Set MessageSucker Password
This topic has not yet been written. The content below is from the topic description.
Messages are replicated across clustered queues by the MessageSucker component. The MessageSucker requires that the predefined JBM.SUCKER user be authenticated before queue connections can be created. By default, the MessageSucker password “CHANGE ME!!” is used to authenticate these connections. This password must be changed to properly secure clustered messaging.

On both node1 and node2, you should have seen the following warning during server startup:

    WARNING! POTENTIAL SECURITY RISK. It has been detected that the MessageSucker component which sucks messages from one node to another has not had its password changed from the installation default. Please see the JBoss Messaging user guide for instructions on how to do this.

This warning indicates that the JMS MessageSucker is using the default authentication password for the predefined user JBM.SUCKER. A new encrypted password must be used to properly secure clustered messaging on production systems. Securing the MessageSucker password takes four steps: (1) create a keystore, (2) create an encrypted client password, (3) create the analogous encrypted server password, and (4) update your configuration files with the encrypted passwords.

Create a Keystore

NOTE: For more information on setting up a keystore, see section 16.2 of the EAP Security Guide at http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/.

NOTE: These instructions assume you are using the preconfigured password masking defaults. To change these defaults, see section 16.6 of the EAP Security Guide at http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/. Changing the defaults adds one more layer of security to your overall password masking implementation. These instructions note wherever the optional steps change a file name or value.
(For Linux/UNIX users) Change to the JBoss production user:

    su - ${JBOSS_PROD_USER}

(For Windows users) Perform the following steps as a privileged user.

Go to the ${JBOSS_HOME}/bin/password directory and execute the following command:

    keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore ${KEYSTORE_NAME}

NOTE: The keytool command is part of your Java JDK installation. If it is not available, install the latest supported Java JDK before proceeding.

For the purposes of these instructions, the keystore is named password.keystore:

    keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore password.keystore

NOTE: If you executed the optional instructions for changing your password masking defaults, use the keystore name chosen for the keyStoreLocation tag.

You will be asked a series of questions. The responses shown after each prompt are for illustration purposes only; enter values pertinent to your enterprise:

    Enter keystore password: mykeystore
    Re-enter new password: mykeystore
    What is your first and last name?
      [Unknown]: JBoss User
    What is the name of your organizational unit?
      [Unknown]: JBoss
    What is the name of your organization?
      [Unknown]: Red Hat
    What is the name of your City or Locality?
      [Unknown]: Raleigh
    What is the name of your State or Province?
      [Unknown]: NC
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is CN=JBoss User, OU=JBoss, O=Red Hat, L=Raleigh, ST=NC, C=US correct?
      [no]: yes
    Enter key password for <jboss>
        (RETURN if same as keystore password):

You should now see the file named password.keystore (or the alternate name you used) in your password directory. Change the keystore permissions so that only the production user can access it:

(For Linux/UNIX users)

    chmod 600 password.keystore

(For Windows users) Use the appropriate administration consoles to set the file permissions to Read/Write for the JBoss user only.
Encrypt the Keystore Password

NOTE: For more information on encrypting the keystore password, see section 16.3 of the EAP Security Guide at http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/.

Go to the ${JBOSS_HOME}/bin directory and execute the following command:

(For Linux/UNIX users)

    ./password_tool.sh

(For Windows users)

    password_tool.bat

You will be asked a series of questions. The responses shown after each prompt are for illustration purposes only; enter values analogous to your responses in the previous section:

    Error while trying to load data:Encrypted password file not located
    Maybe it does not exist and need to be created.
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password 3: Remove a domain 4:Enquire Domain 5:Exit
    0
    Enter Keystore password
    mykeystore              (the keystore password used in the previous section)
    Enter Salt (String should be at least 8 characters)
    SomeVeryLongString      (use a complex string)
    Enter Iterator Count (integer value)
    111                     (a larger iteration count makes the encryption stronger)
    Keystore Password encrypted into password/jboss_keystore_pass.dat
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password 3: Remove a domain 4:Enquire Domain 5:Exit
    5
    org.jboss.security.integration.password.PasswordTool$ShutdownHook run called
    Keystore is null. Cannot store.

The final “Keystore is null. Cannot store.” message is expected.

You should now see a file named jboss_keystore_pass.dat in your ${JBOSS_HOME}/bin/password directory. Change the file permissions so that only the production user can access it:

(For Linux/UNIX users)

    chmod 600 jboss_keystore_pass.dat

(For Windows users) Use the appropriate administration consoles to set the file permissions to Read/Write for the JBoss user only.

NOTE: If you executed the optional steps to change your password masking defaults, the file name will reflect the value chosen for the keyStorePasswordEncryptedFileName tag.
Create the Client-side Masked MessageSucker Password

NOTE: For more information on creating a masked password, see section 16.4 of the EAP Security Guide at http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/.

Go to the ${JBOSS_HOME}/bin directory and execute the following command:

(For Linux/UNIX users)

    ./password_tool.sh

(For Windows users)

    password_tool.bat

You will be asked a series of questions. The responses shown after each prompt are for illustration purposes only; enter values analogous to your responses in the previous section:

    Error while trying to load data:Encrypted password file not located
    Maybe it does not exist and need to be created.
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password 3: Remove a domain 4:Enquire Domain 5:Exit
    1
    Enter Keystore location including the file name
    password/password.keystore      (or the value of your keystore location)
    Enter Keystore alias
    jboss                           (if you executed the optional steps for modifying the password masking defaults, use the value chosen for the keyStoreAlias tag)
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password 3: Remove a domain 4:Enquire Domain 5:Exit
    2
    Enter security domain:
    messaging                       (the JMS messaging security domain)
    Enter passwd:
    mypassword                      (use a strong password)
    Password created for domain:messaging
    0: Encrypt Keystore Password 1:Specify KeyStore 2:Create Password 3: Remove a domain 4:Enquire Domain 5:Exit
    5
    org.jboss.security.integration.password.PasswordTool$ShutdownHook run called
    Storing domains [ messaging, ]

You should now see a file named jboss_password_enc.dat in your ${JBOSS_HOME}/bin/password directory. Change the file permissions so that only the production user can access it:

(For Linux/UNIX users)

    chmod 600 jboss_password_enc.dat

(For Windows users) Use the appropriate administration consoles to set the file permissions to Read/Write for the JBoss user only.
NOTE: If you executed the optional steps to change your password masking defaults, the file name will reflect the value chosen for the passwordEncryptedFileName tag.

Create the Server-side Encoded MessageSucker Password

NOTE: At the date of this publication, the EAP documentation does not include this step for creating a server-side encoded MessageSucker password. Similar instructions may be found in section 4.3 of the Enterprise Portal Platform Installation Guide at http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Portal_Platform/5.1/html/Installation_Guide/.

Go to the ${JBOSS_HOME}/client directory and execute the following:

    java -cp "jboss-messaging-client.jar" org.jboss.messaging.util.SecurityUtil ${PASSWORD}

Substitute the ${PASSWORD} parameter with the same password used to create the masked client-side password. This example continues to use the simple phrase mypassword:

    java -cp "jboss-messaging-client.jar" org.jboss.messaging.util.SecurityUtil mypassword

Your output will look something like the following:

    key len: 14 length max: 128
    Encoded password: -74841e4946ff6d53bdb41dc3ed9479d3

Record the encoded password.

Update the MessageSucker Password Configurations

Using your editor of choice, open the file ${JBOSS_HOME}/server/node1/deploy/messaging/messaging-jboss-beans.xml. Locate the XML bean tag that carries the suckerPassword default (around line 30). Modify the file by (1) removing the suckerPassword default password setting, and (2) uncommenting the annotation tag. Save and close the file. The MessageSucker can now access the client-side masked password via the messaging security domain.

Using your editor of choice, open the file ${JBOSS_HOME}/server/node1/deploy/messaging/messaging-service.xml. Locate the commented-out XML attribute tag for the MessageSucker password (around line 89). Uncomment the tag and insert the encoded password you recorded in the section Create the Server-side Encoded MessageSucker Password. Save and close the file. The MessageSucker can now use the server-side encoded password.

Test your changes by restarting the node1 server:

(For Linux/UNIX)

    ${JBOSS_HOME}/bin/run.sh -c node1

(For Windows)

    ${JBOSS_HOME}/bin/run.bat -c node1

The server should start without any errors, and the expected messaging startup messages should appear near the middle and again near the end of the log output. If node1 started without errors, proceed to the next step; if it did not, go back and verify that each step was executed properly before continuing. Use Control-C to shut down node1.

Now that your node1 configuration files are properly set, copy them to your node2 server to complete your MessageSucker setup:

(For Linux/UNIX)

    cp -r ${JBOSS_HOME}/server/node1/deploy/messaging/messaging-* ${JBOSS_HOME}/server/node2/deploy/messaging/

(For Windows)

    copy ${JBOSS_HOME}\server\node1\deploy\messaging\messaging-* ${JBOSS_HOME}\server\node2\deploy\messaging\
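The procedure above leaves three secrets on disk (the keystore and the two masked password files) and relies on an edit that removes the “CHANGE ME!!” default from messaging-jboss-beans.xml. The following POSIX shell script is an added example, not part of the original topic or of the product: it audits one installation for exactly those outcomes, checking that each secret file exists with owner-only (mode 600) permissions and that the default MessageSucker password string no longer appears in the node's bean file. The file names follow the page's password-masking defaults; the ${JBOSS_HOME}-style layout and the small bean fragment written into the demo tree are constructed for offline use and are assumptions, not the product's own file.

```shell
#!/bin/sh
# Added example (not from the original page): audit the MessageSucker
# hardening steps. Secrets must be mode 600, and the installation default
# "CHANGE ME!!" must be gone from messaging-jboss-beans.xml.

# Succeed only if FILE is a regular file readable/writable by its owner alone,
# i.e. what "chmod 600" in the procedure produces.
check_secret_file() {
  sf_file="$1"
  [ -f "$sf_file" ] || { echo "FAIL: missing $sf_file"; return 1; }
  # ls -l is portable across GNU and BSD; field 1 is the mode string. An ACL
  # or SELinux marker may follow the ten mode characters, so match a prefix.
  sf_mode=$(ls -ld "$sf_file" | awk '{print $1}')
  case "$sf_mode" in
    -rw-------*) echo "ok:   $sf_file ($sf_mode)"; return 0 ;;
    *) echo "FAIL: $sf_file is $sf_mode, expected -rw-------"; return 1 ;;
  esac
}

# Succeed only if the bean file no longer carries the installation default
# password string quoted on the page.
check_no_default_sucker_password() {
  cf_file="$1"
  [ -f "$cf_file" ] || { echo "FAIL: missing $cf_file"; return 1; }
  if grep -q 'CHANGE ME!!' "$cf_file"; then
    echo "FAIL: default MessageSucker password still present in $cf_file"
    return 1
  fi
  echo "ok:   no default suckerPassword in $cf_file"
  return 0
}

# Run every check against one installation root and one server profile
# (node1, node2). Returns 0 only if all checks pass.
audit_node() {
  an_home="$1"; an_node="$2"; an_rc=0
  for an_f in password.keystore jboss_keystore_pass.dat jboss_password_enc.dat; do
    check_secret_file "$an_home/bin/password/$an_f" || an_rc=1
  done
  check_no_default_sucker_password \
    "$an_home/server/$an_node/deploy/messaging/messaging-jboss-beans.xml" || an_rc=1
  return $an_rc
}

# Build a constructed EAP-like tree so the audit can run offline. The secret
# files hold placeholder text (no real key material) and the bean fragment is
# an assumed shape of the post-edit file, not a copy of the product's own.
make_demo_tree() {
  md_root="$1"
  mkdir -p "$md_root/bin/password" "$md_root/server/node1/deploy/messaging"
  for md_f in password.keystore jboss_keystore_pass.dat jboss_password_enc.dat; do
    printf 'constructed placeholder, not real key material\n' > "$md_root/bin/password/$md_f"
    chmod 600 "$md_root/bin/password/$md_f"
  done
  cat > "$md_root/server/node1/deploy/messaging/messaging-jboss-beans.xml" <<'EOF'
<bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
   <property name="securityDomain">messaging</property>
   <annotation>@org.jboss.security.integration.password.Password(securityDomain="messaging",methodName="setSuckerPassword")</annotation>
</bean>
EOF
}

# Stand-alone demo: audit a constructed tree and clean it up again.
DEMO_ROOT=$(mktemp -d)
make_demo_tree "$DEMO_ROOT"
audit_node "$DEMO_ROOT" node1 && echo "audit passed for node1"
rm -rf "$DEMO_ROOT"
```

To audit a real installation, call audit_node with the installation root and profile name, for example audit_node "$JBOSS_HOME" node1 and then node2 after the copy step. The check reports every failing item rather than stopping at the first one, so a single run shows both a loosened file mode and a lingering default password.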