How to secure the JMX Console?

So our security scans on the Livesite server found a JMX Admin Console that is wide open.

http://localhost:9080/jmx-console/

You can also replace localhost with the IP address of the server and access it remotely.

I found this article:

http://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/Inspecting_the_Server___the_JMX_Console_Web_Application-Securing_the_JMX_Console.html

That explains how to secure the console with basic authentication, however, the problem I have is that I don't know which files in which dirs to edit.

For example, if I search for web.xml in Interwoven dir it returns 26 web.xml files.

Can someone point me in the right direction?

Find more posts tagged with

Comments

Adam Stoller

You should be able to narrow down your search - my guess is that it would be located somewhere within IWHOME/local/config/lib/content_center probably within a subdir named something like livesite_customer_src (I'm not looking at a TS server right now)

Assuming you find it and make the appropriate entry in it - you would then need to rebuild the toolkit using the method prescribed in the LiveSite manuals.

GRD

I have not done this, but you should be able to restrict access by editing the jmx-console.war/WEB-INF/web.xml file. In fact, in 7.2.1 (and probably 7.2) there is a sample entry on enabling authentication, but it's commented out.

INSTALL_PREFIX/ApplicationContainer/server/default/deploy/jmx-console.war/WEB-INF/web.xml

In the default installation, editing the web.xml should cause the app to redeploy within about 5 seconds or so. if you are successful, please post back here so others know. This is arguably something that should be enabled by default.

You can also consult the JBoss community docs.

-Greg

srosewall

It should be noted that this is in the back-end (TeamSite environment).
When you mentioned that you scanned the LiveSite server, I assume you meant to say the TeamSite server which is running SitePublisher (LiveSite development) - please confirm.

And note; it's not only LiveSite in the authoring (development) environment that's prone to this vulnerability - all of the applications which use JBoss in the back-end are similarly impacted because they share the same JBoss instance.

The LiveSite Display Services runtime environment isn't open to this insecurity as, generally speaking, it doesn't use JBoss unless you specifically elect to do so (and even then I'm not sure that JBoss is actually supported in the runtime at the moment anyway).

If you need to secure you're JBoss hosted applications in the back-end from accidental/malicious interference, then you should also try to secure the JBoss web-console at the same time as the jmx-console (same port); there's a trick in the web-console which allows anyone who can access the URL to stop JBoss which is probably not such as good thing...

Regards,

k1DBLITZ

GRD, that is the correct path you listed:

INSTALL_PREFIX/ApplicationContainer/server/default/deploy/jmx-console.war/WEB-INF/web.xml

After modifying the web.xml I was then able to configure the password in the jmx-console-users.properties which was located in:

/ApplicationContainer/server/default/conf/props

I then verified that accessing:

http://localhost:9080/jmx-console/

Prompted for authentication and that I could login successfully using the UID and password configured.

Srosewall, this is on the LiveSite server that is in our WebDMZ. Our website uses components that require the LiveSite runtime in order to be rendered.

srosewall

Srosewall, this is on the LiveSite server that is in our WebDMZ. Our website uses components that require the LiveSite runtime in order to be rendered.

So your LiveSite server is using JBoss?

I presume you installed the Application Container (JBoss) from the Autonomy installer and then installed LiveSite.
I must admit, that bit sent me off-track because I've only seen the Application Container used with TeamSite and LSCS Authoring etc.
(that's what made me think that we were talking about the back-end rather than the runtime)

As mentioned, according to the information I have to hand, JBoss isn't supported for the LiveSite runtime environment, although it probably works a treat.
You may have done so already, but I would check with Autonomy to make sure they will support you with this configuration.

And I believe my web-console comment is still valid...

Regards,