Skip to main content
ExLibris
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Additional Digitool JBOSS Hardening

    • Product: Digitool
    • Product Version: All Versions
    • Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Local, TotalCare

     

    Overview

    These steps have been developed and certified to mitigate several known security issues in the JBOSS component running in Digitool.

    These hardening steps should be implemented in addition to the steps described in the article linked below:

    Securing JBoss Web Console JMX Invoker in Digitool

    Instructions

    Step One - Backup

    To backup the JBOSS deployment you may make a compressed copy thus:

    cd /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/
    tar -zcvf server_backup.tar.gz server
    
    Step Two - Remove components

    These components must be removed entirely. It is not sufficient to change their names

    From this path:

    /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy  (Alias: jb_deploy)

    Remove the following:

    jmx-console.war

    uuid-key-generator.sar

    mail-service.xml

    scheduler-service.xml

    schedule-manager-service.xml

    sqlexception-service.xml

    jboss-xa-jdbc.rar

    management/

    hsqldb-ds.xml

    From this path:

    /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/lib

    Remove the following:

    scheduler-plugin-example.jar

    scheduler-plugin.jar

    Step Three - Edit files

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/login-config.xml
    make the following changes:

            <!-- Security domain for JBossMQ -->
            <application-policy name = "jbossmq">
                    <authentication>
                            <login-module code = 
                                    "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = 
                                    "required">
                                    <!-- Comment out this tag
                                    <module-option name = "unauthenticatedIdentity">
                                            guest</module-option>
                                    -->
                                    <!-- Comment out this tag and replace with new version in green below
                                    <module-option name = "dsJndiName">
                                            java:/DefaultDS</module-option>
                                    -->
                                    <module-option name = "dsJndiName">
                                            java:/jdbc/LibraryDS</module-option>
                                    <module-option name = "principalsQuery">SELECT PASSWD FROM 
                                            JMS_USERS WHERE USERID=?</module-option>
                                    <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM 
                                            JMS_ROLES WHERE USERID=?</module-option>
                            </login-module>
                    </authentication>
            </application-policy>
            <!-- Security domains for testing new jca framework -->
            <!-- Comment out this tag
            <application-policy name = "HsqlDbRealm">
                    <authentication>
                            <login-module code = 
                                    "org.jboss.resource.security.ConfiguredIdentityLoginModule" 
                                    flag = "required">
                                    <module-option name = "principal">sa</module-option>
                                    <module-option name = "userName">sa</module-option>
                                    <module-option name = "password"></module-option>
                                    <module-option name = "managedConnectionFactoryName">
                                            jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                            </login-module>
                    </authentication>
            </application-policy>
             -->

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy/jbossweb-tomcat.sar/web.xml

    Make the following changes:

        <servlet>
            <servlet-name>jsp</servlet-name>
            <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
            <init-param>
                <param-name>fork</param-name>
                <param-value>false</param-value>
            </init-param>
            <init-param>
                <param-name>xpoweredBy</param-name>
                <param-value>false</param-value>
            </init-param>
            <load-on-startup>3</load-on-startup>
    
            <!-- Add the tag in green below -->
            <init-param>
                <param-name>development</param-name>
                <param-value>false</param-value>
            </init-param>
        </servlet>
    

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/jboss-service.xml
    Make the Following changes:

    <!-- ==================================================================== -->
       <!-- Class Loading                                                        -->
       <!-- ==================================================================== -->
    
       <mbean code="org.jboss.web.WebService"
          name="jboss:service=WebService">
          <attribute name="Port">4801</attribute>
          <!-- Should resources and non-EJB classes be downloadable NO! - change attribute from true to false as in red below -->
          <attribute name="DownloadServerClasses">false</attribute>
          <attribute name="Host">${jboss.bind.address}</attribute>
          <attribute name="BindAddress">${jboss.bind.address}</attribute>
       </mbean>
    
    Step Four - Restart JBOSS

    In the terminal as dtl user:

    j_bin
    ./jboss_shutdown.sh
    ./jboss_startup.sh
    

     


    • Article last edited: 11-Feb-2018
    • Was this article helpful?
    //Feedback