    Ex Libris Knowledge Center
    Additional Digitool JBOSS Hardening

    1. Overview
    2. Instructions
      1. Step One - Backup
      2. Step Two - Remove components
      3. Step Three - Edit files
      4. Step Four - Restart JBOSS
    • Product: Digitool
    • Product Version: All Versions
    • Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Local, TotalCare

     

    Overview

    These steps have been developed and certified to mitigate several known security issues in the JBOSS component running in Digitool.

    These hardening steps should be implemented in addition to the steps described in the article linked below:

    Securing JBoss Web Console JMX Invoker in Digitool

    Instructions

    Step One - Backup

    To back up the JBOSS deployment, make a compressed copy of the server tree (this is the restore point if the restart in Step Four fails):

    cd /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/
    tar -zcvf server_backup.tar.gz server
    
    Step Two - Remove components

    These components must be removed entirely (deleted, or moved out of the openserver tree). It is not sufficient to change their names.

    From this path:

    /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy  (Alias: jb_deploy)

    Remove the following:

    jmx-console.war

    uuid-key-generator.sar

    mail-service.xml

    scheduler-service.xml

    schedule-manager-service.xml

    sqlexception-service.xml

    jboss-xa-jdbc.rar

    management/

    hsqldb-ds.xml

    From this path:

    /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/lib

    Remove the following:

    scheduler-plugin-example.jar

    scheduler-plugin.jar

    Step Three - Edit files

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/login-config.xml
    make the following changes. They remove the anonymous "guest" identity from the JBossMQ security domain, repoint that domain from the embedded HSQL datasource java:/DefaultDS (whose descriptor hsqldb-ds.xml was removed in Step Two) to the library datasource, and disable the HsqlDbRealm domain, which holds the "sa" login with an empty password:

            <!-- Security domain for JBossMQ -->
            <application-policy name = "jbossmq">
                    <authentication>
                            <login-module code = 
                                    "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = 
                                    "required">
                                    <!-- Comment out this tag
                                    <module-option name = "unauthenticatedIdentity">
                                            guest</module-option>
                                    -->
                                    <!-- Comment out this tag and replace it with the version that follows
                                    <module-option name = "dsJndiName">
                                            java:/DefaultDS</module-option>
                                    -->
                                    <module-option name = "dsJndiName">
                                            java:/jdbc/LibraryDS</module-option>
                                    <module-option name = "principalsQuery">SELECT PASSWD FROM 
                                            JMS_USERS WHERE USERID=?</module-option>
                                    <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM 
                                            JMS_ROLES WHERE USERID=?</module-option>
                            </login-module>
                    </authentication>
            </application-policy>
            <!-- Security domains for testing new jca framework -->
            <!-- Comment out this tag
            <application-policy name = "HsqlDbRealm">
                    <authentication>
                            <login-module code = 
                                    "org.jboss.resource.security.ConfiguredIdentityLoginModule" 
                                    flag = "required">
                                    <module-option name = "principal">sa</module-option>
                                    <module-option name = "userName">sa</module-option>
                                    <module-option name = "password"></module-option>
                                    <module-option name = "managedConnectionFactoryName">
                                            jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                            </login-module>
                    </authentication>
            </application-policy>
             -->

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy/jbossweb-tomcat.sar/web.xml

    make the following change. Setting "development" to "false" turns off Jasper's development mode (per-request checks for modified JSPs and automatic recompilation), the standard production setting:

        <servlet>
            <servlet-name>jsp</servlet-name>
            <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
            <init-param>
                <param-name>fork</param-name>
                <param-value>false</param-value>
            </init-param>
            <init-param>
                <param-name>xpoweredBy</param-name>
                <param-value>false</param-value>
            </init-param>
            <load-on-startup>3</load-on-startup>
    
            <!-- Add this init-param -->
            <init-param>
                <param-name>development</param-name>
                <param-value>false</param-value>
            </init-param>
        </servlet>
    

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/jboss-service.xml
    make the following change. The WebService MBean (here on port 4801) is the HTTP class server used for RMI dynamic class loading; setting "DownloadServerClasses" to "false" stops it from serving server-side classes to remote clients:

    <!-- ==================================================================== -->
       <!-- Class Loading                                                        -->
       <!-- ==================================================================== -->
    
       <mbean code="org.jboss.web.WebService"
          name="jboss:service=WebService">
          <attribute name="Port">4801</attribute>
          <!-- Should resources and non-EJB classes be downloadable? No: change this attribute from true to false -->
          <attribute name="DownloadServerClasses">false</attribute>
          <attribute name="Host">${jboss.bind.address}</attribute>
          <attribute name="BindAddress">${jboss.bind.address}</attribute>
       </mbean>
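    As an added check, not part of this article or of Ex Libris' DigiTool code, the Python script below verifies that Steps Two and Three were applied to an openserver tree: that none of the listed components, or renamed copies of them, remain under server/default/deploy and server/default/lib; that the jbossmq domain in login-config.xml no longer carries unauthenticatedIdentity and points at java:/jdbc/LibraryDS, with no active HsqlDbRealm domain; that the jsp servlet in web.xml has development=false; and that DownloadServerClasses is false on the WebService MBean. The paths, file names and element names come from the article; the function names, the optional command-line argument and the exit codes are this example's own conventions.

```python
"""Added example, not part of the Ex Libris article: verify that the DigiTool
JBoss hardening steps were applied to an openserver tree.
Usage: python check_hardening.py [OPENSERVER_DIR]  (default: the article's path)
Exit status 0 when every check passes, 1 otherwise (this example's convention)."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

OPENSERVER = Path("/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver")

# Step Two: components that must be gone from server/default/deploy and lib.
DEPLOY_ITEMS = ["jmx-console.war", "uuid-key-generator.sar", "mail-service.xml",
                "scheduler-service.xml", "schedule-manager-service.xml",
                "sqlexception-service.xml", "jboss-xa-jdbc.rar", "management",
                "hsqldb-ds.xml"]
LIB_ITEMS = ["scheduler-plugin-example.jar", "scheduler-plugin.jar"]


def leftover_components(openserver):
    """Paths of listed components still present, including renamed copies such
    as jmx-console.war.bak (the article: renaming them is not sufficient)."""
    default = Path(openserver) / "server" / "default"
    found = []
    for subdir, items in (("deploy", DEPLOY_ITEMS), ("lib", LIB_ITEMS)):
        for item in items:
            found.extend(sorted(str(p) for p in (default / subdir).glob(item + "*")))
    return found


def _local(tag):
    """Strip an XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def login_config_findings(xml_text):
    """Problems in login-config.xml content; an empty list means hardened.
    Commented-out policies are invisible to the parser, as they are to JBoss."""
    root = ET.fromstring(xml_text)
    policies = {p.get("name"): p for p in root.iter("application-policy")}
    problems = []
    if "HsqlDbRealm" in policies:
        problems.append("HsqlDbRealm policy (sa with empty password) is still active")
    jbossmq = policies.get("jbossmq")
    if jbossmq is None:
        return problems + ["no jbossmq application-policy found"]
    for module in jbossmq.iter("login-module"):
        opts = {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}
        if "unauthenticatedIdentity" in opts:
            problems.append("jbossmq still maps unauthenticated callers to %r" % opts["unauthenticatedIdentity"])
        if opts.get("dsJndiName") != "java:/jdbc/LibraryDS":
            problems.append("jbossmq dsJndiName is %r, not java:/jdbc/LibraryDS" % opts.get("dsJndiName"))
    return problems


def jsp_servlet_init_params(xml_text):
    """init-param name -> value for the servlet named 'jsp' (namespace-agnostic,
    since web.xml may or may not declare the J2EE namespace)."""
    for servlet in ET.fromstring(xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-name"]
        if names != ["jsp"]:
            continue
        params = {}
        for init in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in init}
            params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}


def web_service_attributes(xml_text):
    """attribute name -> value of the jboss:service=WebService MBean."""
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        if mbean.get("name") == "jboss:service=WebService":
            return {a.get("name"): (a.text or "").strip() for a in mbean.findall("attribute")}
    return {}


def check_tree(openserver):
    """All findings for one openserver tree; an empty list means every check passed."""
    default = Path(openserver) / "server" / "default"
    problems = ["component still present: " + p for p in leftover_components(openserver)]
    # read_bytes() lets the parser honour the files' own XML encoding declaration
    problems += login_config_findings((default / "conf" / "login-config.xml").read_bytes())
    jsp = jsp_servlet_init_params((default / "deploy" / "jbossweb-tomcat.sar" / "web.xml").read_bytes())
    if jsp.get("development") != "false":
        problems.append("jsp servlet: development is %r, not 'false'" % jsp.get("development"))
    ws = web_service_attributes((default / "conf" / "jboss-service.xml").read_bytes())
    if ws.get("DownloadServerClasses") != "false":
        problems.append("WebService: DownloadServerClasses is %r, not 'false'" % ws.get("DownloadServerClasses"))
    return problems


if __name__ == "__main__":
    findings = check_tree(sys.argv[1] if len(sys.argv) > 1 else OPENSERVER)
    for line in findings:
        print("FAIL:", line)
    print("hardening check:", "OK" if not findings else "%d issue(s)" % len(findings))
    sys.exit(1 if findings else 0)
```

    Run it as the dtl user after Step Three and before the restart in Step Four; a non-zero exit with one FAIL line per finding tells you what is still outstanding. Only the jsp servlet's development flag is asserted because the page adds nothing else to web.xml; extend the checks if your local hardening covers more.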
    
    Step Four - Restart JBOSS

    In a terminal, as the dtl user:

    j_bin
    ./jboss_shutdown.sh
    ./jboss_startup.sh
    

     


    • Article last edited: 11-Feb-2018