Ex Libris Knowledge Center

    Additional Digitool JBOSS Hardening

    • Product: Digitool
    • Product Version: All Versions
    • Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Local, TotalCare

     

    Overview

    These steps have been developed and certified to mitigate several known security issues in the JBOSS component running in Digitool.

    These hardening steps should be implemented in addition to the steps described in the article linked below:

    Securing JBoss Web Console JMX Invoker in Digitool

    Instructions

    Step One - Backup

    To back up the JBOSS deployment, make a compressed copy of the server directory:

    cd /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/
    tar -zcvf server_backup.tar.gz server
    
    Step Two - Remove components

    These components must be removed entirely; renaming them is not sufficient.

    From this path:

    /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy  (Alias: jb_deploy)

    Remove the following:

    jmx-console.war

    uuid-key-generator.sar

    mail-service.xml

    scheduler-service.xml

    schedule-manager-service.xml

    sqlexception-service.xml

    jboss-xa-jdbc.rar

    management/

    hsqldb-ds.xml

    From this path:

    /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/lib

    Remove the following:

    scheduler-plugin-example.jar

    scheduler-plugin.jar

    Step Three - Edit files

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/login-config.xml
    make the following changes:

            <!-- Security domain for JBossMQ -->
            <application-policy name = "jbossmq">
                    <authentication>
                            <login-module code = 
                                    "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = 
                                    "required">
                                    <!-- Comment out this tag
                                    <module-option name = "unauthenticatedIdentity">
                                            guest</module-option>
                                    -->
                                    <!-- Comment out this tag and replace it with the new dsJndiName option that follows
                                    <module-option name = "dsJndiName">
                                            java:/DefaultDS</module-option>
                                    -->
                                    <module-option name = "dsJndiName">
                                            java:/jdbc/LibraryDS</module-option>
                                    <module-option name = "principalsQuery">SELECT PASSWD FROM 
                                            JMS_USERS WHERE USERID=?</module-option>
                                    <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM 
                                            JMS_ROLES WHERE USERID=?</module-option>
                            </login-module>
                    </authentication>
            </application-policy>
            <!-- Security domains for testing new jca framework -->
            <!-- Comment out this tag
            <application-policy name = "HsqlDbRealm">
                    <authentication>
                            <login-module code = 
                                    "org.jboss.resource.security.ConfiguredIdentityLoginModule" 
                                    flag = "required">
                                    <module-option name = "principal">sa</module-option>
                                    <module-option name = "userName">sa</module-option>
                                    <module-option name = "password"></module-option>
                                    <module-option name = "managedConnectionFactoryName">
                                            jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
                            </login-module>
                    </authentication>
            </application-policy>
             -->

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy/jbossweb-tomcat.sar/web.xml

    Make the following changes:

        <servlet>
            <servlet-name>jsp</servlet-name>
            <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
            <init-param>
                <param-name>fork</param-name>
                <param-value>false</param-value>
            </init-param>
            <init-param>
                <param-name>xpoweredBy</param-name>
                <param-value>false</param-value>
            </init-param>
            <load-on-startup>3</load-on-startup>
    
            <!-- Add the following init-param (the JSP servlet must not run in development mode) -->
            <init-param>
                <param-name>development</param-name>
                <param-value>false</param-value>
            </init-param>
        </servlet>
    

    In file /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/jboss-service.xml
    Make the following changes:

       <!-- ==================================================================== -->
       <!-- Class Loading                                                        -->
       <!-- ==================================================================== -->
    
       <mbean code="org.jboss.web.WebService"
          name="jboss:service=WebService">
          <attribute name="Port">4801</attribute>
          <!-- Should resources and non-EJB classes be downloadable? No: change this attribute from true to false -->
          <attribute name="DownloadServerClasses">false</attribute>
          <attribute name="Host">${jboss.bind.address}</attribute>
          <attribute name="BindAddress">${jboss.bind.address}</attribute>
       </mbean>
    
    Step Four - Restart JBOSS

    In a terminal, as the dtl user:

    j_bin
    ./jboss_shutdown.sh
    ./jboss_startup.sh
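
    A post-hardening self-check for Steps Two and Three, added here as an example; it is not part of the Ex Libris article. It assumes the directory layout shown above (ROOT is the server directory backed up in Step One) and that the name HsqlDbRealm occurs only in the policy commented out above; the fixture it builds is constructed sample data, not a real installation.

```shell
# Post-hardening self-check, added here as an example; it is not part of the Ex Libris article.
# ROOT is assumed to be .../thirdparty/openserver/server (the directory backed up in Step One).
# Print an XML file with <!-- ... --> comments (multi-line too) removed, so that a setting
# that was merely commented out is not mistaken for an active one.
strip_xml_comments() {
  awk '{ l=$0; o=""
         while (length(l)) {
           if (c) { i=index(l,"-->"); if (!i) break; l=substr(l,i+3); c=0 }
           else   { i=index(l,"<!--"); if (!i) { o=o l; break }
                    o=o substr(l,1,i-1); l=substr(l,i+4); c=1 } }
         print o }' "$1"
}

# Print the active lines from the first line matching regex $2 to the next line matching $3.
active_block() { strip_xml_comments "$1" | awk -v s="$2" -v e="$3" '$0~s{p=1} p{print} p&&$0~e{exit}'; }

# Returns 0 when every Step Two / Step Three item is in place; prints each finding and returns 1 otherwise.
check_jboss_hardening() {
  root=$1; rc=0; conf=$root/default/conf; dep=$root/default/deploy
  for f in jmx-console.war uuid-key-generator.sar mail-service.xml scheduler-service.xml \
           schedule-manager-service.xml sqlexception-service.xml jboss-xa-jdbc.rar management hsqldb-ds.xml; do
    [ -e "$dep/$f" ] && { echo "FAIL: deploy/$f still present"; rc=1; }
  done
  for f in scheduler-plugin-example.jar scheduler-plugin.jar; do
    [ -e "$root/default/lib/$f" ] && { echo "FAIL: lib/$f still present"; rc=1; }
  done
  mq=$(active_block "$conf/login-config.xml" 'name *= *"jbossmq"' '</application-policy>')
  echo "$mq" | grep -q unauthenticatedIdentity && { echo "FAIL: jbossmq still grants a guest identity"; rc=1; }
  echo "$mq" | grep -q 'java:/jdbc/LibraryDS'  || { echo "FAIL: jbossmq dsJndiName is not java:/jdbc/LibraryDS"; rc=1; }
  strip_xml_comments "$conf/login-config.xml" | grep -q HsqlDbRealm && { echo "FAIL: HsqlDbRealm policy still active"; rc=1; }
  active_block "$dep/jbossweb-tomcat.sar/web.xml" '<servlet-name>jsp</servlet-name>' '</servlet>' | tr -d ' \t\n' \
    | grep -q '<param-name>development</param-name><param-value>false</param-value>' \
    || { echo "FAIL: JSP servlet does not set development=false"; rc=1; }
  strip_xml_comments "$conf/jboss-service.xml" | grep -q '<attribute name="DownloadServerClasses">false</attribute>' \
    || { echo "FAIL: DownloadServerClasses is not false"; rc=1; }
  return $rc
}

# Constructed fixture (sample files, not a real installation) so the check can be exercised offline.
make_hardened_fixture() {
  d=$(mktemp -d); mkdir -p "$d/default/deploy/jbossweb-tomcat.sar" "$d/default/lib" "$d/default/conf"
  printf '%s\n' '<application-policy name = "jbossmq"><authentication><login-module flag = "required">' \
    '<!-- <module-option name = "unauthenticatedIdentity">guest</module-option> -->' \
    '<module-option name = "dsJndiName">java:/jdbc/LibraryDS</module-option></login-module></authentication></application-policy>' \
    '<!-- <application-policy name = "HsqlDbRealm">commented out</application-policy> -->' >"$d/default/conf/login-config.xml"
  printf '%s\n' '<servlet><servlet-name>jsp</servlet-name><init-param><param-name>development</param-name>' \
    '<param-value>false</param-value></init-param></servlet>' >"$d/default/deploy/jbossweb-tomcat.sar/web.xml"
  printf '%s\n' '<attribute name="DownloadServerClasses">false</attribute>' >"$d/default/conf/jboss-service.xml"
  echo "$d"
}
```

    Run it against the live directory after Step Four (check_jboss_hardening /exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server); a non-zero exit lists every item that is still unhardened.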
    

     


    • Article last edited: 11-Feb-2018