Skip to main content
ExLibris

Knowledge Assistant

BETA
Back
DigiTool

 

Ex Libris Knowledge Center
  1. Search site
    Go back to previous article
    1. Sign in
      • Sign in
      • Forgot password
  1. Home
  2. DigiTool
  3. Knowledge Articles
  4. Securing JBoss Web Console JMX Invoker in Digitool

Securing JBoss Web Console JMX Invoker in Digitool

  1. Last updated
  2. Save as PDF
  3. Share
    1. Share
    2. Tweet
    3. Share
  1. Overview
  2. Goal - Secure the JBOSS (JMX) web console invoker in Digitool
  3. Implement the fix
    1. Step 1 - Remove http-invoker.sar
    2. Step 2 - Download this file from the Digitool server to your PC
    3. Step 3 - Copy directory
    4. Step 4 - Edit this file
    5. Step 5 – Stop and start JBOSS
  4. Attachment

Overview

A remote unauthenticated attacker can use the Web Console's JMX Invoker to perform management tasks using the MBean interfaces that are available in the underlying JBoss installation. A zip file is attached to the article with the instructions necessary to mitigate this vulnerability, and includes configuration files which need to be added.

Goal - Secure the JBOSS (JMX) web console invoker in Digitool

The JBOSS deploy path can be located on the Digitool server
At the console type:
>jb_deploy
This will change to the deploy directory. Eg.:
/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy
You will need to adjust this path if it differs from these instructions.

 

Implement the fix

Step 1 - Remove http-invoker.sar

Remove http-invoker.sar/ from the deploy path.

It is not sufficient to change the name it must be either deleted or moved outside the deploy path, eg. to /tmp

Step 2 - Download this file from the Digitool server to your PC

/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/deploy/management/web-console.war
Extract the following two files from web-console.war (using Total Commander for example or other archive extractor) and edit as follows:
 
WEB-INF/web.xml
Uncomment the security-constraint block and add a <login-config> block after the end of the <security-constraint> block (if not already present).
  <security-constraint>
   <web-resource-collection>
   <web-resource-name>HtmlAdaptor</web-resource-name>
   <description>An example security config that only allows users with the
   role JBossAdmin to access the HTML JMX console web application
   </description>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
   <role-name>JBossAdmin</role-name>
   </auth-constraint>
   </security-constraint>
 
 
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss WEB Console</realm-name>
   </login-config>

(Find example of this file in secure_web-invoker.zip attached to article)
 
WEB-INF/jboss-web.xml
Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (e.g. JMXConsole)
  
   <security-domain>java:/jaas/web-console</security-domain>
(Find example of this file in secure_web-invoker.zip attached to article)
 
Replace the files in  web-console.war on the Digitool server with the edited versions.

Step 3 - Copy directory

In secure_web-invoker.zip you will find a directory “props”.
Copy it to this path on the Digitool server:
/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/props

Step 4 - Edit this file

/exlibris/dtl/j3_1/digitool/home/system/thirdparty/openserver/server/default/conf/login-config.xml
Change the path in these sections to the versions in the new “props” directory by adding “props/” to the front of the path:
<application-policy name = "jmx-console">
              <authentication>
                     <login-module 
                           code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = 
                           "required">
                           <module-option name="usersProperties">
                                  props/jmx-console-users.properties</module-option>
                           <module-option name="rolesProperties">
                                  props/web-console-roles.properties</module-option>
                     </login-module>
              </authentication>
       </application-policy>
 
 
       <application-policy name = "web-console">
              <authentication>
                     <login-module 
                           code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = 
                           "required">
                           <module-option name="usersProperties">
                                  props/web-console-users.properties</module-option>
                           <module-option name="rolesProperties">
                                  props/web-console-roles.properties</module-option>
                     </login-module>
              </authentication>
       </application-policy>

(Find example of this file in secure_web-invoker.zip attached to article)

Step 5 – Stop and start JBOSS

$jdtlh_bin/jboss_shutdown.sh
$jdtlh_bin/jboss_startup.sh

Attachment

Download secure_web-invoker.zip from this link:

View article in the Exlibris Knowledge Center
  1. Back to top
    • Scheduled harvests are not running, and can't start the batch queue
    • Security vulnerability issues – Basic troubleshooter
  • Was this article helpful?

Recommended articles

  1. Article type
    How-To
    Content Type
    Knowledge Article
    Language
    English
    Product
    DigiTool
  2. Tags
    1. Java
    2. Security
  1. © Copyright 2025 Ex Libris Knowledge Center
  2. Powered by CXone Expert ®
  • Term of Use
  • Privacy Policy
  • Contact Us
2025 Ex Libris. All rights reserved