JBoss Enterprise Application Platform 4 and 5

JBPAPP-4550: Post install config incorrect: JBM Suckerpassword section


Details

      1. Install the platform.
      2. jboss-as/bin/run.sh -c all
      3. Observe the JBM authentication error.
      4. Edit the messaging-jboss-beans.xml of the all profile, as per the install guide.
      5. run.sh -c all
      6. Observe the message still there.
      7. Edit messaging-service.xml of the all profile, and set the suckerPassword to match the one in messaging-jboss-beans.xml.
      8. run.sh -c all
      9. Observe no error.
    • Documentation (Ref Guide, User Guide, etc.)
    • Previously, the Installation Guide provided incorrect information on how to define the SuckerPassword, which is used by nodes during messaging for authentication in a clustered environment. With this update, the correct information has been added to the Messaging Guide as the information has been removed from the Installation Guide.
    • Documented as Resolved Issue

    Description

      The instructions in section 7.3 of the installation guide, "7.3. Post Installation Security Configuration" are not correct.

      Two things:

      1. "JBoss Messaging makes internal connections between nodes in order to redistribute messages between clustered destinations. These connections are made with the user name of a special reserved user whose password is specified by this parameter suckerPassword in the configuration file:

      $JBOSS_HOME/server/$CONFIG/deploy/messaging/messaging-jboss-beans.xml

      To avoid a security risk, you MUST specify the value of the attribute suckerPassword, otherwise the default value will be used. Knowledge of the default password will allow access to any destination on the server. The following fragment should be modified as indicated:"

      When the server is started without changing the suckerPassword first, it throws an error. This error should be mentioned so that it is returned in a search.

      So it should probably be reworded as: "JBoss Messaging authenticates within a cluster using a reserved user account whose password is specified in the configuration file: $JBOSS_HOME/server/$CONFIG/deploy/messaging/messaging-jboss-beans.xml.

      This password is specified as the property suckerPassword. By default it is set to "CHANGEME!!". You must change this default password in order to use clustered messaging. You should give all nodes in a cluster the same suckerPassword, so that they will be able to communicate with each other. If you do not change the suckerPassword you will receive an error "javax.jms.JMSSecurityException: User JBM.SUCKER is NOT authenticated" when starting a server profile with clustering enabled."

      ^ That needs to be confirmed by an SME, especially the part about changing the password in order to use clustered messaging. The install guide at the moment implies that it will work, but will be insecure. The error that is thrown when starting the server without changing the password, however, suggests that it may not work at all.

      OK, so here's the second issue:

      2. Even if you change the suckerPassword as per the directions given, you still get the error. The only way to get rid of the error is to also edit $JBOSS_HOME/server/$CONFIG/deploy/messaging/messaging-service.xml and change the suckerPassword in there too.

      It seems to me that the messaging-jboss-beans.xml password is the password that the messaging cluster uses to log in; and the messaging-service.xml password is where you set the password that is valid for a login.

      If you set them both to the same thing, the server will start without an error.

      So it seems that our chosen method of addressing the inherent insecurity of default clustering is to set the JBoss Messaging cluster client password to "CHANGEME!!" and the service password to "admin"; so that they don't match, and by default the JBoss messaging cluster will be unable to authenticate.
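The two-file interaction described above can be checked before a node is started. This is an added example, not code from the issue or from JBoss; the element layout (a bean `<property name="suckerPassword">` in messaging-jboss-beans.xml and an MBean `<attribute name="SuckerPassword">` in messaging-service.xml) and the two sample documents are assumptions constructed for illustration.

```python
# Added example (not from the JIRA issue or JBoss): pre-start check that the JBM
# sucker password is set in both files and matches. The element layout (a bean
# <property name="suckerPassword"> in messaging-jboss-beans.xml, an MBean
# <attribute name="SuckerPassword"> in messaging-service.xml) is assumed.
import xml.etree.ElementTree as ET

DEFAULT_SUCKER_PASSWORD = "CHANGEME!!"

def local_name(tag):
    """Strip an XML namespace prefix: '{urn:...}property' -> 'property'."""
    return tag.rsplit("}", 1)[-1]

def find_sucker_password(xml_text):
    """Return the sucker password from a config document, or None if unset.
    Matches a <property> or <attribute> named suckerPassword, case-insensitively."""
    for elem in ET.fromstring(xml_text).iter():
        if (local_name(elem.tag) in ("property", "attribute")
                and elem.get("name", "").lower() == "suckerpassword"):
            return (elem.text or "").strip()
    return None

def check_sucker_passwords(beans_xml, service_xml):
    """Return findings as a list of strings; empty means the cluster can log in."""
    findings = []
    client_pw = find_sucker_password(beans_xml)   # what the cluster logs in with
    server_pw = find_sucker_password(service_xml)  # what the server accepts
    for label, pw in (("messaging-jboss-beans.xml", client_pw),
                      ("messaging-service.xml", server_pw)):
        if pw is None:
            findings.append(f"{label}: no suckerPassword set")
        elif pw == DEFAULT_SUCKER_PASSWORD:
            findings.append(f"{label}: suckerPassword is still the shipped default")
    if client_pw is not None and server_pw is not None and client_pw != server_pw:
        findings.append("suckerPassword differs between the files: JBM.SUCKER login will fail")
    return findings

# Constructed sample documents reproducing the mismatch described in the issue.
BEANS_XML = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="SecurityStore">
    <property name="suckerPassword">CHANGEME!!</property>
  </bean>
</deployment>"""

SERVICE_XML = """<server>
  <mbean name="jboss.messaging:service=ServerPeer">
    <attribute name="SuckerPassword">admin</attribute>
  </mbean>
</server>"""
```

Running `check_sucker_passwords(BEANS_XML, SERVICE_XML)` on the samples reports the shipped default in the beans file and the mismatch between the two files; setting both to the same non-default value yields no findings.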

      Attachments: jmsClient.jar (88 kB), server.log.gz (12 kB), server.zip (15 kB)

            People

              ekopalov_jira Eva Kopalova (Inactive)
              jwulf_jira Joshua Wulf (Inactive)