If you are using CA IdentityMinder with JBOSS then you need to secure the config files. No one wants to have clear text database passwords just sitting out there in text files. I went through the CA documentation to set this up and found a few gaps and missing steps that I am going to lay out here.
For your reference the CA instructions I used were the r12.6 Bookshelf.
Here are the sections you need to follow; all are in the Configuration Guide:
– Create a JDBC Data Source for JBOSS Application Servers
– Use a JBOSS Security Realm for the JDBC Data Source
– The Password Tool
Here are the 3 files you will need to edit and use:
– <jboss-home>\server\default\deploy\userstore-ds.xml
– <jboss-home>\server\default\conf\login-config.xml
– <iam install home>CA\Identity Manager\IAM Suite\Identity Manager\tools\PasswordTool\pwdtools.bat
Some of the steps are incorrect or leave things out, so be aware of that as you edit, or you will go looking for files that don’t exist.
Before you begin you need to generate the encrypted password. The Password Tool instructions are straightforward: if you are using FIPS, follow those instructions; if you are not, use the plain-text instructions. Either way, copy the resulting encrypted string into the config below.
Use a JBOSS Security Realm for the JDBC Data Source – Corrections
- Step 1 correction – The user/password step it refers to is actually Step 5, not Step 4, in Create a JDBC Data Source for JBOSS Application Servers.
- Step 2 says to open login-cfg.xml – the file is actually called login-config.xml.
- Step 4 has you infer <policy> </policy> tags; there is no <policy>, rather it is the <application-policy> </application-policy> tags.
One other thing to note about the names: IdentityMinder prepends information from your install to the policy names, XML files, etc. For example, instead of just imuserstoredb you will see something like iam_im-imuserstoredb. To remain consistent, rename only the imobjectstoredb part to imuserstoredb and leave the first part alone. This applies to both the Security Realm and Data Source instructions.
Copy and paste the <application-policy> section and edit it. Paste in your encrypted password and make the changes below.
This is your Realm name:
<application-policy name="iam_im-imuserstoredb">
This is the UserStore name you have in userstore-ds.xml:
<module-option name="managedConnectionFactoryName">
</module-option>
The instructions say to save and restart, but you may not be finished yet!!! Double-check userstore-ds.xml and get it ready to use the realm.
userstore-ds.xml (remove the <user-name> and <password> tags if they were in there previously)
The name you used in login-config.xml:
<jndi-name>YourUserStoreName</jndi-name>
Make sure the security-domain section is not commented out. Also make sure you changed the security-domain to use the new user store db and that it is not still set to the object store. And, as I said before, delete the clear-text username and password from this file.
<security-domain>iam_im-imuserstoredb</security-domain>
<check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
<validate-on-match>false</validate-on-match>
<background-validation>true</background-validation>
<idle-timeout-minutes>5</idle-timeout-minutes>
<background-validation-millis>120000</background-validation-millis>
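The pre-restart checks above (no clear-text credentials left in the -ds.xml, security-domain present and not commented out, security-domain pointing at the user store realm rather than the object store, realm name and JNDI name lining up between the two files) are easy to script so you are not debugging them from a flood of server.log errors. The script below is an added example, not part of this post or of CA's documentation. The sample userstore-ds.xml fragments and the application-policy section are constructed here to show the "before" and "after" states; the login-module class names (org.jboss.resource.security.SecureIdentityLoginModule, which reads an encrypted password, versus ConfiguredIdentityLoginModule, which reads a clear-text one), the jboss.jca:service=LocalTxCM,name=... form of managedConnectionFactoryName, and the connection-url are assumptions about a stock JBoss install; check them against the section you copied from the Configuration Guide.

```python
"""Sanity check for the JBoss data source + security realm pairing before a restart.

Added example (not from the post or from CA). Parses userstore-ds.xml and the
<application-policy> section pasted into login-config.xml, and reports the
mistakes the post warns about. All sample XML below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed "before" state: clear-text credentials still in the -ds.xml and
# the security-domain commented out (still naming the object store realm).
DS_BEFORE = """<datasources>
  <local-tx-datasource>
    <jndi-name>YourUserStoreName</jndi-name>
    <connection-url>jdbc:sqlserver://dbhost:1433;databaseName=userstore</connection-url>
    <user-name>imuser</user-name>
    <password>ClearTextPassword</password>
    <!--<security-domain>iam_im-imobjectstoredb</security-domain>-->
    <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
  </local-tx-datasource>
</datasources>"""

# Constructed "after" state: credentials removed, realm enabled and renamed.
DS_AFTER = """<datasources>
  <local-tx-datasource>
    <jndi-name>YourUserStoreName</jndi-name>
    <connection-url>jdbc:sqlserver://dbhost:1433;databaseName=userstore</connection-url>
    <security-domain>iam_im-imuserstoredb</security-domain>
    <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
    <validate-on-match>false</validate-on-match>
    <background-validation>true</background-validation>
    <idle-timeout-minutes>5</idle-timeout-minutes>
    <background-validation-millis>120000</background-validation-millis>
  </local-tx-datasource>
</datasources>"""

# Constructed application-policy section as pasted into login-config.xml.
# The password value is a placeholder for the string pwdtools produced.
POLICY = """<application-policy name="iam_im-imuserstoredb">
  <authentication>
    <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username">imuser</module-option>
      <module-option name="password">ENCRYPTED_STRING_FROM_PWDTOOLS</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=YourUserStoreName</module-option>
    </login-module>
  </authentication>
</application-policy>"""


def check_config(ds_xml: str, policy_xml: str) -> list:
    """Return a list of problems found; an empty list means the pair is consistent."""
    problems = []
    ds = ET.fromstring(ds_xml)          # comments are dropped by the parser,
    policy = ET.fromstring(policy_xml)  # so a commented-out tag simply vanishes

    jndi = (ds.findtext(".//jndi-name") or "").strip()
    domain = ds.findtext(".//security-domain")
    realm = policy.get("name")

    # 1. No clear-text credentials may remain in the -ds.xml once the realm is used.
    if ds.find(".//user-name") is not None or ds.find(".//password") is not None:
        problems.append("clear-text user-name/password still present in userstore-ds.xml")

    # 2. security-domain must exist and must not be commented out.
    if domain is None:
        if re.search(r"<!--\s*<security-domain>", ds_xml):
            problems.append("security-domain is commented out in userstore-ds.xml")
        else:
            problems.append("no security-domain in userstore-ds.xml")
    else:
        domain = domain.strip()
        # 3. It must name the user store realm, not the object store one.
        if "objectstore" in domain:
            problems.append("security-domain still points at the object store realm")
        # 4. It must match the application-policy name exactly.
        if domain != realm:
            problems.append(f"security-domain '{domain}' does not match application-policy name '{realm}'")

    # 5. The login module must be the one that expects an encrypted password.
    module = policy.find(".//login-module")
    code = module.get("code", "") if module is not None else ""
    if not code.endswith("SecureIdentityLoginModule"):
        problems.append(f"login-module '{code}' does not read an encrypted password")

    # 6. managedConnectionFactoryName must refer to this data source's jndi-name
    #    (assumed jboss.jca:service=LocalTxCM,name=<jndi-name> form).
    opts = {m.get("name"): (m.text or "").strip() for m in policy.iter("module-option")}
    if not opts.get("managedConnectionFactoryName", "").endswith(f"name={jndi}"):
        problems.append("managedConnectionFactoryName does not end with name=" + jndi)
    if not opts.get("password"):
        problems.append("password module-option is empty")
    return problems


if __name__ == "__main__":
    for label, ds in (("before", DS_BEFORE), ("after", DS_AFTER)):
        print(label, "->", check_config(ds, POLICY) or "OK")
```

Point check_config at the real files (read them from <jboss-home>\server\default\deploy and \conf, and cut the application-policy element out of login-config.xml) rather than the constructed samples; the checks are the same three edits the post tells you to double-check, just made mechanical.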
Restart and check server.log to see whether the environment started. You will see a flood of errors if something is wrong. Since you are only touching 3 things, it’s pretty easy to fix.
Make backups before you start; it’s pretty simple once you have the right files and the edits made.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.