Securing Bedework

Using HTTPS For Those Clients that Accept Passwords

If another system, such as CAS or Shibboleth, handles your passwords, then you should be all set. However, if you use Bedework's directory server or your organization's LDAP servers, you need to secure your Bedework logins with HTTPS. If you are fronting JBoss with Apache, then Apache can handle this.

If your users are accessing JBoss directly:

  1. Configure JBoss to use your SSL Certificate by editing <quickstart>/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/server.xml

  2. Edit bedework.properties in your Bedework configuration directory. Look for lines that end in transport.guarantee=NONE. There are several, one for each client that requires a login. For any that you are using, change the value NONE to CONFIDENTIAL.

  3. Rebuild Bedework.
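As an added example (not part of the Bedework distribution), here is a small audit-and-fix script for step 2: it parses a bedework.properties file, lists every transport.guarantee key still set to NONE, and rewrites only the keys you name to CONFIDENTIAL, leaving comments and other lines untouched. The sample file content and the per-client key names are constructed for illustration; only the transport.guarantee suffix and the NONE / CONFIDENTIAL values come from the instructions above.

```python
import re

# Constructed excerpt modelled on bedework.properties. The key prefixes
# (org.bedework.app.*) are hypothetical; the real file has one
# transport.guarantee line per client.
SAMPLE_PROPERTIES = """\
# public calendar client: anonymous, no password is ever sent
org.bedework.app.cal.transport.guarantee=NONE
# personal client: users log in, so this must be CONFIDENTIAL
org.bedework.app.ucal.transport.guarantee=NONE
# admin client: already secured
org.bedework.app.admin.transport.guarantee=CONFIDENTIAL
org.bedework.app.admin.context=/caladmin
"""

# Matches "key=value" or "key:value"; comment (# or !) and blank lines do not match.
PROP_RE = re.compile(r"^(\s*)([^#!\s][^=:]*?)(\s*[=:]\s*)(.*?)(\s*)$")


def find_unsecured(text):
    """Return the transport.guarantee keys still set to NONE, in file order."""
    unsecured = []
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m and m.group(2).endswith("transport.guarantee") and m.group(4) == "NONE":
            unsecured.append(m.group(2))
    return unsecured


def secure_clients(text, keys):
    """Flip NONE -> CONFIDENTIAL for the given keys; every other line is kept verbatim."""
    out = []
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m and m.group(2) in keys and m.group(4) == "NONE":
            line = m.group(1) + m.group(2) + m.group(3) + "CONFIDENTIAL" + m.group(5)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The anonymous public client is deliberately left at NONE; only the
    # client that accepts a password is hardened.
    login_clients = {"org.bedework.app.ucal.transport.guarantee"}
    print("still NONE before:", find_unsecured(SAMPLE_PROPERTIES))
    hardened = secure_clients(SAMPLE_PROPERTIES, login_clients)
    print("still NONE after: ", find_unsecured(hardened))
```

Run it against your real file by replacing SAMPLE_PROPERTIES with the file's contents and listing the keys of the clients you actually use; remember that step 3 (rebuilding Bedework) is still required for the change to take effect.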

Securing JBoss's JMX Console

The jmx-console security domain is defined in: <quickstart>/jboss-5.1.0.GA/server/default/conf/login-config.xml.

Credentials are read from: jboss-5.1.0.GA/server/default/conf/props/jmx-console-users.properties. Change the password in this file to something more secure than the default.

If you change the login id (e.g. from admin to someotherid), change or add someotherid to jboss-5.1.0.GA/server/default/conf/props/jmx-console-roles.properties.

Securing the ApacheDS LDAP Server Shipped with the Quickstart 

If you choose to use the LDAP server shipped with the quickstart to maintain user accounts, you should 1) change the admin password and 2) remove user accounts you don't need (or change their passwords).  If you intend to use your own enterprise directory server, you can safely ignore this section.

Change the admin password using the JMX-Console

  1. sign into the jmx-console (e.g. http://localhost:8080/jmx-console/ )
  2. click org.bedework.selfreg in the left-most menu
  3. click Name=selfreg,Type=selfreg,service=Selfreg
  4. find the setUserPassword operation in the table of Operations
  5. enter the account "admin", select a new password, and click "Invoke"

You can use this approach to change any account password in ApacheDS.

Remove user accounts you don't need (or change their passwords)

ApacheDS is pre-loaded with a handful of demo users in addition to admin. These include: bfranklin, vbede, mtwain, and ggalelei. To remove them, use the "removeUser" operation on the same jmx-console page as "setUserPassword".

If you plan on removing the admin account, be sure to set another user as superuser using the Bedework Administrative web client before you do (or you'll have to add the admin account back to LDAP). (Look in the Admin Client under System --> Manage System Preferences.) If you're unsure, keep the admin account and change the password, as described above.

See also: Setting up authentication

Bedework Enterprise Calendar Server, version 3.10