Securing Bedework

Using HTTPS For Those Clients that Accept Passwords

If another system, such as CAS or Shibboleth, handles your passwords, then you should be all set. However, if you use Bedework's directory server or your organization's LDAP servers, you need to secure your Bedework logins with HTTPS. If you are fronting JBoss with Apache, then Apache can handle this.

If your users are accessing JBoss directly:

  1. Configure JBoss to use your SSL Certificate by editing <quickstart>/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/server.xml

  2. Edit bedework.properties in your Bedework configuration directory.   Look for lines that end in transport.guarantee=NONE.  There are several, one for each client that requires a login.  For any that you are using, change the value NONE to CONFIDENTIAL.

  3. Rebuild Bedework.
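
Before rebuilding, it helps to confirm that no login client was left at NONE. The script below is an added example, not part of the Bedework distribution; the property key names in its sample file are constructed for illustration, so point the function at your real bedework.properties.

```shell
#!/bin/sh
# List every property whose key ends in "transport.guarantee" and whose value
# is not CONFIDENTIAL. Comment lines are ignored; whitespace around "=" and
# CRLF line endings are tolerated.
# Returns 0 when nothing is flagged, 1 when at least one weak setting remains.
audit_transport_guarantee() {
    awk '
        /^[ \t]*[#!]/ { next }                  # properties-file comments
        {
            sep = index($0, "=")
            if (sep == 0) next
            key = substr($0, 1, sep - 1)
            val = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key ~ /transport\.guarantee$/ && val != "CONFIDENTIAL") {
                printf "%d: %s=%s\n", NR, key, val
                weak = 1
            }
        }
        END { exit weak ? 1 : 0 }
    ' "$1"
}

# Constructed sample input; the key names are hypothetical.
write_sample_properties() {
    cat > "$1" <<'EOF'
# constructed sample, not a real bedework.properties
org.bedework.app.caladmin.transport.guarantee=NONE
org.bedework.app.usercal.transport.guarantee=CONFIDENTIAL
org.bedework.app.pubcaldav.transport.guarantee = NONE
# org.bedework.app.retired.transport.guarantee=NONE
org.bedework.app.caladmin.security.domain=demo
EOF
}

sample=$(mktemp)
write_sample_properties "$sample"
audit_transport_guarantee "$sample" \
    || echo "Settings listed above are not CONFIDENTIAL; review them before rebuilding."
rm -f "$sample"
```

A flagged line is only a problem for a client you actually deploy; clients you do not use can stay at NONE.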

Securing JBoss's JMX Console

The jmx-console security domain is defined in: <quickstart>/jboss-5.1.0.GA/server/default/conf/login-config.xml.

Credentials are read from: jboss-5.1.0.GA/server/default/conf/props/jmx-console-users.properties. Change the password in this file to something more secure than the default.

If you change the login id (e.g. from admin to someotherid), change or add someotherid to jboss-5.1.0.GA/server/default/conf/props/jmx-console-roles.properties.

Securing JBoss's Web Console

Securing the web console is the same as securing the JMX Console. At its simplest, modify the password in jboss-5.1.0.GA/server/default/conf/props/jbossws-users.properties (and likewise, if you change the userid, add the role to jbossws-roles.properties).

Bedework Enterprise Calendar, version 3.8