Securing Bedework

Using HTTPS For Those Clients that Accept Passwords

If another system, such as CAS or Shibboleth, handles your passwords, then Bedework never receives the password itself and nothing further is needed here.  However, if you use Bedework's directory server or your organization's LDAP servers, you need to secure your Bedework logins with HTTPS so that passwords are not sent in clear text.  If you are fronting JBoss with Apache, then Apache can terminate HTTPS for you.

If your users are accessing JBoss directly:

  1. Configure JBoss to use your SSL Certificate by editing <quickstart>/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/server.xml

  2. Edit bedework.properties in your Bedework configuration directory.   Look for lines that end in transport.guarantee=NONE.  There are several, one for each client that requires a login.  For each client that you are using, change the value NONE to CONFIDENTIAL, which tells the container to require HTTPS for that client.

  3. Rebuild Bedework.
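The following script is an added example (not code from the Bedework project) for step 2 above: it lists the transport.guarantee keys in a bedework.properties file that are still NONE and can rewrite them to CONFIDENTIAL, either all of them or only the clients you name. The key names in the constructed sample file are assumptions; only the fact that the relevant keys end in transport.guarantee comes from the text.

```python
"""Audit, and optionally harden, the transport.guarantee settings in bedework.properties.

This is an added example, not code from the Bedework project. It assumes only
what the section above states: bedework.properties is a Java properties file
and each client that requires a login has a key ending in transport.guarantee
whose value is NONE until you change it to CONFIDENTIAL. The key names and the
sample file contents below are constructed for illustration.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# One "key=value" (or "key: value") line; comment lines start with # or !.
_PROP_RE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")

# Constructed sample; real key names may differ from these.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real bedework.properties
org.bedework.app.caladmin.transport.guarantee=NONE
org.bedework.app.cal.transport.guarantee=CONFIDENTIAL
org.bedework.app.eventsubmit.transport.guarantee=NONE
org.bedework.app.name=bedework
"""


def transport_guarantees(text: str) -> Dict[str, str]:
    """Map every key ending in transport.guarantee to its value."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(1).endswith("transport.guarantee"):
            found[m.group(1)] = m.group(2)
    return found


def insecure_clients(text: str) -> List[str]:
    """Keys whose client may still accept a login over plain HTTP."""
    return sorted(k for k, v in transport_guarantees(text).items()
                  if v.upper() != "CONFIDENTIAL")


def harden(text: str, only: Optional[List[str]] = None) -> Tuple[str, int]:
    """Rewrite transport.guarantee=NONE to CONFIDENTIAL, preserving every other line.

    With `only`, just the listed keys are changed, matching the advice to set
    CONFIDENTIAL for the clients you actually use. Returns (new_text, count).
    """
    out: List[str] = []
    changed = 0
    for line in text.splitlines(keepends=True):
        m = _PROP_RE.match(line)
        if m and m.group(1).endswith("transport.guarantee") and m.group(2).upper() == "NONE":
            key = m.group(1)
            if only is None or key in only:
                newline = "\n" if line.endswith("\n") else ""
                line = f"{key}=CONFIDENTIAL{newline}"
                changed += 1
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    # Usage: python audit_transport.py [path/to/bedework.properties]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for key in insecure_clients(text):
        print(f"login may be sent over HTTP: {key}")
    hardened, n = harden(text)
    print(f"{n} setting(s) would be changed to CONFIDENTIAL")
```

Run it against the real file after step 2 and before step 3: an empty report means no login client is left on a plain-HTTP transport guarantee. The rewrite preserves comments and unrelated keys so the file can be written back unchanged apart from the hardened lines.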

Securing JBoss's JMX Console

The jmx-console security domain is defined in: <quickstart>/jboss-5.1.0.GA/server/default/conf/login-config.xml.

Credentials are read from: jboss-5.1.0.GA/server/default/conf/props/jmx-console-users.properties.  Change the password in this file to something more secure than the default.

If you change the login id (e.g. from admin to someotherid), rename the entry in jboss-5.1.0.GA/server/default/conf/props/jmx-console-roles.properties or add one for someotherid, so that the new id is still granted the console role.

Securing JBoss's Web Console

Securing the web console is the same as securing the JMX Console.  At its simplest, modify the password in jboss-5.1.0.GA/server/default/conf/props/jbossws-users.properties (and likewise, if you change the userid, add the role to jbossws-roles.properties).
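Both console sections above come down to the same pair of files: a users file and a roles file. The script below is an added example (not code from Bedework or JBoss) that reads such a pair and reports the mistakes these sections warn about: a password left equal to the user id or otherwise weak, a user id that was changed in the users file but not in the roles file, and a stale roles entry with no credentials. The required role name is passed in; JBoss's own jmx-console declares JBossAdmin in its web.xml, but take it from the console you are checking. The minimum password length and all sample file contents are constructed for the example.

```python
"""Check a JBoss users/roles properties pair such as the ones guarding the JMX and web consoles.

Added example, not code from Bedework or JBoss. It assumes the file layout the
section above refers to: a users file with "userid=password" lines and a roles
file with "userid=role1,role2" lines. The role name the console requires is
passed in; JBoss's own jmx-console declares JBossAdmin in its web.xml, but take
the name from the console you are checking. All sample contents are constructed.
"""
import sys
from typing import Dict, List

# Constructed samples; the real files live under server/default/conf/props/.
SAMPLE_USERS = """\
# constructed sample users file
admin=admin
opsbot=CorrectHorseBatteryStaple9
auditor=Tr0ub4dor
"""
SAMPLE_ROLES = """\
# constructed sample roles file
admin=JBossAdmin,HttpInvoker
opsbot=JBossAdmin
ghost=JBossAdmin
"""

MIN_PASSWORD_LEN = 12  # local policy choice for this example, not a JBoss setting


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java properties reader: key=value per line; # and ! start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_console_credentials(users_text: str, roles_text: str, required_role: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    users = parse_properties(users_text)
    roles = {u: [r.strip() for r in v.split(",") if r.strip()]
             for u, v in parse_properties(roles_text).items()}
    findings: List[str] = []
    for user, password in users.items():
        if not password:
            findings.append(f"{user}: empty password")
        elif password.lower() == user.lower():
            findings.append(f"{user}: password equals user id")
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(f"{user}: password shorter than {MIN_PASSWORD_LEN} characters")
        if user not in roles:
            findings.append(f"{user}: in users file but absent from roles file (authenticates, but is authorized for nothing)")
        elif required_role not in roles[user]:
            findings.append(f"{user}: lacks the {required_role} role the console requires")
    for user in roles:
        if user not in users:
            findings.append(f"{user}: in roles file but has no credentials (stale entry)")
    return findings


if __name__ == "__main__":
    # Usage: python audit_console.py users.properties roles.properties [RequiredRole]
    if len(sys.argv) >= 3:
        users_text, roles_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
        role = sys.argv[3] if len(sys.argv) > 3 else "JBossAdmin"
    else:
        users_text, roles_text, role = SAMPLE_USERS, SAMPLE_ROLES, "JBossAdmin"
    for finding in audit_console_credentials(users_text, roles_text, role):
        print(finding)
```

Point it at jmx-console-users.properties with jmx-console-roles.properties, and again at jbossws-users.properties with jbossws-roles.properties, after editing them; the users-without-roles finding is the one you get when the login id was renamed in only one of the two files.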

Securing the Apache DS LDAP Server Shipped with the Quickstart 

If you choose to use the LDAP server shipped with the quickstart to maintain user accounts, you should 1) change the admin password and 2) remove user accounts you don't need (or change their passwords).  If you intend to use your own enterprise directory server, you can safely ignore this section.

Change the admin password using the JMX-Console

  1. Sign into the jmx-console (e.g. http://localhost:8080/jmx-console/ ).
  2. Click "org.bedework" in the left-most menu.
  3. Click service=Selfreg.
  4. Find the password-change operation (an account field and a password field) in the table of Operations.
  5. Enter the account "admin", select a new password, and click "Invoke".

You can use this approach to change any account password in Apache DS.

Change the admin password using an LDAP client

Use an LDAP client (for example, LDAP Admin) and sign in using the following settings (password = "secret"):

PASSWORD = secret

Once connected, select the admin account, and set the password on the account using the client.  For example, if you are using the LDAP Admin client, open up ou=accounts, right-click on uid=admin, and select "Change Password".  You'll see something like this:

Remove user accounts you don't need (or change their passwords)

In the screenshot above, you'll find many default accounts shipped with Bedework: uid=bfranklin, uid=vbede, etc.  Prior to production, you should remove these accounts or change their passwords.  (For example, in the client above, you can right-click on uid=testuser02 and select "delete").  NOTE: it is not yet possible to remove accounts using the JMX-Console. If you don't wish to connect using an LDAP client to remove the default accounts, you can use the JMX-Console to simply change their passwords.

If you plan on removing the admin account, be sure to set another user as superuser using the Bedework Administrative web client before you do (or you'll have to add the admin account back to LDAP).  (Look in the Admin Client under System --> Manage System Preferences.)  If you're unsure, keep the admin account and change the password, as described above.  See also: Setting up authentication

Bedework Enterprise Calendar, version 3.9