[jboss-cvs] JBossAS SVN: r82244 - projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Fri Dec 12 09:10:12 EST 2008


Author: Darrin
Date: 2008-12-12 09:10:12 -0500 (Fri, 12 Dec 2008)
New Revision: 82244

Modified:
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
Log:
updates

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	2008-12-12 12:33:24 UTC (rev 82243)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	2008-12-12 14:10:12 UTC (rev 82244)
@@ -218,15 +218,26 @@
                 <listitem>
                     <para>Disable AJP from JBoss Web.</para>
                     <para>Comment out the following section from 
-                    <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/jboss-web.deployer/server.xml</filename> as shown.
-                    <programlisting language="xml">&lt;!-- &lt;Connector port="8009" address="${jboss.bind.address}" 
+                    <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/jboss-web.deployer/server.xml</filename>:
+                    <programlisting language="xml">&lt;Connector port="8009" address="${jboss.bind.address}" 
 protocol="AJP/1.3" emptySessionPath="true" 
-enableLookups="false" redirectPort="8443" /&gt; --&gt;</programlisting></para>                
+enableLookups="false" redirectPort="8443" /&gt;</programlisting></para>                
                 </listitem>
 
                 <listitem>
                     <para>Disable Clustering High-Availability JNDI service (port 1102)</para>
-                    <para>Delete the file <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/ha-jndi-jms-ds.xml</filename></para>
+                    <para>Delete the file <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/hajndi-jms-ds.xml</filename></para>
+
+                    <para>From the file <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/clustering-service.xml</filename> comment out the following MBean definitions:</para>
+
+<programlisting language="xml">&lt;mbean code="org.jboss.ha.jndi.HANamingService"
+     name="jboss:service=HAJNDI"&gt;</programlisting>
+<programlisting language="xml">&lt;mbean code="org.jboss.invocation.unified.server.UnifiedInvokerHA"
+     name="jboss:service=invoker,type=unifiedha"&gt;</programlisting>
+<programlisting language="xml">&lt;mbean code="org.jboss.invocation.pooled.server.PooledInvokerHA"
+     name="jboss:service=invoker,type=pooledha"&gt;</programlisting>
+<programlisting language="xml">&lt;mbean code="org.jboss.cache.invalidation.bridges.JGCacheInvalidationBridge"
+     name="jboss.cache:service=InvalidationBridge,type=JavaGroups"&gt;</programlisting>
                 </listitem>
 
                 <listitem><para>Use password hashing and do not store plain text passwords on the server.</para>
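Review bot: In the HA-JNDI item, the four added programlisting blocks show only the opening <mbean ...> tag of each definition, so a reader cannot tell where the comment has to end. State that each element must be commented out through its closing </mbean>, or show the comment markers around a complete definition. The item is titled for the HA-JNDI service (port 1102), yet the list also covers UnifiedInvokerHA, PooledInvokerHA and JGCacheInvalidationBridge; add a sentence saying why those are disabled in this step. The AJP listing has the same gap now that "as shown" and the comment markers were both dropped.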
@@ -248,7 +259,7 @@
             your server and application performance before enabling this level of logging 
             on a production server.</para></important>
             
-            <para>You enable this level of logging by making the following changes to <filename>jboss-log4.xml</filename>:</para>
+            <para>You enable this level of logging by making the following changes to <filename>${JBOSS_HOME}/server/production/conf/jboss-log4.xml</filename>:</para>
             <orderedlist>
                 <listitem>
                     <para>Set the logging level of the <classname>SecurityInterceptor</classname> class
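Review bot: The new path on the jboss-log4.xml line uses a bare ${JBOSS_HOME}, while the other paths in this file wrap it in <replaceable>; write it as <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/conf/jboss-log4.xml</filename> for consistency. While on this line, check the file name itself: it reads jboss-log4.xml, and the logging facility is log4j.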
@@ -258,10 +269,11 @@
 &lt;/category&gt;</programlisting>
                 </listitem>
                 <listitem>
-                    <para>Update the ConversionPattern parameter in the appender/layout element 
-                    to show thread information</para>
-                    <programlisting language="xml">&lt;param name="ConversionPattern"
-    value="%d %-5r %-5p [%c] (%t:%x) %m%n" /&gt;</programlisting>
+                    <para>Update the ConversionPattern parameter in the appender/layout element
+                    to show thread information by replacing the Default Pattern with the
+                    Full Pattern:</para>
+<programlisting language="xml">&lt;!-- The full pattern: Date MS Priority [Category] (Thread:NDC) Message --&gt;
+&lt;param name="ConversionPattern" value="%d %-5r %-5p [%c] (%t:%x) %m%n"/&gt;</programlisting>
                 </listitem>
             </orderedlist>
 
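Review bot: The reworded ConversionPattern step tells the reader to replace "the Default Pattern" with "the Full Pattern" but shows only the full one and does not say which appender's layout to edit. Show the default ConversionPattern line that is being replaced, or name the appender, so the step can be followed without guessing.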
@@ -326,7 +338,7 @@
         <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Securing_MBean_Invokers">
         <title>Securing MBean Invokers</title>
             <para>	
-            The <filename>http-invoker.sar</filename> found in the deploy directory is a service 
+            The <filename>httpa-invoker.sar</filename> found in the deploy directory is a service 
             that provides RMI/HTTP access for EJBs and the JNDI Naming service. This includes a 
             servlet that processes posts of <classname>marshaled org.jboss.invocation.Invocation</classname> 
             objects that represent invocations that should be dispatched onto the MBeanServer. 
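Review bot: The renamed archive httpa-invoker.sar should be checked against the actual directory name under deploy in the production configuration before this is published (httpha-invoker.sar is the spelling I would expect for the HA variant); the same string is repeated in the next hunk. Also in this paragraph, the word "marshaled" sits inside the <classname> element, which should contain only org.jboss.invocation.Invocation.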
@@ -334,11 +346,11 @@
             via HTTP when sending appropriately formatted HTTP posts. This servlet has to be 
             protected against the use by unprivileged users. To secure this access point you would 
             need to secure the JMXInvokerServlet servlet found in the 
-            <filename>http-invoker.sar/invoker.war/WEB-INF/web.xml</filename> descriptor.
+            <filename>httpa-invoker.sar/invoker.war/WEB-INF/web.xml</filename> descriptor.
             </para>
 
             <para>	
-            The <filename>jmx-invoker-adaptor-server.sar</filename> is a service that exposes the 
+            The <filename>jmx-invoker-service.xml</filename> is a service that exposes the 
             JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached 
             invoker service. This interface has to be made unavailable to unprivileged users which 
             can be done by using the <classname>org.jboss.jmx.connector.invoker.AuthenticationInterceptor</classname> 
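Review bot: After the rename, the second paragraph reads "The jmx-invoker-service.xml is a service", but the new name is a descriptor file, not a service archive. Reword it to say the service is defined in that file and give the file's directory, as is done for other paths in this guide. The web.xml path in the first paragraph carries the same httpa-invoker.sar spelling that needs confirming.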
@@ -357,7 +369,7 @@
                 for each authentication method (BASIC, CLIENT-CERT, DIGEST, FORM, NONE) in 
                 <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/jboss-web.deployer/META-INF/jboss-service.xml</filename>. </para>
 
-            <para>Additionally, the <parameter>AllRolesMode</parameter> within 
+            <para>Additionally, the <parameter>allRolesMode</parameter> within 
             <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/jboss-web.deployer/server.xml</filename> 
             must be set to <literal>strict</literal>. This requires the authenticated user to be 
             assigned to one of the <filename>web-app/security-role/role-name</filename> in order 
@@ -453,7 +465,7 @@
             
             <para>
             The supplied Java Security Manager policy file that is included with 
-            JBoss EAP must must be modified as specified below.  The policy file 
+            JBoss EAP must be modified as specified below.  The policy file 
             that must be edited is <filename><replaceable>${JBOSS_HOME}</replaceable>/bin/security_cc.policy</filename>.
             The copy of the complete modified policy file can be found in 
             <xref linkend="appe-security_policy" />.

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml	2008-12-12 12:33:24 UTC (rev 82243)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml	2008-12-12 14:10:12 UTC (rev 82244)
@@ -88,20 +88,20 @@
         <para>The JBoss Application server generates log events at start-up time and when it is shutdown:</para>
         <example><title>JBoss EAP start up log events</title>
 <screen>00:30:18,876 INFO [Server] Starting JBoss (MX MicroKernel)... 
-00:30:18,876 INFO [Server] Release ID: JBoss [EAP] 4.3.0.GA_CP01 (build: SVNTag=JBPAPP_4_3_0_GA_CP01 date=200804211657) 
+300:30:18,876 INFO [Server] Release ID: JBoss [EAP] 4.3.0.GA_CP03 (build: SVNTag=JBPAPP_4_3_0_GA_CP03 date=200804211657) 
 00:30:18,877 DEBUG [Server] Using config: org.jboss.system.server.ServerConfigImpl at 46ae506e 
 00:30:18,877 DEBUG [Server] Server type: class org.jboss.system.server.ServerImpl 
 00:30:18,877 DEBUG [Server] Server loaded through: org.jboss.system.server.NoAnnotationURLClassLoader 
 00:30:18,877 DEBUG [Server] Boot URLs: </screen></example>
 
         <example><title>JBoss EAP shutdown log events</title>
-<screen>2008-06-12 00:32:16,460 DEBUG [org.jboss.deployment.MainDeployer] Destroying jboss.system:service=MainDeployer 
-2008-06-12 00:32:16,460 DEBUG [org.jboss.deployment.MainDeployer] Destroyed jboss.system:service=MainDeployer 
-2008-06-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] removing service: jboss.system:service=MainDeployer 
-2008-06-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] removing jboss.system:service=MainDeployer from server 
-2008-06-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] Stopped 3 services 
-2008-06-12 00:32:16,460 DEBUG [org.jboss.system.server.Server] Deleting server tmp/deploy directory 
-2008-06-12 00:32:16,463 INFO  [org.jboss.system.server.Server] Shutdown complete</screen></example>
+<screen>2008-12-12 00:32:16,460 DEBUG [org.jboss.deployment.MainDeployer] Destroying jboss.system:service=MainDeployer 
+2008-12-12 00:32:16,460 DEBUG [org.jboss.deployment.MainDeployer] Destroyed jboss.system:service=MainDeployer 
+2008-12-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] removing service: jboss.system:service=MainDeployer 
+2008-12-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] removing jboss.system:service=MainDeployer from server 
+2008-12-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] Stopped 3 services 
+2008-12-12 00:32:16,460 DEBUG [org.jboss.system.server.Server] Deleting server tmp/deploy directory 
+2008-12-12 00:32:16,463 INFO  [org.jboss.system.server.Server] Shutdown complete</screen></example>
 
         <para>The audit facility is based on the integrated <package>log4j</package> 
         mechanism. <package>Log4j</package> has three main components: loggers, 
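Review bot: The changed Release ID line in the start-up sample now begins with 300:30:18,876; the leading 3 is a stray character and the timestamp should stay 00:30:18,876 like the neighbouring lines. The version was bumped to CP03 while date=200804211657 is unchanged, and the shutdown sample's dates were edited from 2008-06-12 to 2008-12-12 with identical times; if these are meant to be real output, recapture both samples from a CP03 run.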



