[jboss-dev-forums] [JBoss AS7 Development] - Management API Security Configuration

Darran Lofthouse do-not-reply at jboss.com
Fri Mar 4 08:17:54 EST 2011


Darran Lofthouse [http://community.jboss.org/people/dlofthouse] modified the document:

"Management API Security Configuration"

To view the document, visit: http://community.jboss.org/docs/DOC-16494

--------------------------------------------------------------
This document lists the configuration required to secure the management APIs.  Some of these items may be covered by other tasks, but this is a general overview.

h3. Overall Domain Management Security
There is currently no top-level element to hold this, although it should probably be a child of some 'domain-management' element.

h3. Existing Configuration
Currently the domain management configuration is limited to options specifying which management APIs to expose and, for nodes, where to locate the domain controller.

h4. Standalone Configuration
For standalone servers the following can be defined within the standalone.xml :-

    <management>
       <native-api interface="default" port="9999"/>
       <http-api interface="default" port="9990"/>
    </management>


i.e. At this stage the only configuration is to identify which APIs to expose publicly.

h4. Domain Configuration
For domain deployments the following can be defined in the host.xml :-

    <management>
        <native-api interface="public" port="9999"/>
        <http-api interface="public" port="9990"/>
    </management>


i.e. As before, the APIs to expose can be defined on a host-by-host basis.

The node which has the master domain controller can also have the following: -

    <domain-controller>
        <local/>
    </domain-controller>

This is simple, as its sole purpose is to indicate that this node manages the domain locally and so does not need to contact any remote domain controller.

If the node will use a remote domain controller it may have the following defined instead: -

    <domain-controller>
        <remote host="127.0.0.1" port="9999"/>
    </domain-controller>


This defines a connection to the native-api of the node hosting the master domain controller.

At this stage there is no centralised configuration for domain management.
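As an added example (not part of the original document or of the AS7 code base), the following audits the standalone.xml / host.xml fragments shown above: it reports which management APIs are bound to which interface and port, whether the host uses a local or remote domain controller, and notes where, given that no authentication or SSL elements exist yet, an API or a domain-controller connection is reachable over the network with no transport security. The assumption that the "public" and "default" interface names resolve to non-loopback addresses is mine.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample host.xml fragment mirroring the snippets in the document.
SAMPLE_HOST_XML = """<host>
    <management>
        <native-api interface="public" port="9999"/>
        <http-api interface="public" port="9990"/>
    </management>
    <domain-controller>
        <remote host="127.0.0.1" port="9999"/>
    </domain-controller>
</host>"""

# Assumption: these interface names bind to non-loopback addresses.
NON_LOOPBACK_INTERFACES = {"public", "default"}


def audit_management(xml_text):
    """Summarise the exposed management APIs and the domain-controller link.

    Returns {"apis": {tag: {...}}, "domain_controller": {...}|None, "warnings": [...]}.
    """
    root = ET.fromstring(xml_text)
    report = {"apis": {}, "domain_controller": None, "warnings": []}

    mgmt = root.find("management")
    for api in (mgmt if mgmt is not None else []):
        iface = api.get("interface", "")
        port = int(api.get("port", "0"))
        exposed = iface in NON_LOOPBACK_INTERFACES
        report["apis"][api.tag] = {"interface": iface, "port": port, "exposed": exposed}
        if exposed:
            # No authentication or SSL element exists in this configuration yet.
            report["warnings"].append(
                f"{api.tag} exposed on '{iface}':{port} with no transport security")

    dc = root.find("domain-controller")
    if dc is not None:
        remote = dc.find("remote")
        if remote is None:
            report["domain_controller"] = {"mode": "local"}
        else:
            host, port = remote.get("host", ""), int(remote.get("port", "9999"))
            report["domain_controller"] = {"mode": "remote", "host": host, "port": port}
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = False  # a hostname: assume it crosses the network
            if not loopback:
                report["warnings"].append(
                    f"remote domain controller {host}:{port} reached with no transport security")
    return report
```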


h3. Future Requirements
h4. Authentication (Internal)
The following document contains some information regarding the requirements for the back end authentication to the existing infrastructure: -
 http://community.jboss.org/docs/DOC-16574 Management API Security Authentication Mechanisms
The following document then shows a couple of starting points to consider how configuration of the authentication could fit within the three descriptors: -
 http://community.jboss.org/docs/DOC-16576 Management API Security Possible Configuration Samples

h4. Host to Domain Controller Communication
I am planning that the hosts are just another type of user when they connect to the domain controller. The following article explores the options we will support, with some initial ideas relating to the configuration.
 http://community.jboss.org/docs/DOC-16579 Management API Security Host to Domain Controller Security


h3. Transport Level Configuration
Two transports will be made available; the current configuration is as follows: -

    <management>
       <native-api interface="default" port="9999"/>
       <http-api interface="default" port="9990"/>
    </management>

Could this be renamed management-api?

At the transport level the following options may be required: -

* Authentication mechanism e.g. BASIC / DIGEST / CLIENT-CERT
* SSL Certificates - these are very much host specific, as there should be a mapping between the name in the certificate and the hostname used to connect to the management API.


Other than the final certificate selection, could this be made generic at the domain level?  i.e. Select username/password or certificate for identification?
Is SSL going to be mandatory for all communication, or optional?  If mandatory, DIGEST could easily be omitted.
Kerberos / SPNEGO based authentication at some point in the future?
--------------------------------------------------------------
