[jboss-user] JBoss secure deployment guides? notes you care to share? :)

katsumi liquer katsumi at gmail.com
Wed Apr 9 15:15:19 EDT 2008


Hello everyone,

I apologize if any of these questions are duplicates or answered elsewhere
-- I have looked through the archives but not been able to find exactly what
I am looking for.

What I am trying to find is a list of steps from a RHEL administrator's
point of view to transition a wide-open JBoss server which is being used in
a development environment to a secure server being used in production
deployment.

The things I am most concerned with are to disable the JBoss main homepage,
disable any debug information, disable access to any web apps which we have
not explicitly granted access to, etc. I have found documentation for some
parts, such as removing the jmx console, but I was curious if anyone had a
collection of steps they commonly use to put JBoss into a secure mode.

I am working on using mod_jk to go in front of tomcat for basic URL
filtering and such, but even still it is not clear from the mod_jk
documentation the optimal way to do this when security is the goal.

Again, I apologize if this is a really weak question, I just want to rule
out the obvious before I dig deeper into all the configs on my own. I have
pored through everything in the JBoss Security wiki, but a lot of that is
from the code level and development perspective; what I am seeking is
basically a straight up RHEL JBoss hardening guide, or the closest possible
analog.

Thank you very much,

katsu