HTTPS Configuration

To enable HTTPS, add the following to the systemConfig.xml file:

<config>
   <web.server>
      <http port="8181"/>
      <https enabled="true" port="8901"/>
   </web.server>
   <security>
      <keystore>fabric3-keystore.jks</keystore>
      <truststore>fabric3-truststore.jks</truststore>
      <keystore.password>password</keystore.password>
      <truststore.password>password</truststore.password>
      <cert.password>password</cert.password>
   </security>
</config>

Keystore and truststore entries are optional. If not supplied, Fabric3 will look for a fabric3-keystore.jks store in the server /config directory. If a keystore is defined but a truststore is not, Fabric3 will default the truststore to the keystore value. Note the keystore value is an absolute file path.
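The defaulting rules above (missing keystore, missing truststore, absolute path) are easy to get wrong when reviewing a deployment, so the following added example (not Fabric3 code) parses a systemConfig.xml, resolves the effective HTTPS settings the way the text describes, and reports placeholder passwords such as the "password" value used in the sample. The config directory, the sample XML and the list of placeholder passwords are assumptions made for the example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample mirroring the HTTPS stanza shown in this section,
# with an absolute keystore path and no truststore entry.
SAMPLE_CONFIG = """<config>
   <web.server>
      <http port="8181"/>
      <https enabled="true" port="8901"/>
   </web.server>
   <security>
      <keystore>/opt/fabric3/config/fabric3-keystore.jks</keystore>
      <keystore.password>password</keystore.password>
      <truststore.password>password</truststore.password>
      <cert.password>password</cert.password>
   </security>
</config>"""

# Assumed set of values that should never survive into a real deployment.
PLACEHOLDER_PASSWORDS = {"password", "changeit", ""}
PASSWORD_KEYS = ("keystore.password", "truststore.password", "cert.password")


def resolve_tls_settings(config_xml, config_dir="/config"):
    """Return the effective HTTPS settings after applying the defaulting rules
    described in the text: no keystore -> fabric3-keystore.jks in the server
    config directory; no truststore -> same file as the keystore."""
    root = ET.fromstring(config_xml)
    https = root.find("./web.server/https")
    security = root.find("./security")

    def text(name):
        node = security.find(name) if security is not None else None
        return node.text.strip() if node is not None and node.text else None

    keystore = text("keystore") or os.path.join(config_dir, "fabric3-keystore.jks")
    truststore = text("truststore") or keystore
    enabled = https is not None and https.get("enabled", "false").lower() == "true"
    port = int(https.get("port")) if https is not None and https.get("port") else None
    weak = sorted(
        name for name in PASSWORD_KEYS
        if text(name) is not None and text(name) in PLACEHOLDER_PASSWORDS
    )
    return {
        "https_enabled": enabled,
        "https_port": port,
        "keystore": keystore,
        "keystore_is_absolute": os.path.isabs(keystore),
        "truststore": truststore,
        "weak_passwords": weak,
    }


def audit_tls(config_xml, config_dir="/config"):
    """Turn the resolved settings into a list of review findings."""
    s = resolve_tls_settings(config_xml, config_dir)
    findings = []
    if not s["https_enabled"]:
        findings.append("HTTPS is not enabled on the web server")
    if not s["keystore_is_absolute"]:
        findings.append(f"keystore path is not absolute: {s['keystore']}")
    for name in s["weak_passwords"]:
        findings.append(f"{name} is a placeholder value; set a real password")
    if s["truststore"] == s["keystore"]:
        findings.append("no separate truststore; trust decisions fall back to the keystore")
    return findings


if __name__ == "__main__":
    for line in audit_tls(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the audit reports the three placeholder passwords and the truststore fallback; a config with only an https element resolves to the default keystore under the config directory.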

Secure Artifact Provisioning

In a distributed domain, Fabric3 uses HTTP or HTTPS to provision artifacts to runtime instances during deployment. By default HTTP is used. To enable HTTPS it is necessary to configure secure provisioning on the controller and participant runtimes.

The following systemConfig.xml shows how to configure a controller instance to use HTTPS-based provisioning:

<config>
   <federation>
      <provision secure="true" address="localhost"/>
   </federation>
   <security>
      <keystore.password>password</keystore.password>
      <cert.password>password</cert.password>
   </security>
   <users>
      <user>
         <username>foo</username>
         <password>bar</password>
         <roles>
            <role>provision.client</role>
         </roles>
      </user>
   </users>
</config>

There are several items to note from the above example:

  • Secure provisioning is enabled through the stanza: <provision secure="true" address="localhost"/>
  • The address attribute on the <provision> element sets the provision server address. It must match the address encoded in the SSL certificate. If the address attribute is not specified, the IP address is used by default.
  • The keystore is configured using the <security> element.
  • A user must be configured with the provision.client role. Participant runtimes will need to authenticate as that user.

Since participant runtimes may provision artifacts to peers, they are configured similarly to the controller. The main difference is the username and password attributes on the <provision> element. These are used to authenticate with the controller and must match the values set in the controller configuration:

<config>
   <federation>
      <provision secure="true" address="localhost" username="foo" password="bar"/>
   </federation>
   <security>
      <keystore.password>password</keystore.password>
      <cert.password>password</cert.password>
   </security>
   <users>
      <user>
         <username>foo</username>
         <password>bar</password>
         <roles>
            <role>provision.client</role>
         </roles>
      </user>
   </users>
</config>
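The controller and participant configurations have to agree on several things: both must enable secure provisioning, the controller must define a user holding the provision.client role, and the participant's username/password must match that user. The following added example (not Fabric3 code) cross-checks a controller and a participant systemConfig.xml for exactly those conditions; the two sample documents are constructed to mirror the stanzas above, and the finding messages are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the controller and participant stanzas above.
CONTROLLER_XML = """<config>
   <federation>
      <provision secure="true" address="localhost"/>
   </federation>
   <users>
      <user>
         <username>foo</username>
         <password>bar</password>
         <roles><role>provision.client</role></roles>
      </user>
   </users>
</config>"""

PARTICIPANT_XML = """<config>
   <federation>
      <provision secure="true" address="localhost" username="foo" password="bar"/>
   </federation>
</config>"""

PROVISION_ROLE = "provision.client"


def load_users(root):
    """Map username -> (password, set of roles) from a <users> block."""
    users = {}
    for user in root.findall("./users/user"):
        name = user.findtext("username", "").strip()
        password = user.findtext("password", "")
        roles = {r.text.strip() for r in user.findall("./roles/role") if r.text}
        users[name] = (password, roles)
    return users


def is_secure(provision):
    return provision is not None and provision.get("secure", "false").lower() == "true"


def check_provisioning(controller_xml, participant_xml):
    """Return a list of findings; an empty list means the pair is consistent."""
    ctrl = ET.fromstring(controller_xml)
    part = ET.fromstring(participant_xml)
    findings = []

    ctrl_prov = ctrl.find("./federation/provision")
    part_prov = part.find("./federation/provision")
    if not is_secure(ctrl_prov):
        findings.append("controller: provisioning is not secure (plain HTTP)")
    elif not ctrl_prov.get("address"):
        # Per the text, the IP address is used when no address is given, and it
        # must then match the certificate; flag it for review.
        findings.append("controller: no address set; the IP address will be used and must match the certificate")
    if not is_secure(part_prov):
        findings.append("participant: provisioning is not secure (plain HTTP)")

    users = load_users(ctrl)
    clients = {u for u, (_, roles) in users.items() if PROVISION_ROLE in roles}
    if not clients:
        findings.append(f"controller: no user holds the {PROVISION_ROLE} role")

    if part_prov is not None:
        name = part_prov.get("username")
        pw = part_prov.get("password")
        if not name or pw is None:
            findings.append("participant: username/password missing on <provision>")
        elif name not in clients:
            findings.append(f"participant: user {name!r} is not a controller user with {PROVISION_ROLE}")
        elif users[name][0] != pw:
            findings.append(f"participant: password for {name!r} does not match the controller")
    return findings


if __name__ == "__main__":
    print(check_provisioning(CONTROLLER_XML, PARTICIPANT_XML) or "provisioning configuration is consistent")
```

The sample pair passes cleanly; changing the participant password or switching the controller back to secure="false" produces a finding naming the side that is wrong.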

Secure Clustered Communications

In the Standalone and Tomcat runtimes, Fabric3 uses JGroups as the cluster service provider. To enable secure cluster communications, it is necessary to configure JGroups appropriately. JGroups XML configuration is specified using the <federation>/<config> element in systemConfig.xml:

<config>
   <federation>
      <config>
         <!-- JGroups XML configuration -->
      </config>
   </federation>
</config>

Enabling JMX Authentication and Authorization

JMX authentication is enabled by setting the jmx.security attribute on the <runtime> element and adding users in systemConfig.xml:

<config>
   <runtime jmx.security='authentication' />
   <users>
      <user>
         <username>foo</username>
         <password>foo</password>
      </user>
   </users>
</config>

If enabled, JMX authentication will require JMX clients to supply a user name and password to gain access to runtime and application MBeans.

JMX security can also be configured for authorization. Authorization is enabled by setting the jmx.security attribute to authorization, listing the security roles allowed to access MBeans in the jmx.access.roles attribute, and configuring a set of users:

<config>
   <runtime jmx.security='authorization' jmx.access.roles='ROLE_FABRIC3_ADMIN,ROLE_FABRIC3_OBSERVER'/>
   <users>
       <user>
          <username>foo</username>
          <password>foo</password>
          <roles>
             <role>ROLE_FABRIC3_OBSERVER</role>
          </roles>
       </user>
       <user>
          <username>bar</username>
          <password>bar</password>
          <roles>
             <role>ROLE_FABRIC3_ADMIN</role>
          </roles>
       </user>
   </users>
</config>
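To see which users a given jmx.security setting actually admits, the following added example (not Fabric3 code) reads the mode and the comma-separated jmx.access.roles list and works out, per configured user, whether MBean access would be granted: every authenticated user in authentication mode, only users holding one of the listed roles in authorization mode. The interpretation of the two modes follows the text above and is the example's assumption, as are the sample XML (which adds a role-less "guest" user to the page's two) and the finding messages.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the authorization stanza above, plus a user
# with no roles to show the denied case.
JMX_XML = """<config>
   <runtime jmx.security='authorization' jmx.access.roles='ROLE_FABRIC3_ADMIN,ROLE_FABRIC3_OBSERVER'/>
   <users>
      <user><username>foo</username><password>foo</password>
         <roles><role>ROLE_FABRIC3_OBSERVER</role></roles></user>
      <user><username>bar</username><password>bar</password>
         <roles><role>ROLE_FABRIC3_ADMIN</role></roles></user>
      <user><username>guest</username><password>guest</password></user>
   </users>
</config>"""

MODES = ("authentication", "authorization")


def jmx_policy(config_xml):
    """Return (jmx.security mode, set of roles named in jmx.access.roles)."""
    root = ET.fromstring(config_xml)
    runtime = root.find("./runtime")
    mode = runtime.get("jmx.security", "") if runtime is not None else ""
    raw = runtime.get("jmx.access.roles", "") if runtime is not None else ""
    roles = {r.strip() for r in raw.split(",") if r.strip()}
    return mode, roles


def jmx_access_report(config_xml):
    """Map each configured username to True (access granted), False (denied)
    or None (JMX security not enabled, so the question does not arise)."""
    mode, allowed = jmx_policy(config_xml)
    root = ET.fromstring(config_xml)
    report = {}
    for user in root.findall("./users/user"):
        name = user.findtext("username", "").strip()
        roles = {r.text.strip() for r in user.findall("./roles/role") if r.text}
        if mode == "authentication":
            report[name] = True          # any configured user may connect
        elif mode == "authorization":
            report[name] = bool(roles & allowed)  # needs one of the access roles
        else:
            report[name] = None
    return report


def jmx_findings(config_xml):
    """Review findings for the JMX security configuration."""
    mode, allowed = jmx_policy(config_xml)
    findings = []
    if mode not in MODES:
        findings.append("jmx.security is not set; JMX clients are not required to authenticate")
    if mode == "authorization" and not allowed:
        findings.append("authorization mode with no jmx.access.roles: no role grants access")
    for name, ok in jmx_access_report(config_xml).items():
        if ok is False:
            findings.append(f"user {name!r} holds none of the access roles and will be denied")
    root = ET.fromstring(config_xml)
    for user in root.findall("./users/user"):
        name = user.findtext("username", "").strip()
        if name and user.findtext("password", "") == name:
            findings.append(f"user {name!r}: password equals username (assumed weak)")
    return findings


if __name__ == "__main__":
    print(jmx_access_report(JMX_XML))
    for line in jmx_findings(JMX_XML):
        print(line)
```

On the sample, foo and bar are admitted through their roles while guest is denied; a <runtime> element without jmx.security yields the single finding that JMX clients are not required to authenticate.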

For details on enabling MBean authorization, see JMX Component MBeans.