Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: EAP 5.0.1, EAP Cloud Access Phase 1
Component/s: Documentation (Ref Guide, User Guide, etc.)
Release Notes: Documented as Resolved Issue
The instructions in section 7.3 of the installation guide, "7.3. Post Installation Security Configuration", are not correct.
Two things:
1. "JBoss Messaging makes internal connections between nodes in order to redistribute messages between clustered destinations. These connections are made with the user name of a special reserved user whose password is specified by this parameter suckerPassword in the configuration file:
$JBOSS_HOME/server/$CONFIG/deploy/messaging/messaging-jboss-beans.xml
To avoid a security risk, you MUST specify the value of the attribute suckerPassword, otherwise the default value will be used. Knowledge of the default password will allow access to any destination on the server. The following fragment should be modified as indicated:"
When the server is started without changing the suckerPassword first, it throws an error. This error should be mentioned so that it is returned in a search.
So it should probably be reworded as: "JBoss Messaging authenticates within a cluster using a reserved user account whose password is specified in the configuration file: $JBOSS_HOME/server/$CONFIG/deploy/messaging/messaging-jboss-beans.xml.
This password is specified as the property suckerPassword. By default it is set to "CHANGEME!!". You must change this default password in order to use clustered messaging. You should give all nodes in a cluster the same suckerPassword, so that they will be able to communicate with each other. If you do not change the suckerPassword you will receive an error "javax.jms.JMSSecurityException: User JBM.SUCKER is NOT authenticated" when starting a server profile with clustering enabled."
The rewording above needs to be confirmed by an SME, especially the part about changing the password in order to use clustered messaging. The install guide at the moment implies that it will work, but will be insecure. The error that is thrown when starting the server without changing the password, however, suggests that it may not work at all.
OK, so here's the second issue:
2. Even if you change the suckerPassword as per the directions given, you still get the error. The only way to get rid of the error is to also edit $JBOSS_HOME/server/$CONFIG/deploy/messaging/messaging-service.xml and change the suckerPassword in there too.
It seems to me that the messaging-jboss-beans.xml password is the password that the messaging cluster uses to log in, and the messaging-service.xml password is where you set the password that is valid for a login.
If you set them both to the same thing, the server will start without an error.
So it seems that our chosen method of addressing the inherent insecurity of default clustering is to set the JBoss Messaging cluster client password to "CHANGEME!!" and the service password to "admin", so that they don't match, and by default the JBoss Messaging cluster will be unable to authenticate.
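The following is an added example, not part of this issue, the installer, or the EAP install guide: a small Python check that reads both files named above, extracts the cluster credential from each, and reports when the two values differ or when either is still the shipped default. It assumes the element shapes shown in the sample builders (a <property name="suckerPassword"> on the SecurityStore bean in messaging-jboss-beans.xml and an <attribute name="SuckerPassword"> on the ServerPeer MBean in messaging-service.xml); the sample documents are constructed, and the default values "CHANGEME!!" and "admin" are taken from the report above rather than from the shipped files.

```python
# Added example (not from the JIRA issue or the EAP install guide): verify that the
# suckerPassword in messaging-jboss-beans.xml and the SuckerPassword in
# messaging-service.xml agree and that neither is the shipped default.
import sys
import xml.etree.ElementTree as ET

# Default named in the install guide / issue text.
DEFAULT_SUCKER_PASSWORD = "CHANGEME!!"


def _local_name(tag):
    """Strip an XML namespace: '{urn:jboss:bean-deployer:2.0}property' -> 'property'."""
    return tag.rsplit("}", 1)[-1]


def _find_named_text(xml_text, element, name_attr):
    """Text of the first <element name="name_attr"> in the document, or None if absent."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local_name(el.tag) == element and el.get("name") == name_attr:
            return (el.text or "").strip()
    return None


def beans_sucker_password(beans_xml):
    """Password the cluster client logs in with (assumed: <property name="suckerPassword">)."""
    return _find_named_text(beans_xml, "property", "suckerPassword")


def service_sucker_password(service_xml):
    """Password the server accepts for JBM.SUCKER (assumed: <attribute name="SuckerPassword">)."""
    return _find_named_text(service_xml, "attribute", "SuckerPassword")


def check_sucker_passwords(beans_xml, service_xml):
    """Return a list of findings; an empty list means the two files are consistent and non-default."""
    findings = []
    beans_pw = beans_sucker_password(beans_xml)
    service_pw = service_sucker_password(service_xml)
    if beans_pw is None:
        findings.append("messaging-jboss-beans.xml: no suckerPassword property found")
    if service_pw is None:
        findings.append("messaging-service.xml: no SuckerPassword attribute found")
    if findings:
        return findings
    if beans_pw == DEFAULT_SUCKER_PASSWORD:
        findings.append("messaging-jboss-beans.xml: suckerPassword is still the shipped default")
    if service_pw == DEFAULT_SUCKER_PASSWORD:
        findings.append("messaging-service.xml: SuckerPassword is still the shipped default")
    if beans_pw != service_pw:
        findings.append("suckerPassword values differ between the two files: "
                        "JBM.SUCKER will fail to authenticate when clustering is enabled")
    return findings


# Constructed sample documents (assumed structure, reduced to the relevant elements).
def sample_beans_xml(password):
    return f"""<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
    <property name="suckerPassword">{password}</property>
    <property name="securityDomain">messaging</property>
  </bean>
</deployment>
"""


def sample_service_xml(password):
    return f"""<server>
  <mbean code="org.jboss.jms.server.ServerPeer" name="jboss.messaging:service=ServerPeer">
    <attribute name="SuckerPassword">{password}</attribute>
  </mbean>
</server>
"""


def main(argv):
    """Usage: check.py [messaging-jboss-beans.xml messaging-service.xml]; no args checks the samples."""
    if len(argv) == 3:
        with open(argv[1]) as beans, open(argv[2]) as service:
            findings = check_sucker_passwords(beans.read(), service.read())
    else:
        # Mismatched defaults as described in the report: "CHANGEME!!" vs "admin".
        findings = check_sucker_passwords(sample_beans_xml("CHANGEME!!"), sample_service_xml("admin"))
    for line in findings:
        print("FAIL:", line)
    if not findings:
        print("OK: suckerPassword is consistent across both files and is not the default")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against $JBOSS_HOME/server/$CONFIG/deploy/messaging/messaging-jboss-beans.xml and messaging-service.xml from a clustered profile; the "values differ" finding is the configuration state that produces the "User JBM.SUCKER is NOT authenticated" error described in the second issue, and the "shipped default" finding covers the first issue's security concern.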
Is related to: JBPAPP-4453 Installer: User JBM.SUCKER is NOT authenticated Error (Closed)