Upgrade mod_ssl version on Solaris 10

November 4, 2010 · Posted in Apache, Solaris

Because of vulnerabilities in mod_ssl modules compiled with OpenSSL versions prior to 0.9.8n, I have to upgrade the module on my systems. I have web servers running Apache 2.0.59 and 2.2.15, but there are no mod_ssl.so binaries available to download for these versions, so I decided to compile my own modules.

The first step is to upgrade OpenSSL; my systems are Solaris 10 with OpenSSL 0.9.7d. Sunfreeware offers versions 0.9.8o and 1.0.0a, but Apache 2.0/2.2 is not compatible with OpenSSL 1.0.0, so we should use 0.9.8o.


# wget ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssl-0.9.8o-sol10-sparc-local.gz
# gunzip openssl-0.9.8o-sol10-sparc-local.gz
# pkgadd -d openssl-0.9.8o-sol10-sparc-local

Now we have OpenSSL 0.9.8o installed and we need the source for our Apache version (for me, 2.0.59 and 2.2.15). You can download it from here, or, if you have a more recent version, from here.

Downloading:
# wget http://archive.apache.org/dist/httpd/httpd-2.0.59.tar.gz

Unpacking and configuring:
# gunzip httpd-2.0.59.tar.gz
# tar xf httpd-2.0.59.tar
# cd httpd-2.0.59
# ./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-ssl=shared --enable-ssl --with-ssl=/usr/local/ssl --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http

Where --prefix=/usr/local/apache2 is the Apache installation directory and --with-ssl=/usr/local/ssl is the OpenSSL 0.9.8o directory.

Compiling:
# make

The build leaves the new module at httpd-2.0.59/modules/ssl/.libs/mod_ssl.so. Copy it to /usr/local/apache2/modules/ (or your installation directory) and restart the Apache server.

Enable security using user/pass on jmx-console

April 16, 2010 · Posted in JBoss

jmx-console

The jmx-console is an administration tool for JBoss. Through it you can set up the application, change values and start/stop JBoss.

One of my servers was running JBoss without access control; this was a serious security problem because anyone on the network could log in to the console.

To fix this you have to edit the following files:

1. /jboss/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
      <security-domain>java:/jaas/jmx-console</security-domain>
   -->
</jboss-web>

and uncomment the security-domain element:

<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
   -->
      <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>

2. In /jboss/server/default/deploy/jmx-console.war/WEB-INF/web.xml, look for

<!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console.

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>
    -->

and uncomment the security-constraint as well:

<!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console.
   -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

3. Finally, to set the password of the ‘admin’ user, edit the file /jboss/server/default/conf/props/jmx-console-users.properties and change

admin=admin

to

admin=new_pass
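
To check that all three steps really took effect, here is a small audit script. It is an added example, not part of the original post or of JBoss; the names find_all and audit and the sample strings are constructed for illustration. It also reports one thing the post does not cover: under the Servlet specification, a security-constraint that lists http-method elements applies only to the listed methods.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the files shown in the post (not real server files).
JBOSS_WEB_BEFORE = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
JBOSS_WEB_AFTER = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"
WEB_BEFORE = "<web-app><!-- <security-constraint/> --></web-app>"
WEB_AFTER = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint></web-app>"""

def find_all(root, name):
    """Elements called `name` below (or equal to) root, ignoring any XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(jboss_web_xml, web_xml, users_properties):
    """Return a list of findings for the three files' contents; empty means clean."""
    findings = []
    # Step 1: the parser drops comments, so a commented-out element is simply absent.
    domains = find_all(ET.fromstring(jboss_web_xml), "security-domain")
    if not any((d.text or "").strip() == "java:/jaas/jmx-console" for d in domains):
        findings.append("jboss-web.xml: security-domain is not enabled")
    # Step 2: the constraint must be live and must name a role.
    constraints = find_all(ET.fromstring(web_xml), "security-constraint")
    if not constraints:
        findings.append("web.xml: security-constraint is not enabled")
    for c in constraints:
        if not find_all(c, "role-name"):
            findings.append("web.xml: security-constraint has no role-name")
        methods = sorted((m.text or "").strip() for m in find_all(c, "http-method"))
        if methods:
            # Listed methods limit the constraint; other methods are not covered.
            findings.append("web.xml: constraint only covers " + ",".join(methods)
                            + "; remove the http-method elements to cover all methods")
    # Step 3: the shipped admin=admin pair must be gone ("#admin=admin" does not match).
    for line in users_properties.splitlines():
        user, _, password = line.partition("=")
        if (user.strip(), password.strip()) == ("admin", "admin"):
            findings.append("jmx-console-users.properties: default admin=admin still set")
    return findings

if __name__ == "__main__":
    for finding in audit(JBOSS_WEB_AFTER, WEB_AFTER, "admin=new_pass"):
        print(finding)
```

To use it on a real server, pass the contents of the three files from steps 1 to 3 to audit().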