AD248 - ch09s04

Preface A: Introduction

Section A.1: Red Hat JBoss Enterprise Application Platform Administration I

Section A.2: Orientation to the Classroom Environment

Chapter 1: Red Hat JBoss Enterprise Application Platform: Architecture and Features

Section 1.1: Exploring the Architecture of JBoss EAP

Section 1.2: Quiz: Use Cases for Standalone Server versus Managed Domain

Section 1.3: Installing JBoss EAP

Section 1.4: Guided Exercise: Installing JBoss EAP

Section 1.5: Interpreting Extensions, Subsystems, and Profiles

Section 1.6: Quiz: Profile Selection

Section 1.7: Managing JBoss EAP

Section 1.8: Guided Exercise: JBoss EAP Management Console

Section 1.9: Lab: Red Hat JBoss Enterprise Application Platform: Architecture and Features

Section 1.10: Summary

Chapter 2: Configuring JBoss EAP as a Standalone Server

Section 2.1: Running JBoss EAP Standalone Server

Section 2.2: Guided Exercise: Creating a Standalone Server

Section 2.3: Configuring JBoss EAP as a Standalone Server

Section 2.4: Quiz: Configuring Profiles

Section 2.5: Configuring Interfaces and Socket Binding Groups

Section 2.6: Quiz: Configuring Interfaces and Socket Binding Groups

Section 2.7: Lab: Configuring JBoss EAP in Standalone Mode

Section 2.8: Summary

Chapter 3: Scripting Configuration and Deploying Applications

Section 3.1: Configuring JBoss EAP by Using the Management Command Line Interface

Section 3.2: Guided Exercise: Exploring the Management CLI Tool

Section 3.3: Deploying Applications to a Standalone Server

Section 3.4: Guided Exercise: Deploying Applications with Management Tools

Section 3.5: Lab: Scripting Configuration and Deploying Applications

Section 3.6: Summary

Chapter 4: Configuring JBoss EAP as a Managed Domain

Section 4.1: Running JBoss EAP as a Managed Domain

Section 4.2: Quiz: Managed Domains

Section 4.3: Assigning a Domain Controller

Section 4.4: Guided Exercise: Assigning a Domain Controller

Section 4.5: Configuring a Host Controller

Section 4.6: Guided Exercise: Configuring Host Controllers

Section 4.7: Configuring a Domain Controller

Section 4.8: Quiz: Configuring a Domain Controller

Section 4.9: Lab: Configuring JBoss EAP as a Managed Domain

Section 4.10: Summary

Chapter 5: Configuring Servers in a Managed Domain

Section 5.1: Managed Domain Server Architecture

Section 5.2: Quiz: Hosts and Servers

Section 5.3: Configuring Server Groups

Section 5.4: Guided Exercise: Configuring Server Groups

Section 5.5: Configuring Servers

Section 5.6: Guided Exercise: Configuring Servers

Section 5.7: Deploying Applications on a Managed Domain

Section 5.8: Guided Exercise: Deployment on a Managed Domain

Section 5.9: Lab: Configuring Servers in a Managed Domain

Section 5.10: Summary

Chapter 6: Configuring Data Sources

Section 6.1: Exploring the Data Source Subsystem

Section 6.2: Quiz: Data Sources

Section 6.3: Configuring JDBC Drivers

Section 6.4: Guided Exercise: Configuring JDBC Drivers

Section 6.5: Configuring Datasources

Section 6.6: Guided Exercise: Configuring a Data Source

Section 6.7: Configuring an XA Data Source

Section 6.8: Guided Exercise: Configuring an XA Datasource

Section 6.9: Lab: Configuring Data Sources

Section 6.10: Summary

Chapter 7: Configuring the Logging Subsystem

Section 7.1: Configuring Logging Handlers

Section 7.2: Guided Exercise: Configuring Logging Handlers

Section 7.3: Configuring Loggers

Section 7.4: Guided Exercise: Controlling Logging Levels

Section 7.5: Lab: Configuring the Logging Subsystem

Section 7.6: Summary

Chapter 8: Configuring the Messaging Subsystem

Section 8.1: Exploring the Messaging Subsystem

Section 8.2: Quiz: The Messaging Subsystem

Section 8.3: Configuring Messaging Resources

Section 8.4: Guided Exercise: Configuring Messaging Resources

Section 8.5: Configure Journals and Other Settings

Section 8.6: Guided Exercise: Configuring the Journals and Other Settings

Section 8.7: Lab: Configuring the Messaging Subsystem

Section 8.8: Summary

Chapter 9: Securing JBoss EAP

Section 9.1: Configuring a Database Security Domain

Section 9.2: Guided Exercise: Securing an Application

Section 9.3: Configuring an LDAP Security Domain

SectionSection 9.4: Guided Exercise: Configuring the LDAP Login Module

Section 9.5: Securing a JMS Destination

Section 9.6: Quiz: Securing a JMS Destination

Section 9.7: Configuring the Password Vault

Section 9.8: Guided Exercise: Encrypting a Password

Section 9.9: Lab: Securing JBoss EAP

Section 9.10: Summary

Chapter 10: Configuring the Java Virtual Machine

Section 10.1: Configuring the JVM in a Standalone Server

Section 10.2: Quiz: Configuring the JVM in a Standalone Server

Section 10.3: Configuring the JVM in a Managed Domain

Section 10.4: Guided Exercise: Configuring Java Virtual Machines

Section 10.5: Lab: Configuring the Java Virtual Machine

Section 10.6: Summary

Chapter 11: Configuring the Web Subsystem

Section 11.1: Exploring the Features of the Web Subsystem

Section 11.2: Quiz: Features of Web Subsystem

Section 11.3: Configuring the Web Subsystem

Section 11.4: Guided Exercise: Securing HTTP Connections

Section 11.5: Lab: Configuring the Web Subsystem

Section 11.6: Summary

Chapter 12: Deploying Clustered Applications

Section 12.1: Exploring Clustered Applications

Section 12.2: Quiz: Exploring Clustered Applications

Section 12.3: Configuring Subsystems that Support Clustered Applications

Section 12.4: Guided Exercise: Configuring JGroups for a Clustered Web Application

Section 12.5: Configuring Load Balancer

Section 12.6: Guided Exercise: Configuring Load Balancing

Section 12.7: Deploying HA Singleton Applications

Section 12.8: Quiz: Deploying an HA Singleton Applications

Section 12.9: Lab: Deploying Clustered Applications

Section 12.10: Summary

Chapter 13: Comprehensive Review

Section 13.1: Comprehensive Review

Section 13.2: Lab: Comprehensive Review of Red Hat JBoss Application Administration I

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12 13

Guided Exercise: Configuring the LDAP Login Module

Use an LDAP security scheme to secure an application.

Resources
Files:	`/home/student/AD248/labs/security-ldaprealm`
Application URL:	http://127.0.0.1:8080/guessLDAP

Outcomes

You should be able to enable authentication in an application using a LDAP login module.

Before beginning the guided exercise, run the following command to prepare the environment:

[student@workstation ~]$ lab start security-ldaprealm

This exercise uses an LDAP server that runs as a container in the workstation machine. You can inspect the LDAP schema in the /home/student/AD248/labs/security-ldaprealm/schema.ldif file.

Instructions

Start the standalone instance of Red Hat JBoss Enterprise Application Platform (JBoss EAP) by running the following command that uses /home/student/AD248/labs/security-ldaprealm/standalone as the base directory:
```
[student@workstation ~]$ cd /opt/jboss-eap-7.4/bin
[student@workstation bin]$ ./standalone.sh \
-Djboss.server.base.dir=/home/student/AD248/labs/security-ldaprealm/standalone/
```
Review the guessLDAP application security configuration.
The guessLDAP application is already configured to require authentication. Step through the following configuration files to see how it requires authentication.
1. Inspect the application in the /home/student/AD248/labs/security-ldaprealm/guessLDAP directory.
  Explore the /home/student/AD248/labs/security-ldaprealm/guessLDAP/src/main/webapp/WEB-INF/jboss-web.xml file.
```
...output omitted...
<jboss-web>
        <security-domain>ad248_ldap</security-domain>
</jboss-web>
```
The security-domain points to an ad248_ldap security domain used by the application.

Configure the ad248_ldap security domain.

The LDAP server is running in a ldap container on the workstation machine on the 10389 port. In a new terminal window, run the following command to execute an ldapsearch within the LDAP container:

[student@workstation ~]$ podman exec -it ldap \
ldapsearch -x -D "cn=admin,dc=example,dc=com" \
-w redhat123 -b "dc=example,dc=com"
...output omitted...
# Admin, Roles, example.com
dn: cn=Admin,ou=Roles,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Admin
member: uid=alice,ou=Users,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

Start the management CLI with the following commands:

[student@workstation ~]$ cd /opt/jboss-eap-7.4/bin
[student@workstation bin]$ ./jboss-cli.sh --connect

Create the ad248_ldap security domain with a default cache type:

[standalone@localhost:9990] /subsystem=security/security-domain\
=ad248_ldap:add(cache-type=default)
{"outcome" => "success"}

Create the authentication child of the security domain:

[standalone@localhost:9990] /subsystem=security/security-domain\
=ad248_ldap/authentication=classic:add
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

Note

The output indicates that a server reload is required. You can safely ignore that message, because you reload the server in next steps.

Create an LDAP login module within the new legacy security domain with the following characteristics:

Parameter	Value
`Name`	`LdapExtended`
`Code`	`LdapExtended`
Module option `java.naming.factory.initial`	`com.sun.jndi.ldap.LdapCtxFactory`
Module option `java.naming.provider.url`	`ldap://localhost:10389`
Module option `java.naming.security.authentication`	`simple`
Module option `bindDN`	`cn=admin,dc=example,dc=com`
Module option `bindCredential`	`redhat123`
Module option `baseCtxDN`	`ou=Users,dc=example,dc=com`
Module option `baseFilter`	`(uid={0})`
Module option `rolesCtxDN`	`ou=Roles,dc=example,dc=com`
Module option `roleFilter`	`(member={1})`
Module option `roleAttributeID`	`uid`

Use the following command to create the security domain:

[standalone@localhost:9990] /subsystem=security/security-domain=ad248_ldap\
/authentication=classic/login-module=LdapExtended:add\
(code=LdapExtended, flag=required, module-options=\
[("java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory"),\
("java.naming.provider.url"=>"ldap://localhost:10389"),\
("java.naming.security.authentication"=>"simple"),\
("bindDN"=>"cn=admin,dc=example,dc=com"),("bindCredential"=>"redhat123"),\
("baseCtxDN"=>"ou=Users,dc=example,dc=com"),\
("baseFilter"=>"(uid={0})"),("rolesCtxDN"=>"ou=Roles,dc=example,dc=com"),\
("roleFilter"=>"(member={1})"), ("roleAttributeID"=>"uid")])
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

Enter the following command in the CLI to verify the ad248_ldap security domain settings:

[standalone@localhost:9990] /subsystem=security/security-domain=\
ad248_ldap:read-resource(recursive=true)

{
    "outcome" => "success",
    "result" => {
        "cache-type" => "default",
        "acl" => undefined,
        "audit" => undefined,
        "authentication" => {"classic" => {
            "login-modules" => [{
                "code" => "LdapExtended",
                "flag" => "required",
                "module" => undefined,
                "module-options" => {
                    "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory",
                    "java.naming.provider.url" => "ldap://localhost:10389",
                    "java.naming.security.authentication" => "simple",
                    "bindDN" => "cn=admin,dc=example,dc=com",
                    "bindCredential" => "redhat123",
                    "baseCtxDN" => "ou=Users,dc=example,dc=com",
                    "baseFilter" => "(uid={0})",
                    "rolesCtxDN" => "ou=Roles,dc=example,dc=com",
                    "roleFilter" => "(member={1})",
                    "roleAttributeID" => "uid"
                }
            }],
            "login-module" => {"LdapExtended" => {
                "code" => "LdapExtended",
                "flag" => "required",
                "module" => undefined,
                "module-options" => {
                    "java.naming.factory.initial" => "com.sun.jndi.ldap.LdapCtxFactory",
                    "java.naming.provider.url" => "ldap://localhost:10389",
                    "java.naming.security.authentication" => "simple",
                    "bindDN" => "cn=admin,dc=example,dc=com",
                    "bindCredential" => "redhat123",
                    "baseCtxDN" => "ou=Users,dc=example,dc=com",
                    "baseFilter" => "(uid={0})",
                    "rolesCtxDN" => "ou=Roles,dc=example,dc=com",
                    "roleFilter" => "(member={1})",
                    "roleAttributeID" => "uid"
                }
            }}
        }},
        "authorization" => undefined,
        "identity-trust" => undefined,
        "jsse" => undefined,
        "mapping" => undefined
    },
    "response-headers" => {"process-state" => "reload-required"}
}

Reload the server to allow the changes to take effect.
```
[standalone@localhost:9990] :reload
```

Test the LDAP security domain.
1. Package the guessLDAP application.
  Open a new terminal and enter the following command to create a WAR file:
```
[student@workstation ~]$ cd /home/student/AD248/labs/security-ldaprealm/\
guessLDAP/src/main/webapp
[student@workstation webapp]$ jar -cvf /tmp/guessLDAP.war .
```
2. Use the management console or the management CLI, deploy the /tmp/guessLDAP.war file.
```
[standalone@localhost:9990 /] deploy /tmp/guessLDAP.war
```
3. On the workstation machine, navigate to http://localhost:8080/guessLDAP. You should be prompted to log in if the login module was configured correctly.
4. Use alice as the username and password123 as the password to log in successfully.
  If authentication is successful, then you should see the guessLDAP application.
5. Undeploy the guessLDAP application form the standalone server using the CLI:
```
[standalone@localhost:9990] undeploy guessLDAP.war
```
6. Exit the CLI and stop the running instance of JBoss EAP.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish security-ldaprealm

Discuss Red Hat JBoss Enterprise Application Platform Administration I

Go to community

Welcome to the Red Hat JBoss Application Administration 1 (AD248) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat JBoss Application Administration I! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to AD248.Read more about Red Hat JBoss Application Administration I here.

270

Revision: ad248-7.4-18a9db2