Monday, June 15, 2015

Authenticate JBoss EAP 6 through Active Directory

The configuration shown below is the portion of standalone.xml that defines the JBoss EAP 6 management authentication mechanism. Notice that a user's authentication details are stored in a properties file whenever a user is added through the add-user script provided by JBoss. There are two properties files, one for users and one for roles (groups).
    <management>
            <security-realms>
                <security-realm name="ManagementRealm">
                    <authentication>
                        <local default-user="$local" skip-group-loading="true"/>
                        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                    </authentication>
                    <authorization map-groups-to-roles="false">
                        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                    </authorization>
                </security-realm>
                ...
                ...
            </security-realms>
            <management-interfaces>
                <native-interface security-realm="ManagementRealm">
                    <socket-binding native="management-native"/>
                </native-interface>
                <http-interface security-realm=" ManagementRealm ">
                    <socket-binding http="management-http"/>
                </http-interface>
            </management-interfaces>
    </management>
My objective is to implement Active Directory (AD) authentication on JBoss, so that it no longer uses the local users (the ones stored in the properties file), and the connection established to AD must be secured. First I define a connection to AD in <outbound-connections>:
    <management>
        <security-realms>
            ...
        </security-realms>
        <outbound-connections>
            <ldap name="ad" url="ldaps://192.168.1.88:686" search-dn="CN=huahsin,OU=Users, DC=huahsin68,DC=org" search-credential="Abcd1234"/>
        </outbound-connections>
        ...
        ...
    </management>
Then add a new realm, named ADRealm, under the security realms section to search for users. This section defines the search criteria. In my case, I'm using sAMAccountName as the search key, and searching recursively starting from the Users subtree:
    <security-realms>
        ...
        <security-realm name="ADRealm">
            <authentication>
                <ldap connection="ad" base-dn="OU=Users,DC=huahsin68,DC=org" recursive="true">
                    <username-filter attribute="sAMAccountName"/>
                </ldap>
            </authentication>
        </security-realm>
    </security-realms>
Then redirect the HTTP management interface to authenticate against ADRealm rather than ManagementRealm under <management-interfaces> (the native interface keeps using ManagementRealm):
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ADRealm">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
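The three fragments have to agree with each other: the realm's ldap element must name an existing outbound connection, the connection must use ldaps, and each management interface must reference a realm that exists. The following is an added example, not code from the original post or from JBoss, of a small Python check that parses a <management> section and reports such mismatches. The embedded XML, hostnames, DNs, realm names and password are constructed for the demonstration, and the "expression" test on search-credential (anything of the form ${...}) is an assumption about how a vault reference would look.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a trimmed <management> section in the shape the post
# builds up (outbound LDAP connection, ADRealm, http-interface switched over).
SAMPLE_XML = """<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
    </security-realm>
    <security-realm name="ADRealm">
      <authentication>
        <ldap connection="ad" base-dn="OU=Users,DC=example,DC=org" recursive="true">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>
  <outbound-connections>
    <ldap name="ad" url="ldaps://ad.example.org:636"
          search-dn="CN=svc-jboss,OU=Users,DC=example,DC=org" search-credential="changeme"/>
  </outbound-connections>
  <management-interfaces>
    <native-interface security-realm="ManagementRealm">
      <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ADRealm">
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
</management>
"""


def check_management(xml_text):
    """Return a list of findings (strings) about a <management> block.

    An empty list means the realm / connection / interface wiring is consistent.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A stray or mismatched closing tag will show up here.
        return [f"XML does not parse (check for unclosed tags): {exc}"]

    realms = {r.get("name"): r for r in root.iter("security-realm")}
    connections = {c.get("name"): c for c in root.findall("./outbound-connections/ldap")}

    # 1. Every LDAP-backed realm must point at an existing outbound connection
    #    and must say how the username maps onto a directory attribute.
    for name, realm in realms.items():
        ldap = realm.find("./authentication/ldap")
        if ldap is None:
            continue
        conn = ldap.get("connection")
        if conn not in connections:
            findings.append(f"realm {name!r} references unknown LDAP connection {conn!r}")
        if ldap.find("username-filter") is None and ldap.find("advanced-filter") is None:
            findings.append(f"realm {name!r} has no username-filter/advanced-filter")

    # 2. The directory connection must use LDAPS, and the bind password should
    #    not sit in the file in clear text (assumed: a masked value is an
    #    expression such as ${VAULT::...}).
    for name, conn in connections.items():
        url = urlparse(conn.get("url", ""))
        if url.scheme != "ldaps":
            findings.append(f"connection {name!r} uses {url.scheme or 'no'} scheme; expected ldaps")
        cred = conn.get("search-credential", "")
        if cred and not cred.startswith("${"):
            findings.append(f"connection {name!r} stores search-credential in clear text")

    # 3. Each management interface must reference a realm that exists; report
    #    the ones that still authenticate against the local properties realm.
    for iface in root.findall("./management-interfaces/*"):
        raw = iface.get("security-realm", "")
        realm_name = raw.strip()
        if realm_name != raw:
            findings.append(f"{iface.tag} security-realm has surrounding whitespace")
        if realm_name not in realms:
            findings.append(f"{iface.tag} references unknown realm {realm_name!r}")
        elif realms[realm_name].find("./authentication/ldap") is None:
            findings.append(f"{iface.tag} still authenticates against local realm {realm_name!r}")
    return findings


if __name__ == "__main__":
    for finding in check_management(SAMPLE_XML) or ["no findings"]:
        print("-", finding)
```

Run against the sample it reports two things: the search-credential is in clear text, and the native interface still uses the local ManagementRealm. Both match what the post's configuration does; whether they are acceptable is a decision for the deployment, but the check makes them visible before the server is reloaded.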
The second stage is to configure SSL so that JBoss can authenticate over a secure channel. Execute the following command to import the AD server certificate into the cacerts truststore of the JDK that JBoss runs on (the keystore path below is for the Windows JDK used here; adjust it to your installation):

keytool -import -trustcacerts -file /path/to/adcert.cer -alias ADCert -keystore C:\Tool\jdk1.7.0_79\jre\lib\security\cacerts

Once that is done and JBoss is restarted, the HTTP management interface authenticates users against AD.
