Article donated by: Hernan Cunico
This article attempts to cover as many administrative tasks as possible, both common and less common ones. It is grouped in four main sections that follow a flow similar to what you find while using the Geronimo Administration Console, so that it is easier for you to become familiar with both the tasks and the console.

...

If the server is already running you have the option of using the Geronimo Administration Console to shut down the server remotely. With the server up and running, open a Web browser and point it to the following URL to access the console:

http://localhost:8080/console

Log in to the Geronimo Administration Console and click on Shutdown on the Console Navigation menu on the left.

...

  • Request:
    Lets you specify the Request Method and the Requested URI. You can select the Request Method from a drop-down menu; the possible values are ANY, POST and GET. To filter by Requested URI just enter a URI, for example http://localhost:8080/console/login.jsp.


...

You should now see the database pool you just imported listed in the database pool portlet.


Removing database pools

...

If you want to run any SQL command on this database make sure you select test from the Use DB: pull-down menu, enter the SQL command and then click on the Run SQL button. The results of the command will be displayed near the bottom of the portlet.

Configuring JMS

Connection factories, queues, topics and destinations.

To configure JMS, the JMS Connection Factories and JMS Destination Manager portlets are available by selecting JMS on the Console Navigation menu on the left hand side. The JMS Connection Factories portlet displays all the JMS connectors that are configured in the Geronimo server and allows you to add a new JMS Connection Factory.

The JMS Destination Manager portlet lists all the queues and topics that are configured in the Geronimo server.

In Apache Geronimo v1.0 these portlets are not fully implemented, so you will need to create deployment plans and use the command line tools to deploy these configurations. Further details on JMS integration are covered in the Integrating A Third Party JMS Provider section.

...

Our target now is "+ HelloWorld @ http://hcunico:8080/hello"; this module's status is started since there is a + on the left. Alternatively, you can run the following command to list just the started modules:

...

Before we move on, it is recommended that you become familiar with the Geronimo security architecture and concepts. Visit the Security section for details on how security is implemented in Geronimo. The two main security concepts on which the Apache Geronimo security architecture is built are Login Domain and Security Realm; in this section we will focus on the latter.

To administer security realms via the Geronimo Administration Console the Security Realms portlet is available on the Console Navigation menu on the left hand side. This portlet allows you to add a new security realm or edit an existing one. To remove realms you would normally use the command line option with the Deployer tool.

Listed in this portlet you will find all the available security realms. By default, the security realm used by Geronimo to authenticate users via properties file is geronimo-properties-realm.

...

For this example we created a new database called SecurityDatabase using the built-in Derby database. The following steps summarize the procedure followed to create the database and tables, load some sample data and create the connection pool. Detailed instructions on how to define database connection pools are described in the Configuring database pools section.

Create database and load sample data

  • In the Console Navigation menu on the left click on Database Manager.
  • Enter SecurityDatabase in the Create DB: field and click Create.
  • Select the SecurityDatabase database from the Use DB: pull-down menu, enter the following SQL commands and click Run SQL.
    create table users
    (username varchar(15),
    password varchar(15));
    create table groups
    (username varchar(15),
    groupname varchar(15));
  • Select the SecurityDatabase database from the Use DB: pull-down menu, enter the following SQL commands and click Run SQL.
    insert into users values('userone','p1');
    insert into users values('usertwo','p2');
    insert into users values('userthree','p3');
    insert into groups values('userone','admin');
    insert into groups values('usertwo','admin');
    insert into groups values('userthree','user');

...

  • In the Console Navigation menu on the left click on Database Pools.
  • Click on Using the Geronimo database pool wizard.
  • Enter SecurityDatabase as the database pool name. Select Derby embedded from the database pool type pull-down menu and click Next.
  • Verify the JDBC driver class is org.apache.derby.jdbc.EmbeddedDriver.
  • From the Driver Jar pull-down menu select org.apache.derby/derby/10.1.1.0/jar.
  • Leave the connection user name and password blank.
  • Enter SecurityDatabase as the database name and click Next.
  • Click Test Connection.
  • Click Deploy.

...

To create a new security realm click on Add new security realm from the Security Realms portlet.

Enter derby_security_realm in the Name of Security Realm: field, select Database (SQL) Realm from the Realm type: pull-down menu and click Next.

The following screen configures the login module. The first two fields you need to fill in will potentially vary from one database type to another. In this case we are using the embedded Derby database, so the User and Group select SQL should read as follows:

User SELECT SQL: select username, password from APP.users where username=?
Group SELECT SQL: select username, groupname from APP.groups where username=?

Security realm for use with database authentication.

Note that APP is the default schema for the embedded Derby database and it needs to precede the table name in the SQL statement. These statements are likely to differ from one database to another; for instance, this procedure was also tested with DB2, where the SQL statements used were:

User SELECT SQL: select username, password from users where username=?
Group SELECT SQL: select username, groupname from groups where username=?

Once you have entered the SQL statements for retrieving users and groups, select from the Database Pool pull-down menu the database connection pool you created in the previous step (Create connection pool) and click Next.

The remaining fields are not necessary to fill in since that information is already provided by the database connection pool. If you are not using predefined database connection pools you will need to fill in all the fields.

The following step allows you to enable auditing for monitoring the login attempts via this realm. In this step you can also configure the account lockout based on the number of failed login attempts within a specified timeframe. The last option in this step, Store Password, when enabled allows the realm to store the user password in a private credential in the subject.

At this point you have configured this new security realm; the next step is to test it and then deploy it. Click on Test a Login.

Enter a valid user name and password to be retrieved from the database and click Next.

You should receive a confirmation message that the login succeeded; click on Deploy Realm to load this configuration to the server.

Now you have a new, fully configured security realm that retrieves user names and passwords from the built-in Derby database.

The following example shows the deployment plan for this security realm. As an alternative to the Geronimo Administration Console, you can save this example to a file (e.g. derby_security_realm.xml) and deploy it with the Deployer tool by running the following command:

<geronimo_home>\bin\deploy --user system --password manager deploy <realm_path>\derby_security_realm.xml

derby_security_realm.xml

<configuration configId="SecurityRealm-derby_security_realm" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <import>
        <uri>user/database-pool-SecurityDatabase/1/car</uri>
    </import>
    <gbean name="derby_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">derby_security_realm</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>derby_security_realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
                    <log:option name="userSelect">select username, password from APP.users where username=?</log:option>
                    <log:option name="dataSourceApplication">null</log:option>
                    <log:option name="groupSelect">select username, groupname from APP.groups where username=?</log:option>
                    <log:option name="dataSourceName">SecurityDatabase</log:option>
                </log:login-module>
                <log:login-module control-flag="OPTIONAL" server-side="true" wrap-principals="false">
                    <log:login-domain-name>derby_security_realm-Audit</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
                    <log:option name="file">var/log/derby_security_realm.log</log:option>
                </log:login-module>
                <log:login-module control-flag="REQUISITE" server-side="true" wrap-principals="false">
                    <log:login-domain-name>derby_security_realm-Lockout</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
                    <log:option name="lockoutDurationSecs">60</log:option>
                    <log:option name="failurePeriodSecs">10</log:option>
                    <log:option name="failureCount">3</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</configuration>

Testing the security realm

If you want to quickly test this realm you can use the LDAP sample application covered in the Configuring LDAP section. You will just need to change the deployment descriptor geronimo-web.xml to the one shown in the following example, repackage the application and deploy it.

Note that the only change from the original plan is the realm name, from ldap-realm to derby_security_realm.

geronimo-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app
    xmlns="http://geronimo.apache.org/xml/ns/web"
    xmlns:sec="http://geronimo.apache.org/xml/ns/security"
    configId="org/apache/geronimo/ldap-secure-demo">
    <context-root>/ldap-demo</context-root>
    <context-priority-classloader>false</context-priority-classloader>
    <!-- <security-realm-name>ldap-realm</security-realm-name> -->
    <security-realm-name>derby_security_realm</security-realm-name>
    <security>
        <default-principal realm-name="derby_security_realm">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
        </default-principal>
        <role-mappings>
            <role role-name="content-administrator">
                <realm realm-name="derby_security_realm">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
                </realm>
            </role>
            <role role-name="guest">
                <realm realm-name="derby_security_realm">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user2"/>
                </realm>
            </role>
        </role-mappings>
    </security>
</web-app>

Follow the instructions in the Configuring LDAP section to repackage and deploy the application. When you test it, this time you will be using the database SQL realm. Give it a try a few times; you should see the successful login attempts recorded in the log file you specified when you created this security realm (in this example var\log\derby_security_realm.log).

derby_security_realm.log
03/01/2006 15:56:33 - Authentication attempt - userone
03/01/2006 15:56:33 - Authentication succeeded - userone
03/01/2006 16:10:05 - Authentication attempt - usertwo
03/01/2006 16:10:05 - Authentication succeeded - usertwo
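The lockout step configured above and the audit log it produces, replayed in an added Python example (not Geronimo's own code): it parses FileAuditLoginModule-style lines and applies the failureCount, failurePeriodSecs and lockoutDurationSecs values from the derby_security_realm plan to find which users the RepeatedFailureLockoutLoginModule would have locked out. The log excerpt is constructed; the "Authentication failed" wording, the month/day/year stamp order and the inclusive 10-second window boundary are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Option values from the derby_security_realm deployment plan on this page.
FAILURE_COUNT = 3                          # failureCount
FAILURE_PERIOD = timedelta(seconds=10)     # failurePeriodSecs
LOCKOUT_DURATION = timedelta(seconds=60)   # lockoutDurationSecs
STAMP_FORMAT = "%m/%d/%Y %H:%M:%S"         # assumed month/day/year, as in the page's log

# Constructed log excerpt in the FileAuditLoginModule line layout shown above.
# The "Authentication failed" wording for rejected logins is an assumption.
SAMPLE_LOG = """\
03/01/2006 15:56:33 - Authentication attempt - userone
03/01/2006 15:56:33 - Authentication succeeded - userone
03/01/2006 16:10:01 - Authentication failed - usertwo
03/01/2006 16:10:04 - Authentication failed - usertwo
03/01/2006 16:10:08 - Authentication failed - usertwo
03/01/2006 16:20:00 - Authentication failed - userthree
03/01/2006 16:20:15 - Authentication failed - userthree
03/01/2006 16:20:31 - Authentication failed - userthree
"""

def parse_line(line):
    """Split 'stamp - event - user' into (datetime, event, user)."""
    stamp, event, user = (part.strip() for part in line.split(" - ", 2))
    return datetime.strptime(stamp, STAMP_FORMAT), event, user

def lockouts(log_text):
    """Map each user who trips the policy to the time the lockout began.
    A failure counts while it is no older than failurePeriodSecs (sliding
    window; Geronimo's exact boundary rule is assumed to be inclusive)."""
    recent = defaultdict(deque)   # user -> timestamps of failures in the window
    locked = {}
    for line in filter(str.strip, log_text.splitlines()):
        when, event, user = parse_line(line)
        if event != "Authentication failed":
            continue
        window = recent[user]
        window.append(when)
        while when - window[0] > FAILURE_PERIOD:   # drop failures that aged out
            window.popleft()
        if len(window) >= FAILURE_COUNT and user not in locked:
            locked[user] = when
    return locked

def locked_users(log_text):
    """Sorted names of the users the realm would have locked out."""
    return sorted(lockouts(log_text))

def is_locked(log_text, user, stamp):
    """True if `user` is still inside lockoutDurationSecs at time `stamp`."""
    start = lockouts(log_text).get(user)
    at = datetime.strptime(stamp, STAMP_FORMAT)
    return start is not None and timedelta(0) <= at - start < LOCKOUT_DURATION
```

userthree never locks because the three failures are more than 10 seconds apart, while usertwo locks on the third failure and stays locked for 60 seconds.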


Administering certificates

To administer SSL certificates the Keystore Configuration portlet is available by selecting Keystore on the Console Navigation menu on the left hand side. From this portlet you can either import an existing certificate or create a new certificate request.

The certificates in Geronimo are stored in a keystore located in <geronimo_home>\var\security\ssl-keystore-1. This ssl keystore file does not exist until you create the first private key.

If you already have a certificate you can click on import trusted certificate.

Specify the location of the certificate file and click View Certificate. The certificate information will be displayed; you may add an alias to identify this certificate. When done, click on Import to add that certificate to the keystore. You should now see that the keystore size has increased.

To generate a key click on generate key pair. In the following screen enter the relevant information and click on Submit. For this example we entered the following values:

  • Alias: Geronimo Server
  • Key Algorithm: RSA
  • Key Size: 1024
  • Signature Algorithm: MD5withRSA
  • Validity: 2000
  • Common Name (CN): 127.0.0.1
  • Organizational Unit (OU): Geronimo
  • Organizational Name (O): Apache
  • Locality (L): Locality
  • State (ST): State
  • Country (C): Country

You should now see that the keystore size has increased and the private key you just created is listed near the bottom of the Keystore Configuration portlet. Click on view next to the private key you created; you should see the details of this key pair and the options to generate a certificate request and to import a certificate reply from a certification authority (CA).

To generate a certificate request to send to a CA click on generate CSR, copy the generated content and send it to the CA (you would normally receive instructions from the CA on how to send this CSR).

The reply from the CA will likely be a certificate file; to add this certificate to the keystore follow the steps under import trusted certificate.

Using the certificates

Warning: There is currently a known issue using the certificates to secure new HTTPS listeners. A patch is already available and should be applied to the next release of Apache Geronimo; see JIRA GERONIMO-1503 for details.

To use your own certificates instead of the one provided by default with the installation you need to create a new HTTPS listener. Use the Network Listener portlet available by selecting Web Server in the Console Navigation menu on the left hand side. The steps for adding a new HTTPS listener were covered earlier in the Add new HTTPS listener section.