Sunday, June 12, 2011

JDK 6 Update 26 Released

Java Development Kit 6, update 26 has been released.

You can see the release note, bug fixes,a nd security enhancements here:

http://www.oracle.com/technetwork/java/javase/6u26releasenotes-401875.html

You can download from Oracle at:

http://www.oracle.com/technetwork/java/javase/downloads/jdk-6u26-download-400750.html

In my posts, I use the self-extracting bin file.

One simple way to upgrade your JDK is to create a new java home directory (usr/java26 for example), install the new JDK, and then update any environment settings (JAVA_HOME, etc..) as well as any scripts that reference the JAVA_HOME.

Test the new JDK and, once everything looks in order, delete the old.

Thursday, March 17, 2011

Install Apache Geronimo on CentOS

This post will cover installing Geronimo 2 on CentOS, RHEL, or Fedora.

In this post, we'll install the required JDK, Geronimo 2.2.1, create a Geromino start/stop script, and configure Geronimo to run as a service.

Geronimo is available with choice of Tomcat or Jetty. Except for the file names, the installation procedure is identical.

For this installation, we'll use Geronimo 2.2.1, the current, stable release.

To start, we'll install the Java Development Kit (JDK) 1.6

Geronimo 2.2.1 is certified only on Java EE 5 so you can substitute for below, but I have not had any issues with 6.

If you do have the JDK installed, you can skip to: Step 2: Download and Unpack Geronimo 2.2.1:


Step 1: Install JDK 1.6

You can download the JDK here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

We'll install the latest JDK, which is JDK 6 Update 24. The JDK is specific to 32 and 64 bit versions.

My CentOS box is 64 bit, so I'll need: jdk-6u24-linux-x64.bin.

If you are on 32 bit, you'll need: jdk-6u24-linux-i586.bin

Download the appropriate JDK and save it to a directory. I'm saving it to /root.

Move (mv) or copy (cp) the file to the /opt directory:

[root@srv6 ~]# mv jdk-6u24-linux-x64.bin /opt/jdk-6u24-linux-x64.bin  

Create a new directory /usr/java.

[root@srv6 ~]# mkdir /usr/java  

Change to the /usr/java directory we created and install the JDK using 'sh /opt/jdk-6u24-linux-x64.bin'

[root@srv6 ~]# cd /usr/java
[root@srv6 java]# sh /opt/jdk-6u24-linux-x64.bin

Set the JAVA_HOME path. This is where we installed our JDK above.

To set it for your current session, you can issue the following from the CLI:

[root@srv6 java]# JAVA_HOME=/usr/java/jdk1.6.0_24
[root@srv6 java]# export JAVA_HOME
[root@srv6 java]# PATH=$JAVA_HOME/bin:$PATH
[root@srv6 java]# export PATH

To set the JAVA_HOME permanently, we add below to either the ~/.bashrc or ~/.bash_profile of the user (in this case, root).

We can also add it /etc/profile and then source it to give to all users.

JAVA_HOME=/usr/java/jdk1.6.0_24
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH

Once you have added the above to ~/.bash_profile or ~/.bashrc, you should log out, then log back in and check that the JAVA_HOME is set correctly.

[root@srv6 ~]#  echo $JAVA_HOME
/usr/java/jdk1.6.0_24


Step 2: Download and Unpack Geronimo 2.2.1

Download geronimo-tomcat6-javaee5-2.2.1 here

If you want to use the embedded Jetty version, download geronimo-jetty7-javaee5-2.2.1 from the same page as above.

Again, the only difference in installation is the file names, so just adjust accordingly.

Save the file to a directory. I'm saving it to /root/geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz

Before proceeding, you should verify the MD5 Checksum for your Geronimo download.

Since we saved the Geronimo download to /root/geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz, we'll go to the /root directory and use the md5sum command.

[root@srv6 ~]# md5sum geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz
0bb2985421398eb2b4af35ce4eaff974  geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz

Compare the output above to the MD5 Checksum provided by the Geronimo Tomcat MD5 page and insure that they match exactly.


Now, move (mv) or copy (cp) the file to the /usr/share directory:

[root@srv6 ~]# mv geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz /usr/share/geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz

Change to the /usr/share directory and unpack the file using tar -xzf:

[root@srv6 ~]# cd /usr/share
[root@sv2 srv6 ]# tar -xzf geronimo-tomcat6-javaee5-2.2.1-bin.tar.gz  

This will create the directory /usr/share/geronimo-tomcat6-javaee5-2.2.1


Step 3: Configure Geronimo to Run as a Service.

We will now create a simple Start/Stop/Restart script and configure Geronimo to run as a service.

Naviagte to the /etc/init.d directory and create a script called 'geronimo' as shown below.

[root@srv6 share]# cd /etc/init.d
[root@srv6 init.d]# vi geronimo

The script:

#!/bin/bash
# description: Geronimo Start Stop Restart
# processname: geronimo
# chkconfig: 234 20 80
JAVA_HOME=/usr/java/jdk1.6.0_24
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
GERONIMO_HOME=/usr/share/geronimo-tomcat6-javaee5-2.2.1

case $1 in
start)
sh $GERONIMO_HOME/bin/startup.sh
;; 
stop)   
sh $GERONIMO_HOME/bin/shutdown.sh
;; 
restart)
sh $GERONIMO_HOME/bin/shutdown.sh
sh $GERONIMO_HOME/bin/startup.sh
;; 
esac    
exit 0

As you can see, we are simply calling the startup.sh and shutdown.sh scripts located in the Geronimo bin directory (/usr/share/geronimo-tomcat6-javaee5-2.2.1/bin).

GERONIMO_HOME is the Geronimo home directory where we unpacked at (/usr/share/geronimo-tomcat6-javaee5-2.2.1)

Now, make the geronimo script executable:

[root@srv6 init.d]# chmod 755 geronimo

Add Geronimo to chkconfig and set to start at boot.

[root@srv6 init.d]# chkconfig --add geronimo
[root@srv6 init.d]# chkconfig --level 234 geronimo on

Verify it:

[root@srv6 init.d]# chkconfig --list geronimo
tomcat          0:off   1:off   2:on    3:on    4:on    5:off   6:off

Now, we can start Geronimo using 'service geronimo start':

Start Geronimo:
[root@srv6 ~]# service geronimo start
Using GERONIMO_HOME:   /usr/share/geronimo-tomcat6-javaee5-2.2.1
Using GERONIMO_TMPDIR: var/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_24/jre
Using GERONIMO_OUT:    /usr/share/geronimo-tomcat6-javaee5-2.2.1/var/log/geronimo.out

Geronimo started in background. PID: 5179


You should now be able to navigate to http://yourdomain.com:8080 or http://yourIPaddress:8080 and we should see the Geronimo home page.



Step 4: Access Geronimo Admin Console and Change Password.

To access the Geronimo Admin Console, click the 'Console' link under Administration on the home page or simply navigate to http://yourdomain.com:8080/console or http://yourIPaddress:8080/console.


The default user name and password is system/manager.



Logged in as system:



To change the default password, in the Console Navigation menu, expand the Security node and then click on 'Users and Groups'



Click the Edit link for the user System and update the password.



Step 5 (optional): Modify Script to Pass the System Password Value.


Stopping Geronimo.

Using our script above, when stopping Geronimo using 'service geronimo stop', we will be prompted for the system password:

[root@srv6 init.d]# service geronimo stop
Using GERONIMO_HOME:   /usr/share/geronimo-tomcat6-javaee5-2.2.1
Using GERONIMO_TMPDIR: var/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_24/jre
Username: system
Password: *******
Locating server on localhost:1099... Server found.
Server shutdown started
Server shutdown completed

We can modify our script, however, to pass the password to the shell by adding '--user system --password manager' to the shutdown command:


#!/bin/bash
# description: Geronimo Start Stop Restart
# processname: geronimo
# chkconfig: 234 20 80
JAVA_HOME=/usr/java/jdk1.6.0_24
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
GERONIMO_HOME=/usr/share/geronimo-tomcat6-javaee5-2.2.1

case $1 in
start)
sh $GERONIMO_HOME/bin/startup.sh
;; 
stop)   
sh $GERONIMO_HOME/bin/shutdown.sh --user system --password manager
;; 
restart)
sh $GERONIMO_HOME/bin/shutdown.sh --user system --password manager
sh $GERONIMO_HOME/bin/startup.sh
;; 
esac    
exit 0


**In the script above, I am using the default system/manager password above, but don't forget to use the new password you created for the system user in the console in Step 4 above.

You can also create a new role and user if you wish to.


Now, when we stop Geronimo using 'service geronimo stop' we are no longer prompted for the password:

Stop Geronimo:

[root@srv6 init.d]# service geronimo stop
Using GERONIMO_HOME:   /usr/share/geronimo-tomcat6-javaee5-2.2.1
Using GERONIMO_TMPDIR: var/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_24/jre
Locating server on localhost:1099... Server found.
Server shutdown started
Server shutdown completed

Learn More About Apache Geronimo

Apache Geronimo
Geronimo Documentation Wiki

Saturday, March 12, 2011

Install JBoss 6 on CentOS

This post will cover installing JBoss 6.0 on CentOS 5.x.


If you are looking to install JBoss 7.1.1 CentOS 6, please see:

http://www.davidghedini.com/pg/entry/install_jboss_7_on_centos


We'll also set up JBoss to run as a service, as well as secure the JMX and Web Service consoles.

While there are similarities to JBoss 5.1 installation, the file locations have changed in some instances.

Here is an outline of the steps we will follow:

1. Download and Install the Java Development Kit (JDK)
2. Download and Install JBoss 6.0 Application Server
3. Create the user, jboss, who will own and run JBoss
4. Set the required JAVA_HOME and JBOSS_HOME paths
5. Create a start/stop/restart script for JBoss
6. Configure JBoss to run as a service
7. Access the JBoss Admin console
8. Change the JBoss Admin Password
9. Secure the JMX Console
10. Securing the Web Service Console
11. Set memory parameters for JBoss using JAVA_OPTS
12. Configure JBoss to run on port 80



Step 1: Download and Install the Java Development Kit (JDK)

You can download the JDK here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

I'm using JDK 6, update 26, the latest as of this post. The JDK is specific to 32 and 64 bit versions.

My CentOS box is 64 bit, so I'll need: jdk-6u26-linux-x64.bin

If you are on 32 bit, you'll need: jdk-6u26-linux-i586.bin

Download the appropriate JDK and save it to a directory. I'm saving it to /root.

Move (mv) or copy (cp) the file to the /opt directory:

[root@sv2 ~]# mv jdk-6u26-linux-x64.bin /opt/jdk-6u26-linux-x64.bin

Create the directory /usr/java.

[root@sv2 ~]# mkdir /usr/java

Change to the /usr/java directory we created and install the JDK using 'sh /opt/jdk-6u26-linux-x64.bin'

[root@sv2 ~]# cd /usr/java
[root@sv2 java]# sh /opt/jdk-6u26-linux-x64.bin

We now have the JDK installed at /usr/java/jdk1.6.0_26. We'll use this for our JAVA_HOME a bit later in step



Step 2: Download and Install JBoss 6.0 Application Server

Download jboss-6.0.0.Final.zip at http://sourceforge.net/projects/jboss/files/JBoss/jboss-6.0.0.Final/ or use wget:

[root@sv2 ~]# wget http://sourceforge.net/projects/jboss/files/JBoss/JBoss-6.0.0.Final/jboss-as-distribution-6.0.0.Final.zip/download
.
.
.
100%[======================================>] 181,267,148  816K/s   in 3m 31s

2011-03-13 00:56:44 (839 KB/s) - `jboss-as-distribution-6.0.0.Final.zip' saved [181267148/181267148]


Move (mv) or copy (cp) the file to /usr/share/jboss-6.0.0.Final.zip.

[root@sv2 ~]# mv jboss-as-distribution-6.0.0.Final.zip /usr/share/jboss-as-distribution-6.0.0.Final.zip

Change to the /usr/share directory and unzip the file:

[root@sv2 ~]# cd /usr/share
[root@sv2 share]# unzip -q jboss-as-distribution-6.0.0.Final.zip

The unzip will create the following directory: /usr/share/jboss-6.0.0.Final

This directory will be our JBOSS_HOME, which we will use below in Step 4.


Step 3: Create the user, jboss, who will own and run JBoss


Since we will want to run JBoss as a non-root user with minimal privileges, we'll create a user, jboss, who will own the JBoss files and JBoss will run under his account.

To do this, we can need to the following.

Create a new group, jboss, and then create the user jboss and add the user to the jboss group.

[root@sv2 ~]# groupadd jboss
[root@sv2 ~]# useradd -s /bin/bash -g jboss jboss


Change ownership of the JBoss home directory, /usr/share/jboss-6.0.0.Final so all files are owned by the user jboss we created.

[root@sv2 ~]# chown -Rf jboss.jboss /usr/share/jboss-6.0.0.Final/

Step 4: Set the required JAVA_HOME and JBOSS_HOME paths

We no need to set the JAVA_HOME and JBOSS_HOME.

The JAVA_HOME is where we installed the JDK above, /usr/java/jdk1.6.0_26, and the JBOSS_HOME is where we installed JBoss above /usr/share/jboss-6.0.0.Final.

Add the following to the jboss users .bash_profile:

JAVA_HOME=/usr/java/jdk1.6.0_26
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
JBOSS_HOME=/usr/share/jboss-6.0.0.Final
export JBOSS_HOME


To set the JAVA_HOME for users, we add this to the user ~/.bashrc or ~/.bash_profile of the user. We can also add it /etc/profile and then source it to give to all users.

JAVA_HOME=/usr/java/jdk1.6.0_26 
export JAVA_HOME 
PATH=$JAVA_HOME/bin:$PATH 
export PATH

Once you have added the above to ~/.bash_profile or ~/.bashrc, you should su to the user jboss and verify that the JAVA_HOME and JBOSS_HOME are set correctly.

[root@sv2 ~]#  su jboss
[jboss@sv2 ~]#  echo $JAVA_HOME
/usr/java/jdk1.6.0_26
[jboss@sv2 ~]#  echo $JBOSS_HOME
/usr/share/jboss-6.0.0.Final






Step 5: Create a start/stop/restart script for JBoss.

For our JBoss script we will simply copy the existing jboss_init_redhat.sh script located at at /usr/share/jboss-6.0.0.Final/bin, copy it to /etc/init.d and rename it to 'jboss':

So, as root:
[root@sv2 ~]# cd /usr/share/jboss-6.0.0.Final/bin 
[root@sv2 bin]# cp jboss_init_redhat.sh /etc/init.d/jboss

In the jboss script (shown completed below), make the following changes:

1. Add lines 3,4, and 5:

# description: JBoss Start Stop Restart
# processname: jboss
# chkconfig: 234 20 80

2. Line 22, Set the JBOSS_HOME to where we unpacked JBoss in step 2 above:
JBOSS_HOME=${JBOSS_HOME:-"/usr/share/jboss-6.0.0.Final"}

3. Line 28. Set the JAVA_HOME to where we installed the JDK in step 1 above:
JAVAPTH=${JAVAPTH:-"/usr/java/jdk1.6.0_26"}

4. Add line 34, which sets the JBOSS_HOST to 0.0.0.0, allowing JBoss to bind to any IP.
JBOSS_HOST="0.0.0.0"

#!/bin/sh
#
# description: JBoss Start Stop Restart
# processname: jboss6
# chkconfig: 234 20 80
#
# $Id: jboss_init_redhat.sh 81068 2008-11-14 15:14:35Z dimitris@jboss.org $
#
# JBoss Control Script
#
# To use this script run it as root - it will switch to the specified user
#
# Here is a little (and extremely primitive) startup/shutdown script
# for RedHat systems. It assumes that JBoss lives in /usr/local/jboss,
# it's run by user 'jboss' and JDK binaries are in /usr/local/jdk/bin.
# All this can be changed in the script itself. 
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.

#define where jboss is - this is the directory containing directories log, bin, conf etc
JBOSS_HOME=${JBOSS_HOME:-"/usr/share/jboss-6.0.0.Final"}

#define the user under which jboss will run, or use 'RUNASIS' to run as the current user
JBOSS_USER=${JBOSS_USER:-"jboss"}

#make sure java is in your path
JAVAPTH=${JAVAPTH:-"/usr/java/jdk1.6.0_26"}

#configuration to use, usually one of 'minimal', 'default', 'all'
JBOSS_CONF=${JBOSS_CONF:-"default"}

#if JBOSS_HOST specified, use -b to bind jboss services to that address
JBOSS_HOST="0.0.0.0"
JBOSS_BIND_ADDR=${JBOSS_HOST:+"-b $JBOSS_HOST"}

#define the classpath for the shutdown class
JBOSSCP=${JBOSSCP:-"$JBOSS_HOME/bin/shutdown.jar:$JBOSS_HOME/client/jnet.jar"}

#define the script to use to start jboss
JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh -c $JBOSS_CONF $JBOSS_BIND_ADDR"}

if [ "$JBOSS_USER" = "RUNASIS" ]; then
  SUBIT=""
else
  SUBIT="su - $JBOSS_USER -c "
fi

if [ -n "$JBOSS_CONSOLE" -a ! -d "$JBOSS_CONSOLE" ]; then
  # ensure the file exists
  touch $JBOSS_CONSOLE
  if [ ! -z "$SUBIT" ]; then
    chown $JBOSS_USER $JBOSS_CONSOLE
  fi 
fi

if [ -n "$JBOSS_CONSOLE" -a ! -f "$JBOSS_CONSOLE" ]; then
  echo "WARNING: location for saving console log invalid: $JBOSS_CONSOLE"
  echo "WARNING: ignoring it and using /dev/null"
  JBOSS_CONSOLE="/dev/null"
fi

#define what will be done with the console log
JBOSS_CONSOLE=${JBOSS_CONSOLE:-"/dev/null"}

JBOSS_CMD_START="cd $JBOSS_HOME/bin; $JBOSSSH"
JBOSS_CMD_STOP=${JBOSS_CMD_STOP:-"java -classpath $JBOSSCP org.jboss.Shutdown --shutdown"}

if [ -z "`echo $PATH | grep $JAVAPTH`" ]; then
  export PATH=$PATH:$JAVAPTH
fi

if [ ! -d "$JBOSS_HOME" ]; then
  echo JBOSS_HOME does not exist as a valid directory : $JBOSS_HOME
  exit 1
fi

echo JBOSS_CMD_START = $JBOSS_CMD_START

case "$1" in
start)
    cd $JBOSS_HOME/bin
    if [ -z "$SUBIT" ]; then
        eval $JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &
    else
        $SUBIT "$JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &" 
    fi
    ;;
stop)
    if [ -z "$SUBIT" ]; then
        $JBOSS_CMD_STOP
    else
        $SUBIT "$JBOSS_CMD_STOP"
    fi 
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 (start|stop|restart|help)"
esac



Step 6: Run JBoss as a Service.

To run JBoss as a service and enable start up at boot, make the script we created above executable and add it to our chkconfig so it starts at boot.

[root@sv2 init.d]# chmod 755 jboss
[root@sv2 init.d]# chkconfig --add jboss
[root@sv2 init.d]# chkconfig --level 234 jboss on


We should now be able to Start, Stop, and Restart JBoss as a service.

Start JBoss:

Note: JBoss can take some time to start.

[root@sv2 init.d]# service jboss start
JBOSS_CMD_START = cd /usr/share/jboss-6.0.0.Final/bin; /usr/share/jboss-6.0.0.Final/bin/run.sh -c default -b 0.0.0.0

Stop JBoss:
[root@sv2 init.d]# service jboss stop
JBOSS_CMD_START = cd /usr/share/jboss-6.0.0.Final/bin; /usr/share/jboss-6.0.0.Final/bin/run.sh -c default -b 0.0.0.0
Shutdown message has been posted to the server.
Server shutdown may take a while - check logfiles for completion



Step 7: Access the JBoss Admin.

Make sure JBoss is started and you should now be able to access the Jboss Console at:

http://yourdomain.com:8080 or http://yourip:8080

The default user name and password for the JBoss Admin Console is admin/admin


Access the Admin Console by clicking on the Administration Console link.










Step 8: Change the JBoss Admin Password

To change the default Admin Console password, go to:

/usr/share/jboss-6.0.0.Final/server/default/conf/props

Open the jmx-console-users.properties file in text editor and change the password.

# A sample users.properties file for use with the UsersRolesLoginModule
admin=MyPassword


Step 9: Secure the JMX Console

To secure the JMX Console, go to:

/usr/share/jboss-6.0.0.Final/common/deploy/jmx-console.war/WEB-INF

First, edit the web.xml file. Towards the bottom, you will find the security-constraint as shown below:

<!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console.
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>
   -->

Un-comment the security-constraint section so it appears thus:


<security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

Next, still in the WEB-INF directory, edit the jboss-web.xml file, which will look as below:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
   
<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
      <security-domain>java:/jaas/jmx-console</security-domain>
   -->
</jboss-web>

Uncomment the security-domain so it appears thus:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
   
<jboss-web>
   
      <security-domain>java:/jaas/jmx-console</security-domain>
   
</jboss-web>

At this point, the password for the JMX Console will be the same as the password we set for the Admin Console in step 8 above.

Both the Admin Console and JMX Console are are using the jmx-console-roles.properties and jmx-console-users.properties files.



Step 10: Secure the Web Service Console

To secure the Web Service Console, go to:

/usr/share/jboss-6.0.0.Final/common/deploy/jbossws-console.war/WEB-INF

First, edit the web.xml file. Towards the bottom, you will find the security-constraint as shown below:

<!-- A security constraint that restricts access
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>ContextServlet</web-resource-name>
       <description>An example security config that only allows users with the
         role 'friend' to access the JBossWS console web application
       </description>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>friend</role-name>
     </auth-constraint>
   </security-constraint>
   -->

Un-comment the security-constraint section so it appears thus:


<security-constraint>
     <web-resource-collection>
       <web-resource-name>ContextServlet</web-resource-name>
       <description>An example security config that only allows users with the
         role 'friend' to access the JBossWS console web application
       </description>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>friend</role-name>
     </auth-constraint>
   </security-constraint>

Next, still in the WEB-INF directory, edit the jboss-web.xml file, which will look as below:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">

<jboss-web>

  <!-- A security domain that restricts access
  <security-domain>java:/jaas/JBossWS</security-domain>
  -->
  
  <context-root>jbossws</context-root>

</jboss-web>

Uncomment the security-domain so it appears thus:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">

<jboss-web>

 
  <security-domain>java:/jaas/JBossWS</security-domain>
 
  
  <context-root>jbossws</context-root>

</jboss-web>


The default user name and password are kermit/thefrog

To change this, go to:

/usr/share/jboss-6.0.0.Final/server/default/conf/props

Open jbossws-roles.properties in a text editor it should appear as below.

# A sample roles.properties file for use with the UsersRolesLoginModule
kermit=friend
Change 'kermit' to a new user name. For example, we'll change it to 'mywsuser' as shown below:

# A sample roles.properties file for use with the UsersRolesLoginModule
mywsuser=friend


Open jbossws-users.properties in a text editor it should appear as below.

# A sample users.properties file for use with the UsersRolesLoginModule
kermit=thefrog

Change 'kermit' to our new user name 'mywsuser' and change the password. For example, we'll change the password to it to 'MyWsPassword' as shown below:

# A sample users.properties file for use with the UsersRolesLoginModule
mywsuser=MyWsPassword


Step 11: Set JAVA_OPTS Memory Parameters


To set the memory limits for JBoss,

Got to: /usr/share/jboss-6.0.0.Final/bin

Open the run.sh file in a text editor.

Find the section below:
# Setup JBoss specific properties
JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"

Directly below this, add the desired parameters.

# Setup JBoss specific properties
JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"
JAVA_OPTS="$JAVA_OPTS -Xms128m -Xmx256m"

I'm installing this on a small VPS so I'm using JAVA_OPTS="$JAVA_OPTS -Xms128m -Xmx256m". You should set this to whatever is appropriate to your server and application.

Step 12: Running JBoss on Port 80.

To run services below port 1024 as user other than root, you can use port forwarding.

You can do this by adding the following to your IP tables:

[root@sv2 ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
[root@sv2 ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8080

Be sure to save and then restart your IP Tables for the above to take effect.

Happy JBoss'ing.

Install JBoss 5.1 on CentOS

This post will cover installing JBoss 5.1 on CentOS 5.x.

NOTE: If you wish to install JBoss 7.1 on CentOS, please see my post here:

http://www.davidghedini.com/pg/entry/install_jboss_7_on_centos

We'll also set up JBoss to run as a service

I did my installation below on CentOS 5.5. This should work for RHEL and Fedora as well.

Firstly, let's outline the steps we will be taking:

1. Download and Install the Java Development Kit (JDK)
2. Download and Install JBoss 5.1 Application Server
3. Create the user, jboss, who will own and run JBoss
4. Set the required JAVA_HOME and JBOSS_HOME paths
5. Create a start/stop/restart script for JBoss
6. Configure JBoss to run as a service
7. Change the JBoss Admin Console password
8. Set memory parameters for JBoss using JAVA_OPTS
9. Configure JBoss to run on port 80
10. Notes: Securing the JMX Console, Web Console, JBossWS, and Tomcat Status.


Step 1: Download and Install the Java Development Kit (JDK)

You can download the JDK here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

I'm using JDK 6, update 24, the latest as of this post. The JDK is specific to 32 and 64 bit versions.

My CentOS box is 64 bit, so I'll need: jdk-6u24-linux-x64.bin.

If you are on 32 bit, you'll need: jdk-6u24-linux-i586.bin

Download the appropriate JDK and save it to a directory. I'm saving it to /root.

Move (mv) or copy (cp) the file to the /opt directory:

[root@sv2 ~]# mv jdk-6u24-linux-x64.bin /opt/jdk-6u24-linux-x64.bin

Create the directory /usr/java.

[root@sv2 ~]# mkdir /usr/java

Change to the /usr/java directory we created and install the JDK using 'sh /opt/jdk-6u24-linux-x64.bin'

[root@sv2 ~]# cd /usr/java
[root@sv2 java]# sh /opt/jdk-6u24-linux-x64.bin

We now have the JDK installed at /usr/java/jdk1.6.0_24. We'll use this for our JAVA_HOME a bit later in step



Step 2: Download and Install JBoss 5.1 Application Server

Download jboss-5.1.0.GA.zip at http://sourceforge.net/projects/jboss/files/JBoss/JBoss-5.1.0.GA/ or use wget:

[root@aoukuk25 ~]# wget http://sourceforge.net/projects/jboss/files/JBoss/JBoss-5.1.0.GA/jboss-5.1.0.GA.zip/download
.
.
.
Saving to: `jboss-5.1.0.GA.zip'

100%[======================================>] 133,466,607 5.58M/s   in 17s

2011-01-02 02:03:02 (7.56 MB/s) - `jboss-5.1.0.GA.zip' saved [133466607/133466607]
[root@sv2 ~]#

Move (mv) or copy (cp) the file to /usr/share/jboss-5.1.0.GA.zip.

[root@sv2 ~]# mv jboss-5.1.0.GA.zip /usr/share/jboss-5.1.0.GA.zip

Change to the /usr/share directory and unzip the file:

[root@sv2 ~]# cd /usr/share
[root@sv2 share]# unzip -q jboss-5.1.0.GA.zip

The unzip will create the following directory: /usr/share/jboss-5.1.0.GA

This directory will be our JBOSS_HOME, which we will use below in Step 4 below


Step 3: Create the user, jboss, who will own and run JBoss


Since we will want to run JBoss as a non-root user with minimal privileges, we'll create a user, jboss, who will own the JBoss files and JBoss will run under his account.

To do this, we can need to the following.

Create a new group, jboss, and then create the user jboss and add the user to the jboss group.

[root@sv2 ~]# groupadd jboss
[root@sv2 ~]# useradd -s /bin/bash -g jboss jboss


Change ownership of the JBoss home directory, /usr/share/jboss-5.1.0.GA so all files are owned by the user jboss we created.

[root@sv2 ~]# chown -Rf jboss.jboss /usr/share/jboss-5.1.0.GA/

Step 4: Set the required JAVA_HOME and JBOSS_HOME paths

We no need to set the JAVA_HOME and JBOSS_HOME.

The JAVA_HOME is where we installed the JDK above, /usr/java/jdk1.6.0_24, and the JBOSS_HOME is where we installed JBoss above /usr/share/jboss-5.1.0.GA.

Add the following to the jboss users .bash_profile:

JAVA_HOME=/usr/java/jdk1.6.0_24
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
JBOSS_HOME=/usr/share/jboss-5.1.0.GA
export JBOSS_HOME


To set the JAVA_HOME for users, we add this to the user ~/.bashrc or ~/.bash_profile of the user. We can also add it /etc/profile and then source it to give to all users.

JAVA_HOME=/usr/java/jdk1.6.0_24 
export JAVA_HOME 
PATH=$JAVA_HOME/bin:$PATH 
export PATH

Once you have added the above to ~/.bash_profile or ~/.bashrc, you should su to the user jboss and verify that the JAVA_HOME and JBOSS_HOME are set correctly.

[root@sv2 ~]#  su jboss
[jboss@sv2 ~]#  echo $JAVA_HOME
/usr/java/jdk1.6.0_24
[jboss@sv2 ~]#  echo $JBOSS_HOME
/usr/share/jboss-5.1.0.GA






Step 5: Create a start/stop/restart script for JBoss.

For our JBoss script we will simply copy the existing jboss_init_redhat.sh script located at at /usr/share/jboss-5.1.0.GA/bin, copy it to /etc/init.d and rename it to 'jboss':

So, as root:
[root@sv2 ~]# cd /usr/share/jboss-5.1.0.GA/bin 
[root@sv2 bin]# cp jboss_init_redhat.sh /etc/init.d/jboss

In the jboss script (shown completed below), make the following changes:

1. Add lines 3,4, and 5:

# description: JBoss Start Stop Restart
# processname: jboss
# chkconfig: 234 20 80

2. Line 21, Set the JBOSS_HOME to where we unpacked JBoss in step 2 above:
JBOSS_HOME=${JBOSS_HOME:-"/usr/share/jboss-5.1.0.GA"}

3. Line 27. Set the JAVA_HOME to where we installed the JDK in step 1 above:
JAVAPTH=${JAVAPTH:-"/usr/java/jdk1.6.0_24"}

4. Add line 33, which sets the JBOSS_HOST to 0.0.0.0, allowing JBoss to bind to any IP.
JBOSS_HOST="0.0.0.0"

#!/bin/sh
#
# description: JBoss Start Stop Restart
# processname: jboss
# chkconfig: 234 20 80
# $Id: jboss_init_redhat.sh 81068 2008-11-14 15:14:35Z dimitris@jboss.org $
#
# JBoss Control Script
#
# To use this script run it as root - it will switch to the specified user
#
# Here is a little (and extremely primitive) startup/shutdown script
# for RedHat systems. It assumes that JBoss lives in /usr/local/jboss,
# it's run by user 'jboss' and JDK binaries are in /usr/local/jdk/bin.
# All this can be changed in the script itself. 
#
# Either modify this script for your requirements or just ensure that
# the following variables are set correctly before calling the script.

#define where jboss is - this is the directory containing directories log, bin, conf etc
JBOSS_HOME=${JBOSS_HOME:-"/usr/share/jboss-5.1.0.GA"}

#define the user under which jboss will run, or use 'RUNASIS' to run as the current user
JBOSS_USER=${JBOSS_USER:-"jboss"}

#make sure java is in your path
JAVAPTH=${JAVAPTH:-"/usr/java/jdk1.6.0_24"}

#configuration to use, usually one of 'minimal', 'default', 'all'
JBOSS_CONF=${JBOSS_CONF:-"default"}

#if JBOSS_HOST specified, use -b to bind jboss services to that address
JBOSS_HOST="0.0.0.0"
JBOSS_BIND_ADDR=${JBOSS_HOST:+"-b $JBOSS_HOST"}


#define the classpath for the shutdown class
JBOSSCP=${JBOSSCP:-"$JBOSS_HOME/bin/shutdown.jar:$JBOSS_HOME/client/jnet.jar"}

#define the script to use to start jboss
JBOSSSH=${JBOSSSH:-"$JBOSS_HOME/bin/run.sh -c $JBOSS_CONF $JBOSS_BIND_ADDR"}

if [ "$JBOSS_USER" = "RUNASIS" ]; then
  SUBIT=""
else
  SUBIT="su - $JBOSS_USER -c "
fi

if [ -n "$JBOSS_CONSOLE" -a ! -d "$JBOSS_CONSOLE" ]; then
  # ensure the file exists
  touch $JBOSS_CONSOLE
  if [ ! -z "$SUBIT" ]; then
    chown $JBOSS_USER $JBOSS_CONSOLE
  fi 
fi

if [ -n "$JBOSS_CONSOLE" -a ! -f "$JBOSS_CONSOLE" ]; then
  echo "WARNING: location for saving console log invalid: $JBOSS_CONSOLE"
  echo "WARNING: ignoring it and using /dev/null"
  JBOSS_CONSOLE="/dev/null"
fi

#define what will be done with the console log
JBOSS_CONSOLE=${JBOSS_CONSOLE:-"/dev/null"}

JBOSS_CMD_START="cd $JBOSS_HOME/bin; $JBOSSSH"
JBOSS_CMD_STOP=${JBOSS_CMD_STOP:-"java -classpath $JBOSSCP org.jboss.Shutdown --shutdown"}

if [ -z "`echo $PATH | grep $JAVAPTH`" ]; then
  export PATH=$PATH:$JAVAPTH
fi

if [ ! -d "$JBOSS_HOME" ]; then
  echo JBOSS_HOME does not exist as a valid directory : $JBOSS_HOME
  exit 1
fi

echo JBOSS_CMD_START = $JBOSS_CMD_START

case "$1" in
start)
    cd $JBOSS_HOME/bin
    if [ -z "$SUBIT" ]; then
        eval $JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &
    else
        $SUBIT "$JBOSS_CMD_START >${JBOSS_CONSOLE} 2>&1 &" 
    fi
    ;;
stop)
    if [ -z "$SUBIT" ]; then
        $JBOSS_CMD_STOP
    else
        $SUBIT "$JBOSS_CMD_STOP"
    fi 
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "usage: $0 (start|stop|restart|help)"
esac



Step 6: Run JBoss as a Service.

To run JBoss as a service and enable start up at boot, make the script we created above executable and add it to our chkconfig so it starts at boot.

[root@sv2 init.d]# chmod 755 jboss
[root@sv2 init.d]# chkconfig --add jboss
[root@sv2 init.d]# chkconfig --level 234 jboss on


We should now be able to Start, Stop, and Restart JBoss as a service.

Start JBoss:

Note: JBoss can take some time to start.

[root@sv2 init.d]# service jboss start
JBOSS_CMD_START = cd /usr/share/jboss-5.1.0.GA/bin; /usr/share/jboss-5.1.0.GA/bin/run.sh -c default -b 0.0.0.0

Stop JBoss:
[root@sv2 init.d]# service jboss stop
JBOSS_CMD_START = cd /usr/share/jboss-5.1.0.GA/bin; /usr/share/jboss-5.1.0.GA/bin/run.sh -c default -b 0.0.0.0
Shutdown message has been posted to the server.
Server shutdown may take a while - check logfiles for completion




Make sure JBoss is started and you should now be able to access the Jboss Console at:

http://yourdomain.com:8080 or http://yourip:8080



If you have any difficulties, check the logs and also insure that port 8080 is open


Step 7: Change the Admin Console Pasword.


The default user name and password for the JBoss Admin Console is admin/admin

To change the password, go to:

/usr/share/jboss-5.1.0.GA/server/default/conf/props

Edit the jmx-console-users.properties file, shown below
# A sample users.properties file for use with the UsersRolesLoginModule
admin=admin

The user name is at left and the password at right. Change the password to something hard to guess ;-)




Step 8: Set JAVA_OPTS Memory Parameters


To set the memory limits for JBoss,

Got to: /usr/share/jboss-5.1.0.GA/bin

Open the run.sh file in a text editor.

Find the section below:
# Setup JBoss specific properties
JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"

Directly below this, add the desired parameters.

# Setup JBoss specific properties
JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"
JAVA_OPTS="$JAVA_OPTS -Xms128m -Xmx256m"

I'm installing this on a small VPS so I'm using JAVA_OPTS="$JAVA_OPTS -Xms128m -Xmx256m". You should set this to whatever is appropriate to your server and application.

Step 9: Running JBoss on Port 80.

To run services below port 1024 as user other than root, you can use port forwarding.

You can do this by adding the following to your IP tables:

[root@sv2 ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
[root@sv2 ~]# iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8080



Step 10: Notes: Secure the JBoss Web Console, JMX Console, JBossWS, and Tomcat Status Page.

This section will cover some simple and most basic methods of securing the consoles.

If you are simply running JBoss locally to have a look at it, you can skip this bit.

I've seen more elegent presentations of securing JBoss, so you may want to Google this if you find below a bit clunky.

As with anything related to your application and server security, please consult the docs.



Step 10a: Secure the JMX Console.


To secure the JMX Console, go to:
/usr/share/jboss-5.1.0.GA/server/default/deploy/jmx-console.war/WEB-INF

First, edit the web.xml file. Towards the bottom, you will find the security-constraint as shown below:

<!-- A security constraint that restricts access to the HTML JMX console
   to users with the role JBossAdmin. Edit the roles to what you want and
   uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
   secured access to the HTML JMX console.
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>
   -->





Un-comment the security-constraint section so it appears thus:


<security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>JBossAdmin</role-name>
     </auth-constraint>
   </security-constraint>

Next, still in the WEB-INF directory, edit the jboss-web.xml file, which will look as below:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
   
<jboss-web>
   <!-- Uncomment the security-domain to enable security. You will
      need to edit the htmladaptor login configuration to setup the
      login modules used to authentication users.
      <security-domain>java:/jaas/jmx-console</security-domain>
   -->
</jboss-web>

Uncomment the security-domain so it appears thus:

<jboss-web>
   
      <security-domain>java:/jaas/jmx-console</security-domain>
   
</jboss-web>

At this point, the password for the JMX Console will be the same as the password we set for the Admin Console at in in step 7a above. Both are using the java:/jaas/jmx-console security domain.

You can, of course change this if you wish to create a stronger solution.



Step 10b: Secure the Web Console.

To secure the Web Console, go to:

/usr/share/jboss-5.1.0.GA/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF

As with the JMX Console, in the WEB-INF.xml un-comment the security constraint so it appears thus:


<security-constraint>
   <web-resource-collection>
   <web-resource-name>HtmlAdaptor</web-resource-name>
   <description>An example security config that only allows users with the
   role JBossAdmin to access the HTML JMX console web application
   </description>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
   <role-name>JBossAdmin</role-name>
   </auth-constraint>
   </security-constraint>

Still in the WEB-INF directory, go to the jboss-web.xml file.

By default, The jboss-web.xml file will appear as below:


<?xml version='1.0' encoding='UTF-8' ?>
 
<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">

<jboss-web>

   <!-- Uncomment the security-domain to enable security. You will
   need to edit the htmladaptor login configuration to setup the
   login modules used to authentication users.
   <security-domain>java:/jaas/web-console</security-domain>
   -->

   <!-- The war depends on the -->
   <depends>jboss.admin:service=PluginManager</depends>
</jboss-web> 

Un-comment the security-domain so it appears thus:

<jboss-web>
   
   <security-domain>java:/jaas/web-console</security-domain>
  

   
   <depends>jboss.admin:service=PluginManager</depends>
</jboss-web>


Now, we need to make a change to the go to login-config.xml file located under /usr/share/jboss-5.1.0.GA/server/default/conf/

Open the login-config.xml and look for the section below:


<application-policy name="web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">web-console-users.properties</module-option>
        <module-option name="rolesProperties">web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

Add 'props/' to the path of the web-console-users.properties and web-console-roles.properties

So the section will now appear thus:


<application-policy name="web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/web-console-users.properties</module-option>
        <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

Finally, go to /root/jboss-5.1.0.GA/server/default/conf/props and create the following files:

1. web-console-roles.properties

The web-console-roles.properties file should contain the following:
admin=JBossAdmin,HttpInvoker


2. web-console-users.properties

The web-console-users.properties file should contain the following:
admin=WebSecret

Where 'WebSecret' is whatever you would like the password to be. If you wish to be able to access the Web Console with the same password as for the Admin and JMX console, simply use the same password here.



Step 10c: Secure the JBossWS. 


The procedure for securing the JBossWS is virtually identical to securing the JMX-Console, save the difference in file loactions.

To secure the JBossWS, go to:
/usr/share/jboss-5.1.0.GA/server/default/deploy/jbossws.sar/jbossws-management.war/WEB-INF

First, edit the web.xml file. Locate the security-constraint (about half-way down the file), and un-comment it so it appears thus:

<security-constraint>
     <web-resource-collection>
       <web-resource-name>ContextServlet</web-resource-name>
       <description>An example security config that only allows users with the
         role 'friend' to access the JBossWS console web application
       </description>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>friend</role-name>
     </auth-constraint>
   </security-constraint>






Next, still in the WEB-INF directory, edit the jboss-web.xml file.

Un-comment the security-domain so it appears thus:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE jboss-web
    PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">

<jboss-web>

  
  <security-domain>java:/jaas/JBossWS</security-domain>
 
  
  <context-root>jbossws</context-root>

</jboss-web>


In the /props directory you will find the jbossws-roles.properties and jbossws-users.properties files.

The default role is 'friend' with user name 'Kermit' and password 'the frog'

jbossws-roles.properties:
# A sample roles.properties file for use with the UsersRolesLoginModule
kermit=friend

jbossws-users.properties:
# A sample users.properties file for use with the UsersRolesLoginModule
kermit=thefrog

Change the user name and password.




Step 10d: Secure the Tomcat Status Page.  

Many would recommend simply disabling the Tomcat Status.

If you wish to secure it, however, go to:

/usr/share/jboss-5.1.0.GA/server/default/deploy/ROOT.war/WEB-INF

Just before the closing web-app tag add the following to the end of the web.xml file:

<security-constraint>  
    <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/status</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>TomcatStatus</role-name>
     </auth-constraint>
   </security-constraint>


   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>TomcatStatus</realm-name>
   </login-config>

   <security-role>
      <role-name>TomcatStatus</role-name>
   </security-role>



Your web.xml file should now look thus:


<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>Welcome to JBoss</display-name>
  <description>
     Welcome to JBoss
  </description>
  <servlet>
    <servlet-name>Status Servlet</servlet-name>
    <servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Status Servlet</servlet-name>
    <url-pattern>/status</url-pattern>
  </servlet-mapping>



<security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <description>An example security config that only allows users with the
         role JBossAdmin to access the HTML JMX console web application
       </description>
       <url-pattern>/status</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>TomcatStatus</role-name>
     </auth-constraint>
   </security-constraint>


   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>TomcatStatus</realm-name>
   </login-config>

   <security-role>
      <role-name>TomcatStatus</role-name>
   </security-role>



</web-app>

Still in the /usr/share/jboss-5.1.0.GA/server/default/deploy/ROOT.war/ directory, create a jboss-web.xml file with the following contents:

<jboss-web>  
      
       <security-domain>java:/jaas/tomcat-status</security-domain>  
      
</jboss-web>


Go to /usr/share/jboss-5.1.0.GA/server/default/conf

Look for the following section:

<application-policy name="web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/web-console-users.properties</module-option>
        <module-option name="rolesProperties">props/web-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

Directly under this section, add the following entry:

<application-policy name="tomcat-status">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/tomcat-status-users.properties</module-option>
        <module-option name="rolesProperties">props/tomcat-status-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>


Now, in the /usr/share/jboss-5.1.0.GA/server/default/conf/props directory, create the following two files:


1. tomcat-status-roles.properties

The tomcat-status-roles.properties file should contain the following:
admin=TomcatStatus


2. tomcat-status-users.properties

The tomcat-status-users.properties file should contain the following:
admin=TomcatSecret

Where 'TomcatSecret' is whatever you would like the password to be. If you wish to be able to access the Web Console with the same password as for the Admin and JMX console, simply use the same password here.

Again, you may find it simpler to just disable the Tomcat Status.




http://community.jboss.org/

Tuesday, March 8, 2011

Installing GlassFish 3.1 on CentOS or RHEL

GlassFish 3.1 has been released.

I've created a post for installing GlassFish 3.1 on CentOS/RHEL which you can find on my new Roller Blog here:

http://www.davidghedini.com/pg/entry/install_glassfish_3_1_on

It is basically the same procedure as GlassFish 3.0.1, with some minor changes.

You can find my GlassFish 3.0.1 post  in this blog
as well as at my new Roller blog:  http://www.davidghedini.com/pg/entry/how_to_install_glassfish_3 



HTH.


Thursday, February 10, 2011

Install Apache Roller 4 on CentOS and Tomcat

This post will cover installing Apache Roller 4.0.1 on CentOS with Tomcat and MySQL.

4.0.1 is the current GA production release of Apache Roller.

For this post, you will need a working installation of Tomcat. If you do not have Tomcat installed, you can install it using our Tomcat step-by-step guide here.

What you will need to download:

apache-roller-4.0.1.zip
JavaMail 1.4.4
mysql-connector-java-5.1.15-bin.jar


I'll be saving the above file to my /opt directory.


1. Create the Required MySQL Database and User:

We'll call our database 'roller'

[root@srv6 opt]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2694
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database roller;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on roller.* to myuser@localhost identified by 'secret';
Query OK, 0 rows affected (0.00 sec)

mysql>


2. Copy The Required JAR Files to the Tomcat/lib Directory

From our downloads, we'll need to copy the mail.jar and mysql-connector-java-5.1.15-bin.jar to our Tomcat/lib Directory

Unzip javamail1_4_4.zip

[root@srv6 opt]# unzip -q javamail1_4_4.zip
Change to the javamail-1.4.4 directory and copy mail.jar to the Tomcat lib directory:
[root@srv6 opt]# cd javamail-1.4.4
[root@srv6 javamail-1.4.4]# cp mail.jar /usr/share/apache-tomcat-6.0.30/lib/mail.jar

Change back to the /opt directory and unpack mysql-connector-java-5.1.15.tar.gz

[root@srv6 javamail-1.4.4]# cd /opt
[root@srv6 opt]# tar -xvf mysql-connector-java-5.1.15.tar.gz

Change to the mysql-connector-java-5.1.15 directory and copy mysql-connector-java-5.1.15-bin.jar to the Tomcat lib directory:

[root@srv6 opt]# cd mysql-connector-java-5.1.15
[root@srv6 mysql-connector-java-5.1.15]# cp mysql-connector-java-5.1.15-bin.jar /usr/share/apache-tomcat-6.0.30/lib/mysql-connector-java-5.1.15-bin.jar




3. Create a roller-custom.properties File

We'll now create our roller-custom.properties file in the Tomcat/lib directory

[root@srv6 mysql-connector-java-5.1.15]#  cd /usr/share/apache-tomcat-6.0.30/lib
[root@srv6 lib]# vi roller-custom.properties

The file should contain the following. Replace database, user and password with your own. If required enter the mail user credentials as well.

installation.type=auto
database.configurationType=jdbc
database.jdbc.driverClass=com.mysql.jdbc.Driver
database.jdbc.connectionURL=jdbc:mysql://localhost:3306/roller
database.jdbc.username=myuser
database.jdbc.password=secret
mail.configurationType=properties
mail.hostName=localhost
#mail.username=
#mail.password=

4. Create roller.war

We now need to build the roller.war file from our Roller download.

Unzip apache-roller-4.0.1.zip
[root@srv6 opt]# unzip -q apache-roller-4.0.1.zip
Change to the apache-roller-4.0.1/webapp/roller directory
[root@srv6 opt]# cd apache-roller-4.0.1/webapp/roller
Create the WAR file
[root@srv6 roller]# % jar cvf ../roller.war *

5. Copy the roller.war to your Tomcat/webapps Directory

The roller.war file is created apache-roller-4.0.1/webapp directory. Copy the WAR to your Tomcat/webapps directory

[root@srv6 webapp]# cp roller.war /usr/share/apache-tomcat-6.0.30/webapps/roller.war



6. Start Tomcat

Start up Tomcat to load your new files and jars.

[root@srv6 webapp]# service tomcat start
Using CATALINA_BASE:   /usr/share/apache-tomcat-6.0.30
Using CATALINA_HOME:   /usr/share/apache-tomcat-6.0.30
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-6.0.30/temp
Using JRE_HOME:        /usr/java/jdk1.6.0_23
Using CLASSPATH:       /usr/share/apache-tomcat-6.0.30/bin/bootstrap.jar


7. Create Roller Tables in MySQL via Roller GUI

If your installation was successful, you should now be able to go to http://YourIP:8080/roller or http://YourDomain:8080/roller

If you are not able to access Roller, check your catalina.out or roller.log files in your Tomcat/logs directory.

You should see a prompt to create the roller tables in MySQL.

Click the "Yes - Create Tables Now" button




On successful completion of creating the Roller tables in MySQL you will see the following:



Follow the prompt and click to complete the installation.



8. Create Global Admin User

The Roller Front Page should now be displayed as below.


Click the 'New User Registration Link' to create your Global Admin user. As noted, the first user registered will have Global Admin rights.



http://roller.apache.org/