JBoss Application Server

Optional Configuration Steps for Your JBoss Application Server

When you apply the third maintenance release for SAS 9.2, SAS automatically configures your JBoss Application Server. However, depending on your site, you might need to complete these additional steps:
Note: Several of these configuration steps require you to add XML code to existing files. When adding XML code, remember the following:

Set File Security in UNIX Environments

To increase security in UNIX environments that were created before installing the third maintenance release for SAS 9.2, type the following commands at a UNIX prompt:
cd SAS-configuration-directory/Lev1/Web
chmod go= Common/login.config

Configure JMS Security

If JMS security is enabled, you must complete these additional steps.
Note: In a standard deployment, JMS security is not enabled.
  1. In the JBoss-installation-directory\server\SASServer1\conf\login-config.xml file:
    1. Comment out the default application policy for "jbossmq" and add a new application policy that uses the UsersRolesLoginModule and the new users.properties and roles.properties files. When finished, your code should look similar to the following:
      <!--
      <application-policy name="jbossmq">
         <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
               flag="required">
                  <module-option name="dsJndiName">java:/DefaultDS</module-option>
                  <module-option name="principalsQuery">SELECT PASSWD FROM
                     JMS_USERS WHERE USERID=?</module-option>
                  <module-option name="rolesQuery">SELECT ROLEID, 'Roles'
                     FROM JMS_ROLES WHERE USERID=?</module-option>
            </login-module>
         </authentication>
      </application-policy>
      -->

      <application-policy name="jbossmq">
         <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
               flag="required">
                  <module-option name="usersProperties">
                     props/sas-jms-users.properties</module-option>
                  <module-option name="rolesProperties">
                     props/sas-jms-roles.properties</module-option>
            </login-module>
         </authentication>
      </application-policy>
      
    2. In the JmsXARealm security realm, replace guest references with the sasjms user and its credentials. Your code should look similar to the following:
      <application-policy name="JmsXARealm">
         <authentication>
            <login-module
               code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
               flag="required">
                  <module-option name="principal">sasjms</module-option>
                  <module-option name="userName">sasjms</module-option>
                  <module-option name="password">EaSyPasWd71</module-option>
                  <module-option name="managedConnectionFactoryName">
                     jboss.jca:service=TxCM,name=JmsXA</module-option>
            </login-module>
         </authentication>
      </application-policy>
  2. In the JBoss-installation-directory\server\SASServer1\conf\jboss-service.xml file, replace the guest role with the role that was defined in the roles.properties file for ConnectionFactories, AlertQueue, and WorkflowQueue. The following code assumes that the JMSUser role is defined in the sas-jms-roles.properties file.
    <mbean code="org.jboss.naming.LinkRefPairService"
       name="jboss.jms:alias=SASTopicConnectionFactory">
          <attribute name="JndiName">sas/jms/TopicConnectionFactory</attribute>
          <attribute name="RemoteJndiName">ConnectionFactory</attribute>
          <attribute name="LocalJndiName">java:/JmsXA</attribute>
          <security>
             <role name="JMSUser" read="true" write="true" />
          </security>
          <depends>jboss:service=Naming</depends>
    </mbean>

    <mbean code="org.jboss.naming.LinkRefPairService"
       name="jboss.jms:alias=SASQueueConnectionFactory">
          <attribute name="JndiName">sas/jms/QueueConnectionFactory</attribute>
          <attribute name="RemoteJndiName">ConnectionFactory</attribute>
          <attribute name="LocalJndiName">java:/JmsXA</attribute>
          <security>
             <role name="JMSUser" read="true" write="true" />
          </security>
          <depends>jboss:service=Naming</depends>
    </mbean>

    <mbean code="org.jboss.mq.server.jmx.Queue"
       name="jboss.mq.destination:service=Queue,name=AlertQueue">
          <depends optional-attribute-name="DestinationManager">
             jboss.mq:service=DestinationManager</depends>
          <attribute name="JndiName">sas/jms/AlertQueue</attribute>
          <security>
             <role name="JMSUser" read="true" write="true" />
          </security>
    </mbean>

    <mbean code="org.jboss.mq.server.jmx.Queue"
       name="jboss.mq.destination:service=Queue,name=WorkflowQueue">
          <depends optional-attribute-name="DestinationManager">
             jboss.mq:service=DestinationManager</depends>
          <attribute name="JndiName">sas/jms/WorkflowQueue</attribute>
          <security>
             <role name="JMSUser" read="true" write="true" />
          </security>
    </mbean>
  3. In the JBoss-installation-directory\server\SASServer1\deploy\jms\jbossmq-service.xml file, replace the guest role with the role that was defined in the roles.properties file for ConnectionFactories, AlertQueue, and WorkflowQueue. The following code assumes that the JMSUser role is defined in the sas-jms-roles.properties file.
    <mbean code="org.jboss.mq.security.SecurityManager"
       name="jboss.mq:service=SecurityManager">
          <attribute name="DefaultSecurityConfig">
             <security>
                <role name="JMSUser" read="true" write="true" create="true" />
             </security>
          </attribute>
          <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
          <depends optional-attribute-name="NextInterceptor">
             jboss.mq:service=DestinationManager</depends>
    </mbean>
    
  4. Restart your JBoss Application Server. For more information, see “Starting or Stopping a JBoss Application Server” in the SAS Intelligence Platform: System Administration Guide.
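
The following check is an added example, not part of the SAS documentation. It parses the edited files and reports any jbossmq policy that does not use UsersRolesLoginModule, any JmsXARealm option still set to guest, and any MBean that still grants the guest role. The function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

USERS_ROLES = "org.jboss.security.auth.spi.UsersRolesLoginModule"

def audit_login_config(xml_text):
    """Findings for the jbossmq and JmsXARealm policies in login-config.xml."""
    findings = []
    root = ET.fromstring(xml_text)  # commented-out policies are ignored by the parser
    for policy in root.iter("application-policy"):
        name = policy.get("name")
        for module in policy.iter("login-module"):
            if name == "jbossmq" and module.get("code") != USERS_ROLES:
                findings.append("jbossmq: login module is %s" % module.get("code"))
            if name == "JmsXARealm":
                for opt in module.iter("module-option"):
                    if (opt.text or "").strip() == "guest":
                        findings.append("JmsXARealm: %s is still guest" % opt.get("name"))
    return findings

def audit_roles(xml_text):
    """Names of MBeans whose <security> block still grants the guest role."""
    root = ET.fromstring(xml_text)
    return [mbean.get("name") for mbean in root.iter("mbean")
            if any(role.get("name") == "guest" for role in mbean.iter("role"))]

# Constructed samples: a half-finished edit of login-config.xml and a service file.
SAMPLE_LOGIN = """<policy>
  <!-- <application-policy name="jbossmq"> old DatabaseServerLoginModule </application-policy> -->
  <application-policy name="jbossmq"><authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
  </authentication></application-policy>
  <application-policy name="JmsXARealm"><authentication>
    <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
      <module-option name="principal">sasjms</module-option>
      <module-option name="userName">guest</module-option>
    </login-module>
  </authentication></application-policy>
</policy>"""
SAMPLE_SERVICE = """<server>
  <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=AlertQueue">
    <security><role name="guest" read="true" write="true"/></security></mbean>
  <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=WorkflowQueue">
    <security><role name="JMSUser" read="true" write="true"/></security></mbean>
</server>"""

if __name__ == "__main__":
    print(audit_login_config(SAMPLE_LOGIN))
    print(audit_roles(SAMPLE_SERVICE))
```

To audit a real deployment, pass the contents of login-config.xml to audit_login_config and the contents of jboss-service.xml and jbossmq-service.xml to audit_roles; empty lists mean no guest references remain.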

Restore Restrictive Policy Settings

If you configured your environment to use restrictive policy settings, then you had to disable these policy settings before you applied the third maintenance release for SAS 9.2. How you restore these settings depends on whether SAS automatically reconfigured JBoss and whether you specified to use restricted permissions in your initial deployment. Use the following table to determine the post-configuration steps for your site.
Table: When Post-Configuration Steps Are Required

Type of Configuration: SAS automatically reconfigures the JBoss server and re-creates the restrictive policy file.
Post-Configuration Steps: If you selected to use restrictive permissions the first time you configured your SAS 9.2 deployment, then SAS specified the following options in the start-up script:
  -Djava.security.manager
  -Djava.security.policy=full-path-to-restrictive-policy-file
Therefore, you do not need to specify these options again. When SAS automatically restarts the JBoss server, then the restricted permissions file should be created and copied to the server.

Type of Configuration: You manually configured the JBoss server, or you manually created the restrictive policies file.
Post-Configuration Steps: If you manually configured JBoss, or if you created the restrictive policy file the first time you configured your SAS 9.2 deployment, then the restrictive policy file is stored in SAS-configuration-directory/Lev1/Web/Common/jboss. After you apply the third maintenance release, you must specify the following options in the start-up script:
  -Djava.security.manager
  -Djava.security.policy=full-path-to-restrictive-policy-file

Restore Customizations to Web Authentication

After you install a maintenance release, complete the following high-level tasks to restore any customizations for Web authentication.
  1. Modify Logon Manager.
  2. Set the CLASSPATH for Remote Services JVM.
  3. Log on to verify the Web authentication configuration.
For more information about each task, see the corresponding topics in Configuring JBoss Application Server 4.2.0 for Web Authentication with SAS 9.2 Web Applications. This document is available from http://support.sas.com/resources/thirdpartysupport/v92m3/appservers/ConfiguringJBossWebAuth.pdf.