Is anyone aware of any embeddable Kerberos servers (KDC / KAdmin) which are written in Java and may run just within the JVM process (something like the Hadoop minicluster or embedded LDAP servers)?
My goal is to let people run integration tests requiring Kerberos authentication without having to install a local Kerberos server or configure a remote server and the connection to it.
You can give Apache Directory Server (http://directory.apache.org/) a try. It supports LDAP and Kerberos. See this example:
http://svn.apache.org/repos/asf/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
I was/am looking for such a thing too but this is simply not really possible because you will need a fully functional DNS server for this. A fully decoupled system is necessary. You can achieve this via the virtualization-maven-plugin and a group of virtual machines in VirtualBox with an internal network.
LDAP servers won't help you at all because they do absolutely nothing with GSS-API and Kerberos. SASL does everything by delegating auth to the next available KDC.
You need a KDC and a DNS server. You may try Samba 4 on one machine, set up a second one which joins the domain, install Hadoop on it, add a third one (client), join and run tests from there.
It seems like you can have Apache DS mimic a KDC: http://directory.apache.org/apacheds/configuration/ads-2.0-configuration.html
I have written an embedded LDAP server for a similar purpose, and you can also use it for testing with Kerberos; it is especially useful for cases like testing Hadoop Kerberos.
https://github.com/krishdey/EmbeddedLdapKDC
You may also look at the class for writing embedded JUnit testing https://github.com/krishdey/EmbeddedLdapKDC/blob/master/EmbeddedLdapKDC/src/test/java/com/krish/ead/server/KerberosLdapIntegrationTest.java
Might be useful for you.
Hadoop publishes a MiniKdc class which can be used. From the MiniKdc class doc comment:
Mini KDC based on Apache Directory Server that can be embedded in testcases or used from command line as a standalone KDC.
https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-minikdc
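As an added example (not from the original answer or from the Hadoop project), here is a JUnit test that starts MiniKdc, creates a keytab for a constructed service principal and proves the embedded KDC works by doing a JAAS keytab login against it; the principal name, realm and the JAAS entry name are assumptions.

```java
import java.io.File;
import java.nio.file.Files;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.*;
import org.apache.hadoop.minikdc.MiniKdc;
import org.junit.*;
import static org.junit.Assert.assertTrue;

public class EmbeddedKdcTest {
    private File workDir;
    private MiniKdc kdc;

    @Before
    public void startKdc() throws Exception {
        workDir = Files.createTempDirectory("minikdc").toFile();
        Properties conf = MiniKdc.createConf();   // default realm EXAMPLE.COM, random free port
        kdc = new MiniKdc(conf, workDir);
        kdc.start();                               // writes a krb5.conf for this KDC into workDir
        // Point the JDK Kerberos client at the embedded KDC instead of /etc/krb5.conf.
        System.setProperty("java.security.krb5.conf", kdc.getKrb5conf().getAbsolutePath());
    }

    @After
    public void stopKdc() { if (kdc != null) kdc.stop(); }

    @Test
    public void keytabLoginAgainstEmbeddedKdc() throws Exception {
        File keytab = new File(workDir, "service.keytab");
        kdc.createPrincipal(keytab, "HTTP/localhost");   // constructed test principal
        String principal = "HTTP/localhost@" + kdc.getRealm();
        // Programmatic JAAS config: keytab login, no ticket cache, never prompt for a password.
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab.getAbsolutePath());
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        opts.put("refreshKrb5Config", "true");     // re-read krb5.conf, in case an earlier test set another one
        Configuration jaas = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("kdc-test", new Subject(), null, jaas);
        lc.login();   // obtains a TGT from MiniKdc; fails if the KDC is down or the keytab is wrong
        assertTrue(lc.getSubject().getPrincipals(KerberosPrincipal.class).stream()
                .anyMatch(p -> p.getName().equals(principal)));
        lc.logout();
    }
}
```

Nothing outside the JVM is installed; the same `Subject` can then be handed to `Subject.doAs(...)` to exercise the GSS-API code under test.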
I just spent the day building and rebuilding docker images of my app with different variations of JVM command line options -Dcom.sun.management.jmxremote....
So I can get JMX authentication to work which was one step forward, but then anybody in my organisation could login and execute JMX commands.
But it seems to me that I have to rely on putting usernames and passwords in text files in my docker containers (or accessible to them) if I want to restrict authorization to a small group of users.
Isn't there another out-of-the-box way to monitor memory and threads and manipulate loggers or connection pools etc in production?
The official docs Monitoring and Management Using JMX Technology are not encouraging.
I thought microservices architecture might have a new approach but I can't find it on the web or on stackoverflow.
I investigated coding up a routine to launch the JMX server internally with custom authorization to use the Krb5LoginModule to access AD groups following JMX Authentication - Role Based MBean Operations and Support for Kerberos Authentication/Authorization on JMX Client/Server running on Java 6
I even dredged up a long-since vanished Oracle blog post on the subject at the waybackmachine: Authentication and Authorization in JMX RMI connectors
Now at the end of the day it's obvious that I have to keep it simpler than this and go with the out-of-the-box solution, but that is so primitive and looks like it hasn't been improved since Java 1.6.
Is JMX just a basic mechanism to allow EJB containers to do JMX, which of course, being gargantuan EJB containers, have their own JMX connectors that pre-authorize everything?
Isn't there something that will allow me to implement AD groups for authorization in a multi-user environment without writing my own JMX security module?
Jolokia is uncharted territory for me, and after having read the documentation, I'm still not sure if it'll work with the scenario I have in mind.
Setup:
Tomcat application server (version ranges from 6.x to 7.x), usually on a Windows platform, occasionally a flavour of Linux.
Deployed third-party Java web application (SAP BusinessObjects) with JMX monitoring enabled (accessible through RMI).
Possible gotchas:
The Java web application to be monitored is commercial and closed source, so modifications are not possible. The only thing that can be changed is the JMX port number.
The JMX endpoint is a custom one, thus not the default jmxrmi endpoint.
The JMX connection requires authentication.
Goal:
What I'd like to do is to deploy the Jolokia WAR file onto the Tomcat server and then configure it so that I can read the MBean attributes from the other web application.
I would code the client myself using Python (version 3) and the Requests HTTP library.
I've been reading through the Jolokia documentation (again, I'm a complete newbie at this point), but can't figure out if this would be possible or not (as I can't seem to find where to enter the JMX/RMI url or the authentication information).
Questions:
Can I use the WAR agent for this setup?
If not, can you please explain why (so I can understand, not because I don't believe you). Also, is there another agent that's more suited for this scenario?
If yes, can you point me in the right direction how to configure the Jolokia to the web application to connect to?
First of all, Jolokia bypasses the JSR-160 connector stuff completely, so there is no need for any JMX/RMI authentication. The whole purpose of Jolokia is to provide a bridge over HTTP/JSON to the internal JMX subsystem. Depending on the agent, you can secure Jolokia quite easily. For the WAR agent, securing is the same as for any Java EE web app: set up some roles and users for Tomcat (e.g. in tomcat-users.xml) and reference the role in the security constraints within the jolokia.war's /WEB-INF/web.xml.
To your questions:
Yes, you can. If you don't have any specific authentication needs, simply drop the jolokia.war into Tomcat's /webapps directory. I suggest trying this first before adding security. For uninstalling the agent, simply remove the war.
As an alternative, you could also use the JVM agent, which opens its own HTTP server on an extra port (default: 8778). More on this in the reference manual.
There is no need for a dedicated connection to the web app since MBeans are registered globally and are accessible from anywhere in the JVM. A webapp should of course select carefully the management information it exposes. So, there is no extra step needed and you can access the MBeans for the web app directly (except when it does something unusual with Java security, but I don't think so).
To test the installation, simply connect to the Tomcat with your browser and the context /jolokia (e.g. "http://localhost:8080/jolokia"). You should see the version information about the agent itself.
The next step would be to explore the JMX namespace, either with the browser (and the operation "list", like in http://localhost:8080/jolokia/list, but that's tedious) or with a client like j4psh or hawt.io. Hopefully you will find the MBeans of your webapp you are looking for.
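An added configuration example (not from the answer or from the Jolokia project) of the securing step described above: a Tomcat role and user in tomcat-users.xml, and the standard servlet security constraint in the WAR's /WEB-INF/web.xml that requires that role for every request to the agent. The role name, user name and realm name are assumptions; the two fragments belong in two different files.

```xml
<!-- conf/tomcat-users.xml: a role for the agent and one account that holds it (names assumed) -->
<tomcat-users>
  <role rolename="jolokia"/>
  <user username="monitor" password="CHANGE-ME" roles="jolokia"/>
</tomcat-users>

<!-- jolokia.war /WEB-INF/web.xml: deny anonymous access to every URL of the agent -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Jolokia agent</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>jolokia</role-name>
  </auth-constraint>
  <!-- BASIC auth sends the password base64-encoded, not encrypted: CONFIDENTIAL makes
       Tomcat redirect plain HTTP requests to its HTTPS connector before asking for it -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Jolokia</realm-name>
</login-config>
<security-role>
  <role-name>jolokia</role-name>
</security-role>
```

With this in place an unauthenticated GET of /jolokia/list returns 401, and the Python Requests client from the question passes the account with `auth=("monitor", password)`.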
I'm currently having 2 Weblogic admin servers in 2 different domains created on the same machine.
I want to convert one of the admin server to a managed server and then use them together to deploy a Java application. Is this feasible? If yes, how?
I'm currently using Weblogic Server 10.3.
PS: I'm quite new to Weblogic domain creation and administration. Please revert for any more details needed.
The simple answer is no, however, adding a managed server to a domain is extremely simple. See the documentation here. When deploying your application you'll need to target both servers or create a cluster (also very easy), add both machines to it and give the cluster name as the target.
Note, it is generally not considered best practice to target applications to the Admin server (although it's fine when you're developing on your local machine). If you have the resources available on your environment, you could create two managed servers and put them in a cluster. Depending on the configuration of your Admin server, you may be able to reduce its size if memory is tight.
I am developing a web app using Java/J2EE as middleware and MySQL 5.1 as the database. I have to deploy it on an AWS EC2 server.
My questions are:
How do I create the build?
How do I deploy on ec2 server?
I am using Apache Tomcat-6. Should I use any other server like Apache2 as web-server?
Use WTP to create a Dynamic Web Module project.
Use AWS Toolkit for Eclipse
That's pretty terse, but you'll need so many more details that it's pointless to list them here. Read the docs, then come back with specific questions :)
Whether you need Apache2 in front of Tomcat depends on your requirements. If you need it you'll know it :) Things that you might want to punt off on Apache2:
SSL
Static content
URL rewriting
If you are just planning to do everything manually, you should read this manual: http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/
Basically,
You need to create an AMI instance of the platform of your choice (Windows/Unix-based).
Configure it with the software that you need. In your case, Tomcat-6 and MySQL-5.1. Configure them. Set Schema etc.
Upload your WAR file to the instance and deploy to Tomcat-6.
Make sure Tomcat port (8080 or whatever you've configured) is open. You can configure this from AWS console's Security Group setting.
Use the instance's Public DNS to access your app. Public DNS can be found from AWS console.
There are many freely available, pre-configured AMIs. Since your setup is one of the most common ones, I am sure you will find one and can skip Step #2.
Right now I have the following architecture built with classic ASP and Visual Basic 6:
I have a COM+ component developed in VB6 which connects to the database. I set the DB configuration through a .udl file configured with integrated security.
At the web server (IIS) I register the component with the COM+ manager, and configure it to be run under an account name, something like mydomain\appAccount...
In SQL 2005 I give the appropriate permissions to mydomain\appAccount.
From ASP, I just use the component with server.createobject...
I'd like to develop a similar solution with java, the question(s) is(are) the following:
is it possible?
How can I configure a domain account to connect to a SQL Server 2005 DB?
where should I store the db conf? and where should I configure the domain account? in tomcat / jetty configuration?
I'd like the solution to be as simple and straight forward as possible (I'm trying to avoid things like glassfish or jboss)
well, thanks a lot...
What you'll need to do is make sure that the Tomcat JVM process is being executed by the user with the trusted connection to the database.
Then you'll need to configure the data source in Tomcat, per Bhushan's answer.
The following MSDN article details how you set up the data source to use integrated security:
http://msdn.microsoft.com/en-us/library/ms378428.aspx
So this is a real tough issue, and I'm going through the same problems right now. I haven't solved impersonation within an app server yet, but my team is getting close.
So far, we've been successful in authenticating a user against a Domain Controller with Kerberos. Both the SourceForge SPNEGO and Spring Security Kerberos Extension have been very helpful in that regard. We have also been able to successfully impersonate the process running a Java application when connecting to SQL Server. The real problem is impersonation via delegation, since it requires you to obtain a Kerberos ticket that can be delegated to another service. This is the issue we are currently working on.
If you are going to impersonate a user in SQL Server, you've got to do it using NTLM or Kerberos. Kerberos offers the best security, and to be quite honest, we haven't even bothered to try using NTLM. There are two JDBC drivers (that I know of) that will allow you to connect to SQL Server using a Domain account: jTDS and DataDirect JDBC. jTDS is a Type-2 JDBC driver, which means it relies on a native library to grab credentials for the user. jTDS will only impersonate the user running the process, and will not allow you to impersonate other accounts (also, it can only do this on Windows). The DataDirect driver (commercial) is a Type-4 driver, which means it's a pure Java implementation (and will work on *nix). This is the driver we are using and it's working great.
If I get a solution working, I'm going to post it because I think a lot of people in the community are hurting on this issue.
Good Luck!
Check this Tomcat documentation about how to configure a datasource:
http://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto.html
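As an added example (not from the answers, the Tomcat docs or the MSDN article) of the approach in the two answers above: a Tomcat 6 JNDI datasource that uses the Microsoft JDBC driver with integrated security, so the configuration holds no username or password and the Windows account that runs the Tomcat service is what SQL Server sees. The host, database and resource names are placeholders.

```xml
<!-- META-INF/context.xml of the web app (or conf/context.xml for all apps).
     No username/password attributes: integratedSecurity=true makes the driver log in as the
     Windows identity of the Tomcat process, which must be the account granted in SQL Server
     (the Java counterpart of the COM+ component running as mydomain\appAccount).
     On Windows this needs the driver's sqljdbc_auth.dll on java.library.path, e.g. in Tomcat's bin. -->
<Context>
  <Resource name="jdbc/AppDb"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
            url="jdbc:sqlserver://dbhost.example.com:1433;databaseName=AppDb;integratedSecurity=true"
            maxActive="20" maxIdle="5" maxWait="10000"/>
</Context>

<!-- WEB-INF/web.xml: declare the reference so the app can look up java:comp/env/jdbc/AppDb -->
<resource-ref>
  <res-ref-name>jdbc/AppDb</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
```

Run the Tomcat Windows service as the domain account, grant that account in SQL Server with `CREATE LOGIN [mydomain\appAccount] FROM WINDOWS;` and the database permissions it needs, and no credential ever lands in a config file.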