Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Administration: Basic Administration Oracle Solaris 10 1/13 Information Library |
1. Oracle Solaris Management Tools (Road Map)
2. Working With the Solaris Management Console (Tasks)
3. Working With the Oracle Java Web Console (Tasks)
What's New in Administering the Oracle Java Web Console?
Oracle Java Web Console Server Management
Applications That Are Available to the Oracle Java Web Console
Oracle Java Web Console (Overview)
What Is the Oracle Java Web Console?
Oracle Java Web Console Management Commands
Getting Started With the Oracle Java Web Console (Task Map)
Getting Started With the Oracle Java Web Console
How to Start Applications From the Oracle Java Web Console's Launch Page
How to Start the Console Service
How to Enable the Console Service to Run at System Start
How to Stop the Console Service
How to Disable the Console Service
Configuring the Oracle Java Web Console
How to Change Oracle Java Web Console Properties
Oracle Java Web Console User Identity
Using the Console Debug Trace Log
Troubleshooting the Oracle Java Web Console Software (Task Map)
Troubleshooting the Oracle Java Web Console Software
Checking Console Status and Properties
How to Check if the Console is Running and Enabled
How to List Console Resources and Properties
Problems Accessing the Console
Problems with Application Registration
How to Determine if an Application is a Legacy Application
How to List Deployed Applications
How to Register a Legacy Application With the Oracle Java Web Console
How to Unregister a Legacy Application From the Oracle Java Web Console
How to Register a Current Application With the Oracle Java Web Console
How to Unregister a Current Application from the Oracle Java Web Console
Oracle Java Web Console Reference Information
Oracle Java Web Console Security Considerations
Access to the Oracle Java Web Console
Access to Applications in the Oracle Java Web Console
Application Access to Remote Systems
Internal Passwords That Are Used in the Console
Specifying Authorizations With the authTypes Tag
Enabling Remote Access to the Oracle Java Web Console
How to Enable Remote Access to the Oracle Java Web Console
Disabling Remote Access to the Oracle Java Web Console
How to Disable Remote Access to the Oracle Java Web Console
4. Managing User Accounts and Groups (Overview)
5. Managing User Accounts and Groups (Tasks)
6. Managing Client-Server Support (Overview)
7. Managing Diskless Clients (Tasks)
8. Introduction to Shutting Down and Booting a System
9. Shutting Down and Booting a System (Overview)
10. Shutting Down a System (Tasks)
11. Modifying Oracle Solaris Boot Behavior (Tasks)
12. Booting an Oracle Solaris System (Tasks)
13. Managing the Oracle Solaris Boot Archives (Tasks)
14. Troubleshooting Booting an Oracle Solaris System (Tasks)
15. x86: GRUB Based Booting (Reference)
16. x86: Booting a System That Does Not Implement GRUB (Tasks)
17. Working With Oracle Configuration Manager
18. Managing Services (Overview)
20. Managing Software (Overview)
21. Managing Software With Oracle Solaris System Administration Tools (Tasks)
22. Managing Software by Using Oracle Solaris Package Commands (Tasks)
This reference section includes the following topics:
There are several security considerations to keep in mind when you use applications that are in the Oracle Java Web Console.
These security considerations include the following:
Access to the Oracle Java Web Console – Whether you can connect to the console through a browser.
Access to applications – Whether you can see a particular application in the Oracle Java Web Console's launch page.
Application permissions – The levels of permissions that you must have to run parts or all of an application.
Application access to remote systems – How security credentials relate to remote systems.
Internal passwords used in the console - Changing the default passwords that are used internally in the console, starting with the Solaris 10 11/06 release.
Permissions to the web console launcher application are usually open so that any valid user can log in. However, you can restrict access to the console by specifying the rights in the authTypes tag in the web console's app.xml file, which is located in the /usr/share/webconsole/webapps/console/WEB-INF directory. For more information, see Specifying Authorizations With the authTypes Tag.
Some system configurations are set up to be very secure, so that attempts to connect from a remote system to the URLs of the console or registered applications are refused. If your system is configured to prevent remote access, when you try to access the console as https://hostname.domain:6789, your browser displays a message such as:
Connect to hostname.domain:6789 failed (Connection refused)
The SMF profile in effect on the system might be restricting access. See SMF Profiles for more information about profiles. See Enabling Remote Access to the Oracle Java Web Console for a procedure to allow access to the console from remote systems.
After you successfully log in to the web console, you might not automatically have access to all of the applications that are registered in that console. Typically, applications are installed so that all users can see them in the console launch page. As an administrator, you can grant and restrict access to applications.
To restrict access to an application, specify the rights in the authTypes tag, which is in the application's app.xml file. You can find the application's app.xml file in the installation-location/WEB-INF/ subdirectory. Typically, this directory would be located in /usr/share/webconsole/webapps/ app-context-name/WEB-INF.
If the application files are not in the usual location, you can locate the files by using the following command:
wcadmin list --detail -a
This command lists each deployed application, showing when it was deployed and the path to the application's base directory. The app.xml file is located in the subdirectory WEB-INF within the base directory.
For more information, see Specifying Authorizations With the authTypes Tag.
If you can see an application's link on the Oracle Java Web Console's launch page, you can run that application. However, an application might make additional authorization checks based upon the authenticated user or role identity. These checks are not controlled by the authTypes tag, but are explicitly coded into the application itself. For example, an application might grant read access to all authenticated users, but restrict update access to a few users or a few roles.
Having all the appropriate credentials does not guarantee that you can use an application to manage every system within the application's scope of operation. Each system that you administer by using the Oracle Java Web Console application has its own security domain. Having read-and-write permissions on the web console system does not guarantee that those credentials are automatically sufficient to administer any other remote system.
In general, access to remote systems depends on how the security is implemented in the web application. Typically, web applications make calls to agents that perform actions on behalf of the applications. These applications must be authenticated by the agents based on their web console credentials and the credentials by which they are known on the agent system. Depending upon how this agent authentication is done, an authorization check might also be made on the agent itself, based upon this authenticated identity.
For example, in web applications that use remote WBEM agents, authentication typically uses the user or role identity that initially authenticated to the Oracle Java Web Console. If this authentication fails on that agent system, access to that system is denied in the web application. If authentication succeeds on that agent system, access might still be denied if the agent makes an access control check and denies access there. Most applications are written so that the authentication and authorization checks on the agent never fail if you have been successfully authenticated on the web console and assumed the correct role.
Starting with the Solaris 10 11/06 release, the Oracle Java Web Console uses several password-protected internal user names to perform administrative tasks on the underlying web server, and to encrypt key store and trust store files. The passwords are set to initial values to enable the console to be installed. To reduce the possibility of a security breach, you should change the passwords after installation. See Changing Internal Passwords for Oracle Java Web Console
While most system management web applications do not require any administrator intervention to use the authTypes tag, in some cases, you might need to change the values of this tag. The authTypes tag contains a set of information that describes the level of authorization that is required for a user to view an application in the Oracle Java Web Console. The web console determines if a user is authorized to see a particular application, based on the authorization requirements in the application's app.xml file. Each application can determine whether a user must have proper authorization to run the application. This determination might be made as part of the application installation process. Or, you might need to supply the information, depending on your own security requirements. The product documentation for the application should contain the information that is necessary to determine whether you need to specify a particular permission.
You can nest several authType tags within the authTypes tag.
The authTypes tag must contain at least one authType tag that provides the following necessary information:
Type of authorization check to perform
Permission subclass name
Parameters that are required to instantiate the Permission subclass
In the following example, the authType tag has one attribute, name. The required name attribute is the name of the authorization service type. Different authorization types might require different values for the classType and permissionParam tags.
<authTypes> <authType name="SolarisRbac"> <classType> com.sun.management.solaris.RbacPermission </classType> <permissionParam name="permission"> solaris.admin.serialmgr.read </permissionParam> </authType> </authTypes>
The following table shows the tags that can be nested within an authType tag.
Table 3-1 Nested authType Tags
|
The authTypes tag and nested authType tags are required elements in the app.xml file. If you want to register an application that is available to anyone, specify the authType tag with no content, as shown in the following example.
<authTypes> <authType name=""> <classType></classType> <permissionParam name=""></permissionParam> </authType> </authTypes>
If you can only connect to the console by logging into the system that is running the console, and then using the URL, https://localhost:6789, the system is using a configuration that prevents remote access. Starting with the Solaris 10 11/06 release, you can enable remote access only to the console, while leaving the other access restrictions in place, by using the following procedure:
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
# svccfg -s svc:/system/webconsole setprop options/tcp_listen = true # smcwebserver restart
You can prevent users from connecting to the console from remote systems. Starting with the Solaris 10 11/06 release, you can disable remote access only to the console, while leaving the other access permissions in place, by using the following procedure:
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
# svccfg -s svc:/system/webconsole setprop options/tcp_listen = false # smcwebserver restart
After the restart the console now only responds to a browser on the same system as the console server process. You cannot use a proxy in the browser, only a direct connection. You can also use the https://localhost:6789/ URL to access the console.
Starting with the Solaris 10 11/06 release, the console uses some internal user names and passwords. The console's internal user names and passwords are used only by the console framework, and are never used directly by a user or system administrator. However, if the passwords were known, a malicious user could potentially interfere with the console applications. To reduce the possibility of such a security breach, you should change the passwords. You do not need to remember the new passwords, because the software uses them invisibly.
The passwords are known as the administrative password, keystore password, and truststore password. You do not need to know the default initial values in order to change the passwords. This procedure explains how to change all three passwords with separate commands.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
# wcadmin password -a
You are prompted to enter the new password twice. The password should be 8 to 32 characters.
# wcadmin password -k
You are prompted to enter the new password twice. The password should be 8 to 32 characters.
# wcadmin password -t
You are prompted to enter the new password twice. The password should be 8 to 32 characters.