000037236 - RSA Adaptive Authentication (on Premise) - Installation pre-requisites for Red Hat JBoss 6.4

Document created by RSA Customer Support Employee on Mar 8, 2019
Version 1

Article Content

Article Number: 000037236
Applies To:
RSA Product Set: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Platform: JBoss 6.4

Issue: This article explains the prerequisites that must be met before installing RSA Adaptive Authentication (On-Premise) 7.3 on Red Hat JBoss 6.4.

Resolution: Before installing RSA Adaptive Authentication (On-Premise) 7.3 on Red Hat JBoss 6.4, you must do the following:
  1. Install the database JDBC drivers as a module. For instructions, see the JBoss EAP 6 documentation.
  2. Configure the JVM memory settings in the JBOSS_HOME/bin/standalone.conf file to suit your deployment. The following is the minimum setting for JDK:
            JAVA_OPTS="-Xms1024m -Xmx1024m -XX:PermSize=512m -XX:MaxPermSize=1024m"
  3. Disable JSP tag pooling.
    1. In the JBOSS_HOME/standalone/configuration/standalone.xml file, locate the urn:jboss:domain:web:2.2 subsystem.
    2. Add the following lines of code:
       

                  <configuration>
                    <jsp-configuration tag-pooling="false"/>
                  </configuration>

       For example:

                  <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
                    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
                    <virtual-server name="default-host" enable-welcome-root="true">
                      <alias name="localhost"/>
                      <alias name="example.com"/>
                    </virtual-server>
                    <configuration>
                      <jsp-configuration tag-pooling="false"/>
                    </configuration>
                  </subsystem>

                    
  4. There is a performance issue on JBoss 6.4. To avoid the performance issue, do the following:
    1. In the JBOSS_HOME/standalone/configuration/standalone.xml file, locate the urn:jboss:domain:infinispan:1.5 subsystem section.
    2. From this section, delete or comment out the following lines:
       

                  <local-cache name="local-web" batching="true">
                  <file-store passivation="false" purge="false"/>
                  </local-cache>


       
      For more information about the issue, go to https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=974549.

       
  5. On JBoss EAP 6.4, if any time-out error occurs during the deployment, set blocking time-out in the JBOSS_HOME/bin/standalone.conf file. Add the following line of code to increase the server time-out:

    JAVA_OPTS="$JAVA_OPTS -Djboss.as.management.blocking.timeout=700"

  6. In the JBOSS_HOME/standalone/configuration/standalone.xml file, locate the urn:jboss:domain:datasources:1.2 subsystem, and add the following lines of code to the drivers section:

                <driver name="driver" module="module">
                  <datasource-class>datasource class</datasource-class>
                </driver>

    The following example is for Oracle Database.

                <drivers>
                  <driver name="h2" module="com.h2database.h2">
                    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                  </driver>
                  <driver name="oracle" module="com.oracle.jdbc">
                    <datasource-class>oracle.jdbc.OracleDriver</datasource-class>
                  </driver>
                </drivers>

                
  7. In the JBOSS_HOME/standalone/configuration/standalone.xml file, locate the urn:jboss:domain:security:1.2 subsystem, and in the datasources section, configure the datasources. For example:
                  

    <datasource jta="true" jndi-name="java:/jdbc/PassmarkToolDB" pool-name="BODB" enabled="true" use-ccm="true" statistics-enabled="false">
                    <connection-url>jdbc:oracle:thin:@XXXX:1521:orcl</connection-url>
                    <driver-class>oracle.jdbc.OracleDriver</driver-class>
                    <driver>oracle</driver>
                    <security>
                    <user-name>username</user-name>
                    <password>password</password>
                    </security>
                    <validation>
                    <validate-on-match>false</validate-on-match>
                    <background-validation>false</background-validation>
                    </validation>
                    <timeout>
                    <set-tx-query-timeout>false</set-tx-query-timeout>
                    <blocking-timeout-millis>0</blocking-timeout-millis>
                    <idle-timeout-minutes>0</idle-timeout-minutes>
                    <query-timeout>0</query-timeout>
                    <use-try-lock>0</use-try-lock>
                    <allocation-retry>0</allocation-retry>
                    <allocation-retry-wait-millis>0</allocation-retry-wait-millis>
                    </timeout>
                    <statement>
                    <share-prepared-statements>false</share-prepared-statements>
                    </statement>
                    </datasource>
                    <datasource jta="true" jndi-name="java:/jdbc/CMDB" pool-name="CMDB" enabled="true" use-ccm="true" statistics-enabled="false">
                    <connection-url>jdbc:oracle:thin:@xxxx:1521:orcl</connection-url>
                    <driver-class>oracle.jdbc.OracleDriver</driver-class>
                    <driver>oracle</driver>
                    <security>
                    <user-name>username</user-name>
                    <password>password</password>
                    </security>
                    <validation>
                    <validate-on-match>false</validate-on-match>
                    <background-validation>false</background-validation>
                    </validation>
                    <timeout>
                    <set-tx-query-timeout>false</set-tx-query-timeout>
                    <blocking-timeout-millis>0</blocking-timeout-millis>
                    <idle-timeout-minutes>0</idle-timeout-minutes>
                    <query-timeout>0</query-timeout>
                    <use-try-lock>0</use-try-lock>
                    <allocation-retry>0</allocation-retry>
                    <allocation-retry-wait-millis>0</allocation-retry-wait-millis>
                    </timeout>
                    <statement>
                    <share-prepared-statements>false</share-prepared-statements>
                    </statement>
                    </datasource>
                    <datasource jta="true" jndi-name="java:/jdbc/PassMarkDB" pool-name="COREDB" enabled="true" use-ccm="true"
                    statistics-enabled="false">
                    <connection-url>jdbc:oracle:thin:@xxxx:1521:orcl</connection-url>
                    <driver-class>oracle.jdbc.OracleDriver</driver-class>
                    <driver>oracle</driver>
                    <security>
                    <user-name>username</user-name>
                    <password>password</password>
                    </security>
                    <validation>
                    <validate-on-match>false</validate-on-match>
                    <background-validation>false</background-validation>
                    </validation>
                    <timeout>
                    <set-tx-query-timeout>false</set-tx-query-timeout>
                    <blocking-timeout-millis>0</blocking-timeout-millis>
                    <idle-timeout-minutes>0</idle-timeout-minutes>
                    <query-timeout>0</query-timeout>
                    <use-try-lock>0</use-try-lock>
                    <allocation-retry>0</allocation-retry>
                    <allocation-retry-wait-millis>0</allocation-retry-wait-millis>
                    </timeout>
                    <statement>
                    <share-prepared-statements>false</share-prepared-statements>
                    </statement>
                    </datasource>


    Note: Include the following datasource only if you are installing the RDP Trojan Protection application.
     

    <datasource jta="true" jndi-name="java:/jdbc/TrojanDB" pool-name="TrojanDB"
                    enabled="true" use-ccm="true" statistics-enabled="false">
                    <connection-url>jdbc:oracle:thin:@xxxxx:orcl</connection-url>
                    <driver-class>oracle.jdbc.OracleDriver</driver-class>
                    <driver>oracle</driver>
                    <security>
                    <user-name>username</user-name>
                    <password>password</password>
                    </security>
                    <validation>
                    <validate-on-match>false</validate-on-match>
                    <background-validation>false</background-validation>
                    </validation>
                    <timeout>
                    <set-tx-query-timeout>false</set-tx-query-timeout>
                    <blocking-timeout-millis>0</blocking-timeout-millis>
                    <idle-timeout-minutes>0</idle-timeout-minutes>
                    <query-timeout>0</query-timeout>
                    <use-try-lock>0</use-try-lock>
                    <allocation-retry>0</allocation-retry>
                    <allocation-retry-wait-millis>0</allocation-retry-wait-millis>
                    </timeout>
                    <statement>
                    <share-prepared-statements>false</share-prepared-statements>
                    </statement>
                    </datasource>

            
    Note: The user name and password should be the application user name and password that you provided during installation.
  8. In the JBOSS_HOME/standalone/configuration/standalone.xml file, configure a security domain with the name “aaop-webapps.” Locate the urn:jboss:domain:security:1.2 subsystem, and add the following lines of code to the security-domains section:

    <security-domain name="aaop-webapps" cache-type="default">
                    <authentication>
                    <login-module code="Remoting"
                    flag="optional">
                    <module-option
                    name="password-stacking" value="useFirstPass"/>
                    </login-module>
                    <login-module code="RealmDirect"
                    flag="required">
                    <module-option
                    name="password-stacking" value="useFirstPass"/>
                    </login-module>
                    </authentication>
                    </security-domain>

                    
  9. In the JBOSS_HOME/standalone/configuration/standalone.xml file, configure a work manager.
    1. Locate the urn:jboss:domain:jca:1.1 subsystem, and add a new work manager with the name “OfflineTaskThreadPool,” as follows:
       

      <workmanager name="OfflinetaskThreadPool">
              <short-running-threads
              allow-core-timeout="false">
              <core-threads count="50"/>
              <queue-length count="7000"/>
              <max-threads count="100"/>
              <keepalive-time time="60000"
              unit="seconds"/>
              </short-running-threads>
              </workmanager>

       
    2. Add a new BootstrapContext key named “CREOfflineTaskThreadPool” for the newly created OfflineTaskThreadPool work manager by adding the following lines of code immediately after the OfflineTaskThreadPool work manager configuration:
       

      <bootstrap-contexts>
        <bootstrap-context name="CREOfflineTaskThreadPool" workmanager="OfflinetaskThreadPool"/>
      </bootstrap-contexts>

    3. Locate the urn:jboss:domain:jca:1.1 subsystem, and create two entries for the resource adapter, as per the following sample:

      <subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
        <resource-adapters>
          <resource-adapter id="defaultWM">
            <archive>wm_resource_adapter.rar</archive>
            <transaction-support>NoTransaction</transaction-support>
            <connection-definitions>
              <connection-definition
                class-name="com.rsa.resourceadapter.workmanager.adapter.WMManagedConnectionFactory"
                jndi-name="java:/defaultWM/WMConnectionFactory"
                pool-name="java:/defaultWM/WMConnectionFactory"/>
            </connection-definitions>
          </resource-adapter>
          <resource-adapter id="OTTPWM">
            <archive>wm_resource_adapter.rar</archive>
            <bootstrap-context>CREOfflineTaskThreadPool</bootstrap-context>
            <transaction-support>NoTransaction</transaction-support>
            <connection-definitions>
              <connection-definition
                class-name="com.rsa.resourceadapter.workmanager.adapter.WMManagedConnectionFactory"
                jndi-name="java:/OTTPWM/WMConnectionFactory"
                pool-name="java:/OTTPWM/WMConnectionFactory"/>
            </connection-definitions>
          </resource-adapter>
        </resource-adapters>
      </subsystem>

       
       
        Note: Do not change the JNDI names java:/defaultWM/WMConnectionFactory and java:/OTTPWM/WMConnectionFactory. Use the names as is.
  10. Configure BSAFE CryptoJ as a Java security provider. In the JAVA_HOME/JRE/lib/security/java.security file of the JRE, add the following line:

    security.provider.x=com.rsa.jsafe.provider.JsafeJCE

  11. In the JBOSS_HOME/modules/system/layers/base/sun/jdk/main/module.xml file, add the following tag in the Paths section:

    <path name="sun/security/acl"/>

            
  12. Before you deploy the web applications, do the following:
    1. In the artifacts/webapps directory, from any <WebApp>/WEB-INF/lib location, copy hibernate-jpa-2.1-api-1.0.0.Final.jar to <App-Server-Location>/modules/system/layers/base/javax/persistence/api/main.
    2. In the <App-Server-Location>/modules/system/layers/base/javax/persistence/api/main directory, update the module.xml file as follows:
       

      <resources>
              <resource-root path="hibernate-jpa-2.1-api-1.0.0.Final.jar"/>
              </resources>        

       
  • For JBoss 6.4, in the standalone.xml file, remove the following code:
    – <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
    – <extension module="org.jboss.as.jaxrs"/>
  • Because of an issue with the Red Hat JBoss application server, the ws credentials for AdaptiveAuthentication and AdaptiveAuthenticationAdmin cannot be saved for the Administration Console application.
  • The error “Failed to initialize the context: unable to generate key for seed:” is logged in aa_server.log
Workaround: Run the server with the jboss.vfs.forceVfsJar property set to true. For more information, see the issue JBAS-7882, “Wrong provider code base for security provider included in packed ear” on the Red Hat JBoss website.
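
A pre-deployment check for the standalone.xml edits listed above, as an added Python example (not part of the RSA article and not RSA or Red Hat tooling). The function names and the cut-down sample are constructed for illustration; the sample spells the work manager name two ways, as the article's prose and its snippet do, to show how the bootstrap context check catches a case mismatch.

```python
import xml.etree.ElementTree as ET

REQUIRED_JNDI = {"java:/defaultWM/WMConnectionFactory", "java:/OTTPWM/WMConnectionFactory"}

def named(root, name):
    """Elements with this local name, whatever subsystem namespace they sit in."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_standalone(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root, out = ET.fromstring(xml_text), []
    if not any(e.get("tag-pooling") == "false" for e in named(root, "jsp-configuration")):
        out.append("JSP tag pooling is not disabled")
    if any(e.get("name") == "local-web" for e in named(root, "local-cache")):
        out.append("local-web cache is still defined")
    if not any(e.get("name") == "aaop-webapps" for e in named(root, "security-domain")):
        out.append("security domain aaop-webapps is missing")
    # The bootstrap context must name a work manager that exists (case-sensitive match).
    managers = {e.get("name") for e in named(root, "workmanager")}
    ctx = [e for e in named(root, "bootstrap-context") if e.get("name") == "CREOfflineTaskThreadPool"]
    if not ctx:
        out.append("bootstrap context CREOfflineTaskThreadPool is missing")
    elif ctx[0].get("workmanager") not in managers:
        out.append("bootstrap context points at an undefined work manager")
    jndi = {e.get("jndi-name") for e in named(root, "connection-definition")}
    out += ["resource adapter JNDI name missing: " + n for n in sorted(REQUIRED_JNDI - jndi)]
    if any(e.get("module") == "org.jboss.as.jaxrs" for e in named(root, "extension")):
        out.append("jaxrs extension is still loaded")
    if root.find(".//{urn:jboss:domain:jaxrs:1.0}subsystem") is not None:
        out.append("jaxrs subsystem is still present")
    return out

# Constructed sample, cut down to the elements the checks read (not a full standalone.xml).
SAMPLE = """<server>
 <extensions><extension module="org.jboss.as.jaxrs"/></extensions>
 <subsystem xmlns="urn:jboss:domain:jca:1.1">
  <workmanager name="OfflineTaskThreadPool"/>
  <bootstrap-contexts>
   <bootstrap-context name="CREOfflineTaskThreadPool" workmanager="OfflinetaskThreadPool"/>
  </bootstrap-contexts>
 </subsystem>
 <subsystem xmlns="urn:jboss:domain:resource-adapters:1.1"><resource-adapters>
  <resource-adapter id="defaultWM"><connection-definitions>
   <connection-definition jndi-name="java:/defaultWM/WMConnectionFactory"/>
  </connection-definitions></resource-adapter></resource-adapters></subsystem>
</server>"""

if __name__ == "__main__":
    print("\n".join(check_standalone(SAMPLE)))
```
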
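
The `x` in `security.provider.x` has to be the next unused index, because the JDK reads the provider entries in sequence from 1 and stops at the first missing number. The following added Python example (not from the RSA article) reports whether JsafeJCE would actually be loaded from a given java.security file; the function name and the sample file content are constructed for illustration.

```python
import re

JSAFE = "com.rsa.jsafe.provider.JsafeJCE"
# Matches active entries only; lines starting with '#' are comments and are skipped.
PROVIDER_RE = re.compile(r"^[ \t]*security\.provider\.(\d+)[ \t]*=[ \t]*(\S+)", re.M)

def provider_report(text):
    """Summarise the security.provider.N entries of a java.security file."""
    entries, duplicates = {}, []
    for num, cls in PROVIDER_RE.findall(text):
        if int(num) in entries:
            duplicates.append(int(num))
        entries[int(num)] = cls  # as in any properties file, the last definition wins
    # The JDK loads providers 1, 2, 3, ... and stops at the first index with no entry.
    nxt = 1
    while nxt in entries:
        nxt += 1
    return {
        "next_index": nxt,
        "jsafe_loaded": JSAFE in [entries[i] for i in range(1, nxt)],
        "unreachable": sorted(i for i in entries if i > nxt),
        "duplicates": duplicates,
    }

# Constructed sample: provider 4 is commented out, leaving a gap before entry 5.
SAMPLE = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
#security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=com.rsa.jsafe.provider.JsafeJCE
"""

if __name__ == "__main__":
    print(provider_report(SAMPLE))
```
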
