JBOSS EAP AMI OVERVIEW

SHADOW-SOFT, LLC

8302 DUNWOODY PL #100, ATLANTA, GA 30350

VERSION .

NOVEMBER ,

/ / JBoss EAP AMI O e ie

TABLE OF CONTENTS

I t odu io ............................................................................................................................................................................

Ope ai g S ste Defaults ......................................................................................................................................................

Use s / Pass o ds ...............................................................................................................................................................

SSH Co igu aio ...............................................................................................................................................................

Files ste Co igu aio .....................................................................................................................................................

SELi u Poli ......................................................................................................................................................................

SELi u Poli Status .......................................................................................................................................................

E a led Se i es ...............................................................................................................................................................

Fi e all Co igu aio .......................................................................................................................................................

E i o e t Va ia les ......................................................................................................................................................

JBoss EAP Defaults .............................................................................................................................................................

Ja a Ve sio .......................................................................................................................................................................

Default JVM Tu i g ...........................................................................................................................................................

Heap Size .......................................................................................................................................................................

Ga age Colle to Algo ith ........................................................................................................................................

Ne Size ........................................................................................................................................................................

Vault Co igu aio ...........................................................................................................................................................

Ke sto e .........................................................................................................................................................................

Vault ..............................................................................................................................................................................

Ad i Use a e / Pass o d ............................................................................................................................................

Po t Co igu aio .............................................................................................................................................................

JON Age t I stallaio .......................................................................................................................................................

Ope ai g Mode ................................................................................................................................................................

/ / JBoss EAP AMI O e ie

INTRODUCTION

This guide depi ts the o igu aio of Red Hat E te p ise Li u a d JBoss E te p ise Appli aio Plafo EAP i stalled o the AMI a aila le th ough the A azo Ma ketpla e. All ha ges des i ed e e ade to i p o e the se u it , pe fo a e a d s ala ilit of the p o ided e i o e t. The follo i g se io s ill des i e i detail all the ha ges. Refe e e i st u io s asso iated ith aki g ha ges to the default o igu aio ill p o ided ithi ea h

i di idual su atego .

/ / JBoss EAP AMI O e ie

OPERATING SYSTEM DEFAULTS

This dist i uio of JBoss EAP has ee deplo ed o Red Had E te p ise Li u . ith a aseli e pa kage i stallaio fo a i frastructure ser er. The follo i g se io s outli e the aseli e ope ai g s ste o igu aio s i luded ith this dist i uio .

USERS / PASSWORDS

The default use a ou t i luded ith the AMI is a ed ec2-user. B default, this a ou t does ot o tai a pass o d, has ee g a ted sudo p i ileges a d has ee autho ized fo SSH logi . To ake ha ges to this use a ou t, please efe to the usage of the pass d o a d.

The oot a ou t is u e tl disa led a d a ot e a essed ia SSH. To e a le the a ou t, please efe to the usage of the pass d o a d.

SSH CONFIGURATION

To SSH i to the i sta e, a SSH ke is e ui ed fo the spe iied use e -use a d a espe i e AWS se u it g oup ust e added to allo o e io s o po t f o ou u e t IP add ess. The SSH ke ill e p epopulated

AWS du i g i sta e eaio . Fo o e i fo aio o ho to dei e a AWS se u it g oup fo a agi g a ess, see the follo i g:

AWS: A azo EC Se u it G oups fo Li u I sta es

A pass o d is ot e ui ed fo SSH a ess. Fo o e i fo aio o ho to ake ha ges to these sei gs, see the follo i g:

Li u : sshd_ o ig - Li u a page

FILESYSTEM CONFIGURATION

The s ste as uilt o the GPT ile pa iio i g fo at ith a M oot pa iio . Upo deplo e t, the ile s ste ill auto-s ale the pa iio i g to at h the allo ated sto age spa e. This is a o plished th ough the usage of cloud-

i it, gro part a d gfdisk.

Fo o e i fo aio o ho to ake ha ges to these su -s ste s, efe to the follo i g do u e ts:

Cloud-i it

G o pa t

SELINUX POLICY

SELi u is e a led default. The follo i g ta le depi ts the list of poli ies hi h ha e ee e a led/disa led. To he k the status of ou s ste , please efe to the usage of the sestatus o a d.

SELINUX POLICY STATUS

Policy Booleans

abrt_anon_write off

abrt_handle_event off

abrt_upload_watch_anon_write on

/ / JBoss EAP AMI O e ie

antivirus_can_scan_system off

antivirus_use_jit off

auditadm_exec_content on

authlogin_nsswitch_use_ldap off

authlogin_radius off

authlogin_yubikey off

awstats_purge_apache_log_files off

boinc_execmem on

cdrecord_read_content off

cluster_can_network_connect off

cluster_manage_all_files off

cluster_use_execmem off

cobbler_anon_write off

cobbler_can_network_connect off

cobbler_use_cifs off

cobbler_use_nfs off

collectd_tcp_network_connect off

condor_tcp_network_connect off

conman_can_network off

cron_can_relabel off

cron_system_cronjob_use_shares off

cron_userdomain_transition on

cups_execmem off

cvs_read_shadow off

daemons_dump_core off

daemons_enable_cluster_mode off

daemons_use_tcp_wrapper off

daemons_use_tty off

/ / JBoss EAP AMI O e ie

dbadm_exec_content on

dbadm_manage_user_files off

dbadm_read_user_files off

deny_execmem off

deny_ptrace off

dhcpc_exec_iptables off

dhcpd_use_ldap off

domain_fd_use on

domain_kernel_load_modules off

entropyd_use_audio on

exim_can_connect_db off

exim_manage_user_files off

exim_read_user_files off

fcron_crond off

fenced_can_network_connect off

fenced_can_ssh off

fips_mode on

ftp_home_dir off

ftpd_anon_write off

ftpd_connect_all_unreserved off

ftpd_connect_db off

ftpd_full_access off

ftpd_use_cifs off

ftpd_use_fusefs off

ftpd_use_nfs off

ftpd_use_passive_mode off

git_cgi_enable_homedirs off

git_cgi_use_cifs off

/ / JBoss EAP AMI O e ie

git_cgi_use_nfs off

git_session_bind_all_unreserved_ports off

git_session_users off

git_system_enable_homedirs off

git_system_use_cifs off

git_system_use_nfs off

gitosis_can_sendmail off

glance_api_can_network off

glance_use_execmem off

glance_use_fusefs off

global_ssp off

gluster_anon_write off

gluster_export_all_ro off

gluster_export_all_rw on

gpg_web_anon_write off

gssd_read_tmp on

guest_exec_content on

haproxy_connect_any off

httpd_anon_write off

httpd_builtin_scripting on

httpd_can_check_spam off

httpd_can_connect_ftp off

httpd_can_connect_ldap off

httpd_can_connect_mythtv off

httpd_can_connect_zabbix off

httpd_can_network_connect off

httpd_can_network_connect_cobbler off

httpd_can_network_connect_db off

/ / JBoss EAP AMI O e ie

httpd_can_network_memcache off

httpd_can_network_relay off

httpd_can_sendmail off

httpd_dbus_avahi off

httpd_dbus_sssd off

httpd_dontaudit_search_dirs off

httpd_enable_cgi on

httpd_enable_ftp_server off

httpd_enable_homedirs off

httpd_execmem off

httpd_graceful_shutdown on

httpd_manage_ipa off

httpd_mod_auth_ntlm_winbind off

httpd_mod_auth_pam off

httpd_read_user_content off

httpd_run_ipa off

httpd_run_preupgrade off

httpd_run_stickshift off

httpd_serve_cobbler_files off

httpd_setrlimit off

httpd_ssi_exec off

httpd_sys_script_anon_write off

httpd_tmp_exec off

httpd_tty_comm off

httpd_unified off

httpd_use_cifs off

httpd_use_fusefs off

httpd_use_gpg off

/ / JBoss EAP AMI O e ie

httpd_use_nfs off

httpd_use_openstack off

httpd_use_sasl off

httpd_verify_dns off

icecast_use_any_tcp_ports off

irc_use_any_tcp_ports off

irssi_use_full_network off

kdumpgui_run_bootloader off

kerberos_enabled on

ksmtuned_use_cifs off

ksmtuned_use_nfs off

logadm_exec_content on

logging_syslogd_can_sendmail off

logging_syslogd_run_nagios_plugins off

logging_syslogd_use_tty on

login_console_enabled on

logrotate_use_nfs off

logwatch_can_network_connect_mail off

lsmd_plugin_connect_any off

mailman_use_fusefs off

mcelog_client off

mcelog_exec_scripts on

mcelog_foreground off

mcelog_server off

minidlna_read_generic_user_content off

mmap_low_allowed off

mock_enable_homedirs off

mount_anyfile on

/ / JBoss EAP AMI O e ie

mozilla_plugin_bind_unreserved_ports off

mozilla_plugin_can_network_connect off

mozilla_plugin_use_bluejeans off

mozilla_plugin_use_gps off

mozilla_plugin_use_spice off

mozilla_read_content off

mpd_enable_homedirs off

mpd_use_cifs off

mpd_use_nfs off

mplayer_execstack off

mysql_connect_any off

nagios_run_pnp4nagios off

nagios_run_sudo off

named_tcp_bind_http_port off

named_write_master_zones off

neutron_can_network off

nfs_export_all_ro on

nfs_export_all_rw on

nfsd_anon_write off

nis_enabled off

nscd_use_shm on

openshift_use_nfs off

openvpn_can_network_connect on

openvpn_enable_homedirs on

openvpn_run_unconfined off

pcp_bind_all_unreserved_ports off

pcp_read_generic_logs off

piranha_lvs_can_network_connect off

/ / JBoss EAP AMI O e ie

polipo_connect_all_unreserved off

polipo_session_bind_all_unreserved_ports off

polipo_session_users off

polipo_use_cifs off

polipo_use_nfs off

polyinstantiation_enabled off

postfix_local_write_mail_spool on

postgresql_can_rsync off

postgresql_selinux_transmit_client_label off

postgresql_selinux_unconfined_dbadm on

postgresql_selinux_users_ddl on

pppd_can_insmod off

pppd_for_user off

privoxy_connect_any on

prosody_bind_http_port off

puppetagent_manage_all_files off

puppetmaster_use_db off

racoon_read_shadow off

rsync_anon_write off

rsync_client off

rsync_export_all_ro off

rsync_full_access off

samba_create_home_dirs off

samba_domain_controller off

samba_enable_home_dirs off

samba_export_all_ro off

samba_export_all_rw off

samba_load_libgfapi off

/ / JBoss EAP AMI O e ie

samba_portmapper off

samba_run_unconfined off

samba_share_fusefs off

samba_share_nfs off

sanlock_use_fusefs off

sanlock_use_nfs off

sanlock_use_samba off

saslauthd_read_shadow off

secadm_exec_content on

secure_mode off

secure_mode_insmod off

secure_mode_policyload off

selinuxuser_direct_dri_enabled on

selinuxuser_execheap off

selinuxuser_execmod on

selinuxuser_execstack on

selinuxuser_mysql_connect_enabled off

selinuxuser_ping on

selinuxuser_postgresql_connect_enabled off

selinuxuser_rw_noexattrfile on

selinuxuser_share_music off

selinuxuser_tcp_server off

selinuxuser_udp_server off

selinuxuser_use_ssh_chroot off

sftpd_anon_write off

sftpd_enable_homedirs off

sftpd_full_access off

sftpd_write_ssh_home off

/ / JBoss EAP AMI O e ie

sge_domain_can_network_connect off

sge_use_nfs off

smartmon_3ware off

smbd_anon_write off

spamassassin_can_network off

spamd_enable_home_dirs on

squid_connect_any on

squid_use_tproxy off

ssh_chroot_rw_homedirs off

ssh_keysign off

ssh_sysadm_login off

staff_exec_content on

staff_use_svirt off

swift_can_network off

sysadm_exec_content on

telepathy_connect_all_ports off

telepathy_tcp_connect_generic_network_ports on

tftp_anon_write off

tftp_home_dir off

tmpreaper_use_nfs off

tmpreaper_use_samba off

tor_bind_all_unreserved_ports off

tor_can_network_relay off

unconfined_chrome_sandbox_transition on

unconfined_login on

unconfined_mozilla_plugin_transition on

unprivuser_use_svirt off

use_ecryptfs_home_dirs off

/ / JBoss EAP AMI O e ie

use_fusefs_home_dirs off

use_lpd_server off

use_nfs_home_dirs off

use_samba_home_dirs off

user_exec_content on

varnishd_connect_any off

virt_read_qemu_ga_data off

virt_rw_qemu_ga_data off

virt_sandbox_use_all_caps on

virt_sandbox_use_audit on

virt_sandbox_use_mknod off

virt_sandbox_use_netlink off

virt_sandbox_use_nfs off

virt_sandbox_use_samba off

virt_sandbox_use_sys_admin off

virt_transition_userdomain off

virt_use_comm off

virt_use_execmem off

virt_use_fusefs off

virt_use_nfs off

virt_use_rawip off

virt_use_samba off

virt_use_sanlock off

virt_use_usb on

virt_use_xserver off

webadm_manage_user_files off

webadm_read_user_files off

wine_mmap_zero_ignore off

/ / JBoss EAP AMI O e ie

xdm_bind_vnc_tcp_port off

xdm_exec_bootloader off

xdm_sysadm_login off

xdm_write_home off

xen_use_nfs off

xend_run_blktap on

xend_run_qemu on

xguest_connect_network on

xguest_exec_content on

xguest_mount_media on

xguest_use_bluetooth on

xserver_clients_write_xshm off

xserver_execmem off

xserver_object_manager off

zabbix_can_network off

zarafa_setrlimit off

zebra_write_config off

zoneminder_anon_write off

zoneminder_run_sudo off

Fo i fo aio o ho to ake SELi u poli ha ges, please efe to the follo i g:

Red Hat: RHEL : SELi u Use s a d Ad i ist ato s Guide

ENABLED SERVICES

The follo i g ta le depi ts the list of se i es hi h ha e ee e a led. To he k the status of ou s ste , efe to the usage of the s ste ctl o a d.

AMI Services State

UNIT STATE

abrt-ccpp.service enabled

/ / JBoss EAP AMI O e ie

abrt-oops.service enabled

abrt-vmcore.service enabled

abrt-xorg.service enabled

abrtd.service enabled

atd.service enabled

auditd.service enabled

brandbot.service static

chrony-dnssrv@.service static

chronyd.service enabled

cloud-config.service enabled

cloud-final.service enabled

cloud-init-local.service enabled

cloud-init.service enabled

container-getty@.service static

crond.service enabled

dbus-org.fedoraproject.FirewallD1.service enabled

dbus-org.freedesktop.hostname1.service static

dbus-org.freedesktop.locale1.service static

dbus-org.freedesktop.login1.service static

dbus-org.freedesktop.machine1.service static

dbus-org.freedesktop.network1.service invalid

/ / JBoss EAP AMI O e ie

dbus-org.freedesktop.timedate1.service static

dbus.service static

dmraid-activation.service enabled

dracut-cmdline.service static

dracut-initqueue.service static

dracut-mount.service static

dracut-pre-mount.service static

dracut-pre-pivot.service static

dracut-pre-trigger.service static

dracut-pre-udev.service static

dracut-shutdown.service static

emergency.service static

firewalld.service enabled

fprintd.service static

fstrim.service static

getty@.service enabled

halt-local.service static

initrd-cleanup.service static

initrd-parse-etc.service static

initrd-switch-root.service static

initrd-udevadm-cleanup-db.service static

/ / JBoss EAP AMI O e ie

irqbalance.service enabled

jbossas.service enabled

kdump.service enabled

kmod-static-nodes.service static

ldconfig.service static

libstoragemgmt.service enabled

lvm2-monitor.service enabled

lvm2-pvscan@.service static

mdadm-grow-continue@.service static

mdadm-last-resort@.service static

mdmon@.service static

mdmonitor.service enabled

messagebus.service static

microcode.service enabled

plymouth-switch-root.service static

polkit.service static

postfix.service enabled

quotaon.service static

rc-local.service static

rescue.service static

rhel-autorelabel-mark.service static

/ / JBoss EAP AMI O e ie

rhel-autorelabel.service static

rhel-configure.service static

rhel-import-state.service static

rhel-loadmodules.service static

rhel-readonly.service static

rhsmcertd.service enabled

rngd.service enabled

rsyncd@.service static

rsyslog.service enabled

smartd.service enabled

sshd-keygen.service static

sshd.service enabled

sshd@.service static

sysstat.service enabled

systemd-ask-password-console.service static

systemd-ask-password-plymouth.service static

systemd-ask-password-wall.service static

systemd-backlight@.service static

systemd-binfmt.service static

systemd-firstboot.service static

systemd-fsck-root.service static

/ / JBoss EAP AMI O e ie

systemd-fsck@.service static

systemd-halt.service static

systemd-hibernate-resume@.service static

systemd-hibernate.service static

systemd-hostnamed.service static

systemd-hwdb-update.service static

systemd-hybrid-sleep.service static

systemd-initctl.service static

systemd-journal-catalog-update.service static

systemd-journal-flush.service static

systemd-journald.service static

systemd-kexec.service static

systemd-localed.service static

systemd-logind.service static

systemd-machine-id-commit.service static

systemd-machined.service static

systemd-modules-load.service static

systemd-poweroff.service static

systemd-quotacheck.service static

systemd-random-seed.service static

systemd-readahead-collect.service enabled

/ / JBoss EAP AMI O e ie

systemd-readahead-done.service static

systemd-readahead-drop.service enabled

systemd-readahead-replay.service enabled

systemd-reboot.service static

systemd-remount-fs.service static

systemd-rfkill@.service static

systemd-shutdownd.service static

systemd-suspend.service static

systemd-sysctl.service static

systemd-timedated.service static

systemd-tmpfiles-clean.service static

systemd-tmpfiles-setup-dev.service static

systemd-tmpfiles-setup.service static

systemd-udev-settle.service static

systemd-udev-trigger.service static

systemd-udevd.service static

systemd-update-done.service static

systemd-update-utmp-runlevel.service static

systemd-update-utmp.service static

systemd-user-sessions.service static

systemd-vconsole-setup.service static

/ / JBoss EAP AMI O e ie

teamd@.service static

tuned.service enabled

Fo i fo aio o ho to ake ha ges to se i es, please efe to the follo i g:

Red Hat: RHEL : Ma agi g Se i es ith S ste D

FIREWALL CONFIGURATION

AWS a ages et o k a ess th ough the usage of se u it g oups. As su h, the ire alld se i e is disa led default. Fo o e i fo aio o ho to dei e a AWS se u it g oup fo a agi g a ess, see the follo i g:

AWS: A azo EC Se u it G oups fo Li u I sta es

ENVIRONMENT VARIABLES

As pa t of the i iial i stallaio , the follo i g e i o e t a ia les ha e ee dei ed i /et /e i o e t.

EAP_HOME = /opt/ h/eap / oot/us /sha e/ ildl

STANDALONE_SH = /opt/ h/eap / oot/us /sha e/ ildl / i /sta dalo e.sh

JBOSS_SERVICE = eap -sta dalo e

/ / JBoss EAP AMI O e ie

JBOSS EAP DEFAULTS

The follo i g se io s outli e the default s ste o igu aio s asso iated ith JBoss EAP a d Ja a.

JAVA VERSION

As pa t of this deplo e t, Ope JDK e sio . . _ has ee deplo ed a d o igu ed o the s ste . The pa kage as i stalled f o Red Hat’s RHEL Se e RPM Reposito . Fo i fo aio o the latest featu es i luded ith Ja a , please efe to the follo i g:

JDK Featu es

DEFAULT JVM TUNING

Pe fo a e tu i g is u i ue to ea h i stallaio e ause of i te al a d e te al fa to s. It is ot a goal ut a li al p o ess of pe fo a e o ito i g, o igu aio ha ges a d e ie . All the follo i g o igu aio s a e o ga ized a ou d est p a i es of heap sizi g a d a age e t.

HEAP SI)E

Heap sizes a e di ided i to sei g a app op iate i iial heap size -X s a d a a i u heap size -X . The follo i g ta le p o ides e a ples of e o sizes ased o i sta e t pes.

I sta ce Type CPU Me ory GB Heap Size GB

t .s all

. ediu .

t . ediu

.la ge .

t .la ge

. la ge + larger

GARBAGE COLLECTOR ALGORITHM

A Co u e t Colle to as used fo ga age olle io ased o ased p a i es a d e ha i g pe fo a e. Co u e t Colle to -XX:+UseCo Ma kS eepGC pe fo s ost of its o k o u e tl usi g a si gle ga age olle to th ead that u s ith the appli aio th eads si ulta eousl . It e a les the VM’s ostl o u e t ga age olle to . It also auto-e a les -XX:+UsePa Ne GC hi h e a les a uli-th eaded, ou g ge e aio ga age olle to .

NEW SI)E

Whe sei g -XX:Ma Ne Size ou eed to take i to a ou t that the ou g ge e aio is o l o e pa t of the heap a d that the la ge e hoose its size the s alle the old ge e aio ill e. Fo sta ilit easo s, it is ot allo ed to hoose a ou g ge e aio size la ge tha the old ge e aio , e ause i the o st ase it a e o e e essa fo

a GC to o e all o je ts f o the ou g ge e aio i to the old ge e aio . Thus -X / is a uppe ou d fo -XX:Ma Ne Size.

We egulate the e ge e aio size sei g the Ma Ne Size a d Ne Size e ual.

Fo o e i fo aio o ho a d he e to pe fo these o igu aio s, see the follo i g:

O a le: Tu i g JVMs

/ / JBoss EAP AMI O e ie

VAULT CONFIGURATION

KEYSTORE

Keysize Validity Storetype Keyalg Directory

da s JCEKS AES $EAP_HOME/ ault / ault.ke sto e

VAULT

Salt Ofset Value Iteraio Vault Directory Vault Co iguraio I fo Directory

a d $EAP_HOME/ ault/ $EAP_HOME/ ault/ ault.i fo

To ake ha ges to sto ed alues ithi ault, see Red Hat do u e taio .

ADMIN USERNAME / PASSWORD

The default ad i ist ai e use i luded ith this dist i uio is la eled ad i ith a pass o d e ual to the u e t i sta e ID. It is highl e o e ded that the pass o d e ha ged to a o e se u e e t usi g the add-user o a d.

Fo o e i fo aio o ho a d he e to pe fo these o igu aio s, see the follo i g li k:

Red Hat: Chapte Use Ma age e t

PORT CONFIGURATION

The default po ts of JBoss EAP a e apped as follo s:

Po t I te fa e Se i e

. . . Appli aio Se e

. . . Ma age e t Se e

. . . Ma age e t CLI

Fo i fo aio o ho to o igu e the so ket i di gs of JBoss EAP , see the follo i g:

Red Hat: Net o k a d Po t Co igu aio

JON AGENT INSTALLATION

If ou a e looki g to a age JBoss ith ou o op of JBoss ope aio s et o k, please efe to the follo i g fo i stallaio a d o igu aio i st u io s: Red Hat: JON . : Age t I stallaio

OPERATING MODE

JBoss i sta es a e u e tl u i g i sta dalo e ode. The asso iated o igu aio ile fo the i sta e is lo ated at $EAP_HOME/sta dalo e/sta dalo e. l.

Fo o e i fo aio o ho a d he e to pe fo these o igu aio s, see the follo i g:

Red Hat: Gei g Sta ted ith the Ma age e t CLI