JBoss EAP 7 AMI Overview - Shadow-Soft, November 2, 2016
JBOSS EAP AMI OVERVIEW
SHADOW-SOFT, LLC
8302 DUNWOODY PL #100, ATLANTA, GA 30350
VERSION .
NOVEMBER 2, 2016
11/2/2016 JBoss EAP 7 AMI Overview
TABLE OF CONTENTS
Introduction
Operating System Defaults
    Users / Passwords
    SSH Configuration
    Filesystem Configuration
    SELinux Policy
        SELinux Policy Status
    Enabled Services
    Firewall Configuration
    Environment Variables
JBoss EAP Defaults
    Java Version
    Default JVM Tuning
        Heap Size
        Garbage Collector Algorithm
        New Size
    Vault Configuration
        Keystore
        Vault
    Admin Username / Password
    Port Configuration
    JON Agent Installation
    Operating Mode
INTRODUCTION
This guide depicts the configuration of Red Hat Enterprise Linux and JBoss Enterprise Application Platform (EAP) installed on the AMI available through the Amazon Marketplace. All changes described were made to improve the security, performance and scalability of the provided environment. The following sections describe all the changes in detail. Reference instructions associated with making changes to the default configuration will be provided within each individual subcategory.
OPERATING SYSTEM DEFAULTS
This distribution of JBoss EAP has been deployed on Red Hat Enterprise Linux . with a baseline package installation for an infrastructure server. The following sections outline the baseline operating system configurations included with this distribution.
USERS / PASSWORDS
The default user account included with the AMI is named ec2-user. By default, this account does not contain a password, has been granted sudo privileges and has been authorized for SSH login. To make changes to this user account, please refer to the usage of the passwd command.
The root account is currently disabled and cannot be accessed via SSH. To enable the account, please refer to the usage of the passwd command.
SSH CONFIGURATION
To SSH into the instance, an SSH key is required for the specified user (ec2-user) and a respective AWS security group must be added to allow connections on the SSH port from your current IP address. The SSH key will be prepopulated by AWS during instance creation. For more information on how to define an AWS security group for managing access, see the following:
AWS: Amazon EC2 Security Groups for Linux Instances
A password is not required for SSH access. For more information on how to make changes to these settings, see the following:
Linux: sshd_config - Linux man page
FILESYSTEM CONFIGURATION
The system was built on the GPT file partitioning format with a M boot partition. Upon deployment, the file system will auto-scale the partitioning to match the allocated storage space. This is accomplished through the usage of cloud-init, growpart and gfdisk.
For more information on how to make changes to these sub-systems, refer to the following documents:
Cloud-init
Growpart
SELINUX POLICY
SELinux is enabled by default. The following table depicts the list of policies which have been enabled/disabled. To check the status of your system, please refer to the usage of the sestatus command.
SELINUX POLICY STATUS
Policy Booleans
abrt_anon_write off
abrt_handle_event off
abrt_upload_watch_anon_write on
antivirus_can_scan_system off
antivirus_use_jit off
auditadm_exec_content on
authlogin_nsswitch_use_ldap off
authlogin_radius off
authlogin_yubikey off
awstats_purge_apache_log_files off
boinc_execmem on
cdrecord_read_content off
cluster_can_network_connect off
cluster_manage_all_files off
cluster_use_execmem off
cobbler_anon_write off
cobbler_can_network_connect off
cobbler_use_cifs off
cobbler_use_nfs off
collectd_tcp_network_connect off
condor_tcp_network_connect off
conman_can_network off
cron_can_relabel off
cron_system_cronjob_use_shares off
cron_userdomain_transition on
cups_execmem off
cvs_read_shadow off
daemons_dump_core off
daemons_enable_cluster_mode off
daemons_use_tcp_wrapper off
daemons_use_tty off
dbadm_exec_content on
dbadm_manage_user_files off
dbadm_read_user_files off
deny_execmem off
deny_ptrace off
dhcpc_exec_iptables off
dhcpd_use_ldap off
domain_fd_use on
domain_kernel_load_modules off
entropyd_use_audio on
exim_can_connect_db off
exim_manage_user_files off
exim_read_user_files off
fcron_crond off
fenced_can_network_connect off
fenced_can_ssh off
fips_mode on
ftp_home_dir off
ftpd_anon_write off
ftpd_connect_all_unreserved off
ftpd_connect_db off
ftpd_full_access off
ftpd_use_cifs off
ftpd_use_fusefs off
ftpd_use_nfs off
ftpd_use_passive_mode off
git_cgi_enable_homedirs off
git_cgi_use_cifs off
git_cgi_use_nfs off
git_session_bind_all_unreserved_ports off
git_session_users off
git_system_enable_homedirs off
git_system_use_cifs off
git_system_use_nfs off
gitosis_can_sendmail off
glance_api_can_network off
glance_use_execmem off
glance_use_fusefs off
global_ssp off
gluster_anon_write off
gluster_export_all_ro off
gluster_export_all_rw on
gpg_web_anon_write off
gssd_read_tmp on
guest_exec_content on
haproxy_connect_any off
httpd_anon_write off
httpd_builtin_scripting on
httpd_can_check_spam off
httpd_can_connect_ftp off
httpd_can_connect_ldap off
httpd_can_connect_mythtv off
httpd_can_connect_zabbix off
httpd_can_network_connect off
httpd_can_network_connect_cobbler off
httpd_can_network_connect_db off
httpd_can_network_memcache off
httpd_can_network_relay off
httpd_can_sendmail off
httpd_dbus_avahi off
httpd_dbus_sssd off
httpd_dontaudit_search_dirs off
httpd_enable_cgi on
httpd_enable_ftp_server off
httpd_enable_homedirs off
httpd_execmem off
httpd_graceful_shutdown on
httpd_manage_ipa off
httpd_mod_auth_ntlm_winbind off
httpd_mod_auth_pam off
httpd_read_user_content off
httpd_run_ipa off
httpd_run_preupgrade off
httpd_run_stickshift off
httpd_serve_cobbler_files off
httpd_setrlimit off
httpd_ssi_exec off
httpd_sys_script_anon_write off
httpd_tmp_exec off
httpd_tty_comm off
httpd_unified off
httpd_use_cifs off
httpd_use_fusefs off
httpd_use_gpg off
httpd_use_nfs off
httpd_use_openstack off
httpd_use_sasl off
httpd_verify_dns off
icecast_use_any_tcp_ports off
irc_use_any_tcp_ports off
irssi_use_full_network off
kdumpgui_run_bootloader off
kerberos_enabled on
ksmtuned_use_cifs off
ksmtuned_use_nfs off
logadm_exec_content on
logging_syslogd_can_sendmail off
logging_syslogd_run_nagios_plugins off
logging_syslogd_use_tty on
login_console_enabled on
logrotate_use_nfs off
logwatch_can_network_connect_mail off
lsmd_plugin_connect_any off
mailman_use_fusefs off
mcelog_client off
mcelog_exec_scripts on
mcelog_foreground off
mcelog_server off
minidlna_read_generic_user_content off
mmap_low_allowed off
mock_enable_homedirs off
mount_anyfile on
mozilla_plugin_bind_unreserved_ports off
mozilla_plugin_can_network_connect off
mozilla_plugin_use_bluejeans off
mozilla_plugin_use_gps off
mozilla_plugin_use_spice off
mozilla_read_content off
mpd_enable_homedirs off
mpd_use_cifs off
mpd_use_nfs off
mplayer_execstack off
mysql_connect_any off
nagios_run_pnp4nagios off
nagios_run_sudo off
named_tcp_bind_http_port off
named_write_master_zones off
neutron_can_network off
nfs_export_all_ro on
nfs_export_all_rw on
nfsd_anon_write off
nis_enabled off
nscd_use_shm on
openshift_use_nfs off
openvpn_can_network_connect on
openvpn_enable_homedirs on
openvpn_run_unconfined off
pcp_bind_all_unreserved_ports off
pcp_read_generic_logs off
piranha_lvs_can_network_connect off
polipo_connect_all_unreserved off
polipo_session_bind_all_unreserved_ports off
polipo_session_users off
polipo_use_cifs off
polipo_use_nfs off
polyinstantiation_enabled off
postfix_local_write_mail_spool on
postgresql_can_rsync off
postgresql_selinux_transmit_client_label off
postgresql_selinux_unconfined_dbadm on
postgresql_selinux_users_ddl on
pppd_can_insmod off
pppd_for_user off
privoxy_connect_any on
prosody_bind_http_port off
puppetagent_manage_all_files off
puppetmaster_use_db off
racoon_read_shadow off
rsync_anon_write off
rsync_client off
rsync_export_all_ro off
rsync_full_access off
samba_create_home_dirs off
samba_domain_controller off
samba_enable_home_dirs off
samba_export_all_ro off
samba_export_all_rw off
samba_load_libgfapi off
samba_portmapper off
samba_run_unconfined off
samba_share_fusefs off
samba_share_nfs off
sanlock_use_fusefs off
sanlock_use_nfs off
sanlock_use_samba off
saslauthd_read_shadow off
secadm_exec_content on
secure_mode off
secure_mode_insmod off
secure_mode_policyload off
selinuxuser_direct_dri_enabled on
selinuxuser_execheap off
selinuxuser_execmod on
selinuxuser_execstack on
selinuxuser_mysql_connect_enabled off
selinuxuser_ping on
selinuxuser_postgresql_connect_enabled off
selinuxuser_rw_noexattrfile on
selinuxuser_share_music off
selinuxuser_tcp_server off
selinuxuser_udp_server off
selinuxuser_use_ssh_chroot off
sftpd_anon_write off
sftpd_enable_homedirs off
sftpd_full_access off
sftpd_write_ssh_home off
sge_domain_can_network_connect off
sge_use_nfs off
smartmon_3ware off
smbd_anon_write off
spamassassin_can_network off
spamd_enable_home_dirs on
squid_connect_any on
squid_use_tproxy off
ssh_chroot_rw_homedirs off
ssh_keysign off
ssh_sysadm_login off
staff_exec_content on
staff_use_svirt off
swift_can_network off
sysadm_exec_content on
telepathy_connect_all_ports off
telepathy_tcp_connect_generic_network_ports on
tftp_anon_write off
tftp_home_dir off
tmpreaper_use_nfs off
tmpreaper_use_samba off
tor_bind_all_unreserved_ports off
tor_can_network_relay off
unconfined_chrome_sandbox_transition on
unconfined_login on
unconfined_mozilla_plugin_transition on
unprivuser_use_svirt off
use_ecryptfs_home_dirs off
use_fusefs_home_dirs off
use_lpd_server off
use_nfs_home_dirs off
use_samba_home_dirs off
user_exec_content on
varnishd_connect_any off
virt_read_qemu_ga_data off
virt_rw_qemu_ga_data off
virt_sandbox_use_all_caps on
virt_sandbox_use_audit on
virt_sandbox_use_mknod off
virt_sandbox_use_netlink off
virt_sandbox_use_nfs off
virt_sandbox_use_samba off
virt_sandbox_use_sys_admin off
virt_transition_userdomain off
virt_use_comm off
virt_use_execmem off
virt_use_fusefs off
virt_use_nfs off
virt_use_rawip off
virt_use_samba off
virt_use_sanlock off
virt_use_usb on
virt_use_xserver off
webadm_manage_user_files off
webadm_read_user_files off
wine_mmap_zero_ignore off
xdm_bind_vnc_tcp_port off
xdm_exec_bootloader off
xdm_sysadm_login off
xdm_write_home off
xen_use_nfs off
xend_run_blktap on
xend_run_qemu on
xguest_connect_network on
xguest_exec_content on
xguest_mount_media on
xguest_use_bluetooth on
xserver_clients_write_xshm off
xserver_execmem off
xserver_object_manager off
zabbix_can_network off
zarafa_setrlimit off
zebra_write_config off
zoneminder_anon_write off
zoneminder_run_sudo off
For information on how to make SELinux policy changes, please refer to the following:
Red Hat: RHEL SELinux User's and Administrator's Guide
ENABLED SERVICES
The following table depicts the list of services which have been enabled. To check the status of your system, refer to the usage of the systemctl command.
AMI Services State
UNIT STATE
abrt-ccpp.service enabled
abrt-oops.service enabled
abrt-vmcore.service enabled
abrt-xorg.service enabled
abrtd.service enabled
atd.service enabled
auditd.service enabled
brandbot.service static
[email protected] static
chronyd.service enabled
cloud-config.service enabled
cloud-final.service enabled
cloud-init-local.service enabled
cloud-init.service enabled
[email protected] static
crond.service enabled
dbus-org.fedoraproject.FirewallD1.service enabled
dbus-org.freedesktop.hostname1.service static
dbus-org.freedesktop.locale1.service static
dbus-org.freedesktop.login1.service static
dbus-org.freedesktop.machine1.service static
dbus-org.freedesktop.network1.service invalid
dbus-org.freedesktop.timedate1.service static
dbus.service static
dmraid-activation.service enabled
dracut-cmdline.service static
dracut-initqueue.service static
dracut-mount.service static
dracut-pre-mount.service static
dracut-pre-pivot.service static
dracut-pre-trigger.service static
dracut-pre-udev.service static
dracut-shutdown.service static
emergency.service static
firewalld.service enabled
fprintd.service static
fstrim.service static
[email protected] enabled
halt-local.service static
initrd-cleanup.service static
initrd-parse-etc.service static
initrd-switch-root.service static
initrd-udevadm-cleanup-db.service static
irqbalance.service enabled
jbossas.service enabled
kdump.service enabled
kmod-static-nodes.service static
ldconfig.service static
libstoragemgmt.service enabled
lvm2-monitor.service enabled
[email protected] static
[email protected] static
[email protected] static
[email protected] static
mdmonitor.service enabled
messagebus.service static
microcode.service enabled
plymouth-switch-root.service static
polkit.service static
postfix.service enabled
quotaon.service static
rc-local.service static
rescue.service static
rhel-autorelabel-mark.service static
rhel-autorelabel.service static
rhel-configure.service static
rhel-import-state.service static
rhel-loadmodules.service static
rhel-readonly.service static
rhsmcertd.service enabled
rngd.service enabled
[email protected] static
rsyslog.service enabled
smartd.service enabled
sshd-keygen.service static
sshd.service enabled
[email protected] static
sysstat.service enabled
systemd-ask-password-console.service static
systemd-ask-password-plymouth.service static
systemd-ask-password-wall.service static
[email protected] static
systemd-binfmt.service static
systemd-firstboot.service static
systemd-fsck-root.service static
[email protected] static
systemd-halt.service static
[email protected] static
systemd-hibernate.service static
systemd-hostnamed.service static
systemd-hwdb-update.service static
systemd-hybrid-sleep.service static
systemd-initctl.service static
systemd-journal-catalog-update.service static
systemd-journal-flush.service static
systemd-journald.service static
systemd-kexec.service static
systemd-localed.service static
systemd-logind.service static
systemd-machine-id-commit.service static
systemd-machined.service static
systemd-modules-load.service static
systemd-poweroff.service static
systemd-quotacheck.service static
systemd-random-seed.service static
systemd-readahead-collect.service enabled
systemd-readahead-done.service static
systemd-readahead-drop.service enabled
systemd-readahead-replay.service enabled
systemd-reboot.service static
systemd-remount-fs.service static
[email protected] static
systemd-shutdownd.service static
systemd-suspend.service static
systemd-sysctl.service static
systemd-timedated.service static
systemd-tmpfiles-clean.service static
systemd-tmpfiles-setup-dev.service static
systemd-tmpfiles-setup.service static
systemd-udev-settle.service static
systemd-udev-trigger.service static
systemd-udevd.service static
systemd-update-done.service static
systemd-update-utmp-runlevel.service static
systemd-update-utmp.service static
systemd-user-sessions.service static
systemd-vconsole-setup.service static
[email protected] static
tuned.service enabled
For information on how to make changes to services, please refer to the following:
Red Hat: RHEL: Managing Services with systemd
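A drift check against the two baseline tables above (the SELinux Policy Status booleans and the AMI Services State units), added here as an example and not part of the Shadow-Soft document. It embeds a constructed subset of each table as the baseline together with constructed samples of getsebool -a and systemctl list-unit-files output; on a live instance the real command output is what you would pass to drift_report.

```shell
#!/bin/sh
# Added example: report drift between the baseline tables in this overview
# and the live SELinux boolean / systemd unit state. All inputs below are
# constructed; they are not the full tables from the document.

# Baseline subset of the SELinux Policy Status table ("name value").
SEBOOL_BASELINE='
deny_ptrace off
fips_mode on
httpd_can_network_connect off
httpd_enable_cgi on
ssh_sysadm_login off
'

# Baseline subset of the AMI Services State table ("unit state").
UNIT_BASELINE='
auditd.service enabled
firewalld.service enabled
jbossas.service enabled
postfix.service enabled
sshd.service enabled
'

# Constructed sample of `getsebool -a` output: fips_mode turned off,
# httpd_can_network_connect turned on, deny_ptrace missing entirely.
SAMPLE_GETSEBOOL='
fips_mode --> off
httpd_can_network_connect --> on
httpd_enable_cgi --> on
ssh_sysadm_login --> off
'

# Constructed sample of `systemctl list-unit-files --type=service --no-legend`
# output: firewalld has been disabled since the image was built.
SAMPLE_UNIT_FILES='
auditd.service enabled
firewalld.service disabled
jbossas.service enabled
postfix.service enabled
sshd.service enabled
'

# normalize INPUT: accept either "name --> value" or "unit state" lines and
# emit "key value", dropping blank or malformed lines.
normalize() {
    printf '%s\n' "$1" | sed 's/ *--> */ /' | awk 'NF == 2 { print $1, $2 }'
}

# drift_report BASELINE CURRENT: print "key expected actual" for every
# baseline entry whose live value differs, or "key expected missing" when
# the entry is absent from the live output.
drift_report() {
    normalize "$2" | awk -v base="$(normalize "$1")" '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        ($1 in want) { seen[$1] = 1; if ($2 != want[$1]) print $1, want[$1], $2 }
        END { for (k in want) if (!(k in seen)) print k, want[k], "missing" }
    '
}

# drift_count BASELINE CURRENT: number of drifted entries (0 means clean).
drift_count() {
    drift_report "$1" "$2" | wc -l | tr -d ' '
}

echo "SELinux booleans drifted from baseline:"
drift_report "$SEBOOL_BASELINE" "$SAMPLE_GETSEBOOL"
echo "Service units drifted from baseline:"
drift_report "$UNIT_BASELINE" "$SAMPLE_UNIT_FILES"
```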
FIREWALL CONFIGURATION
AWS manages network access through the usage of security groups. As such, the firewalld service is disabled by default. Note that the AMI Services State table above lists firewalld.service as enabled, so verify the actual state on your instance with systemctl status firewalld. For more information on how to define an AWS security group for managing access, see the following:
AWS: Amazon EC2 Security Groups for Linux Instances
ENVIRONMENT VARIABLES
As part of the initial installation, the following environment variables have been defined in /etc/environment.
EAP_HOME = /opt/rh/eap7/root/usr/share/wildfly
STANDALONE_SH = /opt/rh/eap7/root/usr/share/wildfly/bin/standalone.sh
JBOSS_SERVICE = eap7-standalone
JBOSS EAP DEFAULTS
The following sections outline the default system configurations associated with JBoss EAP and Java.
JAVA VERSION
As part of this deployment, OpenJDK version . . _ has been deployed and configured on the system. The package was installed from Red Hat's RHEL Server RPM Repository. For information on the latest features included with Java, please refer to the following:
JDK Features
DEFAULT JVM TUNING
Performance tuning is unique to each installation because of internal and external factors. It is not a goal but a cyclical process of performance monitoring, configuration changes and review. All the following configurations are organized around best practices of heap sizing and management.
HEAP SIZE
Heap sizes are divided into setting an appropriate initial heap size (-Xms) and a maximum heap size (-Xmx). The following table provides examples of memory sizes based on instance types.
Instance Type    CPU    Memory (GB)    Heap Size (GB)
t .small
. medium .
t . medium
.large .
t .large
. large + larger
GARBAGE COLLECTOR ALGORITHM
A Concurrent Collector was used for garbage collection based on best practices and enhancing performance. The Concurrent Collector (-XX:+UseConcMarkSweepGC) performs most of its work concurrently, using a single garbage collector thread that runs with the application threads simultaneously. It enables the VM's mostly concurrent garbage collector. It also auto-enables -XX:+UseParNewGC, which enables a multi-threaded young generation garbage collector.
NEW SIZE
When setting -XX:MaxNewSize you need to take into account that the young generation is only one part of the heap and that the larger you choose its size, the smaller the old generation will be. For stability reasons, it is not allowed to choose a young generation size larger than the old generation, because in the worst case it may become necessary for a GC to move all objects from the young generation into the old generation. Thus -Xmx/2 is an upper bound for -XX:MaxNewSize.
We regulate the new generation size by setting MaxNewSize and NewSize equal.
For more information on how and where to perform these configurations, see the following:
Oracle: Tuning JVMs
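A small generator for the standalone.conf JAVA_OPTS line that encodes the rules of this section (CMS with ParNew, NewSize equal to MaxNewSize, and the -Xmx/2 upper bound), added here as an example and not part of the Shadow-Soft document. Heap and young-generation sizes are inputs in MB, and setting -Xms equal to -Xmx is this example's choice, not something the table above specifies.

```shell
#!/bin/sh
# Added example: derive the JAVA_OPTS line for $EAP_HOME/bin/standalone.conf
# from the rules in this section. Heap and young-generation sizes are given
# in MB by the caller; the per-instance values of the table are not repeated.

# cap_new_size HEAP_MB REQUESTED_NEW_MB
# The young generation may never be larger than the old one, so the
# requested size is capped at -Xmx/2.
cap_new_size() {
    heap_mb=$1
    new_mb=$2
    bound=$((heap_mb / 2))
    if [ "$new_mb" -gt "$bound" ]; then
        printf '%s\n' "$bound"
    else
        printf '%s\n' "$new_mb"
    fi
}

# jvm_opts HEAP_MB REQUESTED_NEW_MB
# -Xms and -Xmx are set equal (this example's choice), NewSize and
# MaxNewSize are set equal as the section prescribes, and the CMS
# collector is selected, which also enables ParNew for the young generation.
jvm_opts() {
    case "$1$2" in
        ''|*[!0-9]*) echo "usage: jvm_opts HEAP_MB NEW_MB (integers)" >&2; return 1 ;;
    esac
    heap_mb=$1
    new_mb=$(cap_new_size "$heap_mb" "$2")
    opts="-Xms${heap_mb}m -Xmx${heap_mb}m"
    opts="$opts -XX:NewSize=${new_mb}m -XX:MaxNewSize=${new_mb}m"
    opts="$opts -XX:+UseConcMarkSweepGC -XX:+UseParNewGC"
    printf '%s\n' "$opts"
}

# A 2048 MB heap with a 1536 MB young generation requested: the request
# exceeds -Xmx/2 and is capped to 1024 MB. Prints the standalone.conf line.
printf 'JAVA_OPTS="$JAVA_OPTS %s"\n' "$(jvm_opts 2048 1536)"
```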
VAULT CONFIGURATION
KEYSTORE
Keysize    Validity    Storetype    Keyalg    Directory
           days        JCEKS        AES       $EAP_HOME/vault/vault.keystore
VAULT
Salt    Offset Value    Iteration    Vault Directory     Vault Configuration Info Directory
a d                                  $EAP_HOME/vault/    $EAP_HOME/vault/vault.info
To make changes to stored values within the vault, see the Red Hat documentation.
ADMIN USERNAME / PASSWORD
The default administrative user included with this distribution is labeled admin, with a password equal to the current instance ID. It is highly recommended that the password be changed to a more secure entry using the add-user command.
For more information on how and where to perform these configurations, see the following link:
Red Hat: Chapter: User Management
PORT CONFIGURATION
The default ports of JBoss EAP are mapped as follows:
Port    Interface    Service
        . . .        Application Server
        . . .        Management Server
        . . .        Management CLI
For information on how to configure the socket bindings of JBoss EAP, see the following:
Red Hat: Network and Port Configuration
JON AGENT INSTALLATION
If you are looking to manage JBoss with your own copy of JBoss Operations Network, please refer to the following for installation and configuration instructions: Red Hat: JON Agent Installation
OPERATING MODE
JBoss instances are currently running in standalone mode. The associated configuration file for the instance is located at $EAP_HOME/standalone/standalone.xml.
For more information on how and where to perform these configurations, see the following:
Red Hat: Getting Started with the Management CLI