Liferay OSGi and SSH Access

Taking forward from where Ray left off with Telnet access to the Liferay OSGi console, I am taking this a step ahead to enable SSH access to the Liferay OSGi console. Here are my two little reasons for wanting to do it:

  • I want to secure my OSGi console access; in fact we will go a step ahead and integrate the Liferay Portal JAAS with the OSGi SSH console, thereby allowing all Liferay users to log on to the OSGi shell
  • I want to give the SSH'ed user the ability to execute Liferay API commands

Though I have completed the first point above, the second will be part of another blog in this series :) as there are a few things that need to be sorted out before I can make point #2 work as expected.

A good prerequisite would be to have the OSGi console set up for Liferay. You can either follow @Ray's blog, or clone the Liferay Content Targeting repo and run the ant deploy command from $CONTENT_TARGETTING_REPO/apps/content-targeting/runtime-dependencies to have the necessary OSGi bundles deployed to your Liferay instance (this might deploy some additional Content Targeting bundles as well, which are harmless and can be ignored). For convenience, and so you can get started quickly, I attached the bundles here; they can be dropped into the $LIFERAY_HOME/deploy folder.

OK, let's get into the action of setting them up.

Which SSH bundles might I require?

  • org.apache.mina.core_2.0.7.v201401071602.jar
  • org.apache.sshd.core_0.7.0.v201303101611.jar
  • org.eclipse.equinox.console.jaas.fragment_1.0.0.v20130327-1442.jar
  • org.eclipse.equinox.console.ssh_1.0.100.v20131208-1728.jar
  • slf4j-api-1.7.5.jar or newer
  • slf4j-simple-1.7.5.jar or newer

You can download the Mina and Equinox bundles from Equinox Download; I used Luna SR1 at the time of writing this blog.

Once you have added these bundles, add the following properties to your portal-setup-wizard.properties or portal-ext.properties:

    ###
    # OSGi
    ###
    # Telnet
    module.framework.properties.osgi.console=11311
    # SSH
    module.framework.properties.osgi.console.ssh=2525
    ##
    ## JAAS enabling
    ##
    # Security settings, allowing SSH to use screenName
    portal.jaas.auth.type=screenName
    ##
    ## Login
    ##
    company.security.auth.type=screenName

The next step is to create the JAAS configuration file "equinox_console_jaas.conf", shown below, at your preferred location; I typically create it at $LIFERAY_HOME/data/osgi:

    equinox_console {
        com.liferay.portal.security.jaas.PortalLoginModule required debug=true;
    };

The next step is to tell the SSH bundles where our JAAS configuration file is. To do that, edit "setenv.sh" in the Liferay Tomcat bundle and add the additional JVM options shown below:

    CATALINA_OPTS="$CATALINA_OPTS -Dfile.encoding=UTF8 -Djava.net.preferIPv4Stack=true  -Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false -Duser.timezone=GMT -Xms2048m -Xmx2048m -XX:MaxPermSize=256m"

    #JAAS Options
    EQUINOX_JAAS_OPTS="-Djava.security.auth.login.config=data/osgi/equinox_console_jaas.conf"

    CATALINA_OPTS="$CATALINA_OPTS $EQUINOX_JAAS_OPTS"

Note that a relative path here is resolved against the directory the JVM is started from. If you prefer to keep the JAAS conf file elsewhere, edit the "java.security.auth.login.config" JVM option in setenv.sh above accordingly.

There you go, the setup is done and SSH will be enabled once the server is restarted. It is a good idea to clear the existing $LIFERAY_HOME/data/osgi/state directory first so that all our bundles start from a clean state.

Once the server has restarted, trying ssh -p2525 test@localhost may give you "connection refused". This is because the SSH console plugin is designed to start lazily: telnet on to the console using telnet localhost 11311, find the `Equinox Console SSH plugin` bundle and start it manually (this is a one-time activity; the state is maintained until the bundle is refreshed). Once the bundle is started, run ssh -p2525 test@localhost, and when prompted for a password give the same password the "test" user has in the portal; you will then be logged on to the Liferay OSGi SSH shell.
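As an added check script (not part of the original post), the following POSIX shell functions audit the three pieces of configuration above: they read the console properties from a portal properties file, flag the unauthenticated Telnet console if it is still enabled, and verify that the JAAS path in setenv.sh resolves to a file defining the equinox_console realm. The file names and base directory passed as arguments are assumptions; the property keys and realm name are the ones used in the post.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks the Liferay console
# settings described above. Exit status 0 means the Telnet console is disabled
# and an SSH console port is configured; 1 means something needs attention.

# Print the value of a key from a Java-style properties file. The last
# occurrence wins; output is empty when the key is absent or has no value.
prop_value() {
    # $1 = properties file, $2 = key. Dots in the key act as regex wildcards in
    # sed, which is harmless here because the trailing '=' anchors the match.
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Audit the console-related properties in $1. Prints one finding per line.
audit_console_config() {
    rc=0
    telnet=$(prop_value "$1" "module.framework.properties.osgi.console")
    ssh_port=$(prop_value "$1" "module.framework.properties.osgi.console.ssh")
    jaas=$(prop_value "$1" "portal.jaas.auth.type")
    if [ -n "$telnet" ]; then
        echo "WARN: unauthenticated Telnet console enabled on port $telnet"; rc=1
    else
        echo "OK: Telnet console disabled (property empty or absent)"
    fi
    if [ -n "$ssh_port" ]; then
        echo "OK: SSH console configured on port $ssh_port"
    else
        echo "WARN: no SSH console port configured"; rc=1
    fi
    [ "$jaas" = "screenName" ] || echo "WARN: portal.jaas.auth.type is '$jaas'; the post uses screenName"
    return $rc
}

# Verify that the -Djava.security.auth.login.config path in setenv.sh ($1)
# resolves, relative to the directory the JVM is started from ($2), to a file
# that defines the equinox_console realm used by the Equinox SSH console.
check_jaas_conf() {
    path=$(sed -n 's/.*-Djava\.security\.auth\.login\.config=\([^" ]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$path" ] || { echo "WARN: java.security.auth.login.config not set in $1"; return 1; }
    case "$path" in /*) full="$path" ;; *) full="$2/$path" ;; esac
    if [ -f "$full" ] && grep -q '^[[:space:]]*equinox_console[[:space:]]*{' "$full"; then
        echo "OK: JAAS realm equinox_console found in $full"; return 0
    fi
    echo "WARN: $full is missing or defines no equinox_console realm"; return 1
}

# Usage: audit_console_config portal-ext.properties
#        check_jaas_conf tomcat/bin/setenv.sh "$PWD"
```

Run it from the directory you start Tomcat from so that the relative JAAS path is resolved the same way the JVM resolves it.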

That's it! In the next part of this series we shall see how to execute Liferay API commands as the Liferay user who has SSHed in.

Blogs
Very cool, Kamesh! I just set this up and it was pretty painless, but a few things you might want to fix: I put the equinox_console_jaas.conf file in the data/osgi folder as you suggested, but I had to fix the path to it in setenv.sh using: EQUINOX_JAAS_OPTS="-Djava.security.auth.login.config=../data/osgi/equinox_console_jaas.conf". Also, when I stopped and restarted the portal, it seems like the SSH keys were regenerated, so when I tried to SSH again, I got a scary error from ssh about changing identifiers. I had to delete the localhost:2225 line from my ~/.ssh/known_hosts file. Finally, your example ssh command from the last paragraph in this blog entry uses port 2525 but your example config sets it to 2225. Thanks again, this is really awesome! Any idea how I could disable the Telnet part of the Gogo shell (so I don't have potentially insecure ports open)?
Hey James, thanks for pointing out the typos. I just set module.framework.properties.osgi.console to empty in my portal-ext.properties to disable the telnet port; I tried it and got it working. To avoid the "localhost" known_hosts checking, you can add "NoHostAuthenticationForLocalhost yes" to "~/.ssh/config" or run ssh with the option "--o NoHostAuthenticationForLocalhost".