WildFly Elytron / ELY-2502

SASL authentication configured by the security command denies CLI connection


Details


      Reproducing using the tests-security testsuite:

      1. gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-security.git

      2. Add a thread-related breakpoint into SecurityCommandTestCase#testExternalAuthManagement after the configuration is done, and enable the debug configuration.

      3. Run the test case with the -Dmaven.surefire.debug parameter:

         mvn clean test -Deap -Dversion.jboss.bom=7.4.9.GA -Dmaven.repo.local=/path/to/maven/repo/jboss-eap-7.4.9.GA-maven-repository/maven-repository -Djboss.dist.zip=/path/to/EAP/zip/EAP_versions/jboss-eap-7.4.9.GA-CR1.zip -Dtest=SecurityCommandTestCase#testExternalAuthManagement -Dcheckstyle.skip=true -Dmaven.surefire.debug

      4. Wait till the breakpoint is called and execute the remote controller:

         jboss-cli.sh -c --controller=remote+https://localhost:9993 -Dwildfly.config.url=file:///home/dcihak/Work/issues_retest/SecurityCommandTestCase/cli-test-wildfly-config-4151194202080470161.xml --connect --error-on-interact :whoami

      5. Error occurs:

         Failed to connect to the controller: Unable to authenticate against controller at localhost:9993: Authentication failed: all available authentication mechanisms failed: EXTERNAL: javax.security.sasl.SaslException: EXTERNAL: Server rejected authentication

    Description

      The Elytron subsystem has a keystore configured to use the server/client keystore and certificate.
      When using 2-way SSL authentication with either the CLIENT_CERT or the EXTERNAL mechanism, an error is returned:

      Failed to connect to the controller: Unable to authenticate against controller at localhost:9993: Authentication failed: all available authentication mechanisms failed:
         EXTERNAL: javax.security.sasl.SaslException: EXTERNAL: Server rejected authentication

      in the case of the EXTERNAL mechanism, and 403 in the case of the CLIENT_CERT mechanism. This is a regression against 7.4.8.

          People

            rhn-support-rmartinc Ricardo Martin Camarero