Type: Bug
Resolution: Done
Priority: Major
Fix Version: jboss-fuse-6.2.1
Sprint: Sprint 5 - towards ER2
It is related to the JIRA ENTESB-5097.
The instruction in the JIRA ENTESB-5097 described how to secure fabric containers. So I created a custom profile "secure" with the following "org.ops4j.pax.web.properties":
org.osgi.service.http.port.secure=${port:8443,8543}
org.osgi.service.http.enabled=false
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keypassword=password
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keystore=/apps/jboss/fuse/6.2.1/test/jboss-fuse-6.2.1.redhat-084/etc/mykeystore.jks
You can see that I only stored the keystore file externally on my local file system.
However, I'd like to store the keystore file within the custom profile "secure" instead and use "profile:" property resolver to configure the property "org.ops4j.pax.web.ssl.keystore" value like:
org.ops4j.pax.web.ssl.keystore=profile:mykeystore.jks
I added the JKS keystore file to the "secure" profile through git clone/push operations to preserve the integrity of the JKS binary file.
Also as described in the JIRA ENTESB-5097, I tried to create a fully secure fabric environment but with the following workaround:
- make sure that the fabric root container does not have the "secure" profile applied just yet so it remains normal and insecure;
- create a local child container with "container-create-child root child1" command. So the child1 container will be created as a normal and insecure local child container;
- apply the "secure" profile to both containers one by one. It will work fine for both containers. To confirm, you can try to invoke URL "https://localhost:8444/jolokia" from your browser against the child1 container and you will get json data back.
- stop/restart the child1 container with the "container-stop/container-start" command, then try to invoke the same URL "https://localhost:8444/jolokia"; nothing will be returned.
At the same time, you will get the following error from the child1 container:
2016-03-04 13:40:30,917 | WARN | pool-1-thread-1 | AbstractLifeCycle | 103 - org.eclipse.jetty.aggregate.jetty-all-server - 8.1.17.v20150415 | FAILED SslContextFactory@5374e4e6(profile:mykeystore.jks,profile:mykeystore.jks): java.io.FileNotFoundException: /apps/jboss/fuse/6.2.1/test/jboss-fuse-6.2.1.redhat-084/instances/child1/profile:mykeystore.jks (No such file or directory) java.io.FileNotFoundException: /apps/jboss/fuse/6.2.1/test/jboss-fuse-6.2.1.redhat-084/instances/child1/profile:mykeystore.jks (No such file or directory) at java.io.FileInputStream.open(Native Method)[:1.7.0_67] at java.io.FileInputStream.<init>(FileInputStream.java:146)[:1.7.0_67] at org.eclipse.jetty.util.resource.FileResource.getInputStream(FileResource.java:286)[103:org.eclipse.jetty.aggregate.jetty-all-server:8.1.17.v20150415]
It looks like Jetty does not recognize and resolve the property resolver "profile:mykeystore.jks" as the value of the property "org.ops4j.pax.web.ssl.keystore".
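A small added check, not part of this JIRA issue or of Fuse itself, that parses a pax-web properties fragment like the one above and flags the conditions behind this report: a plain HTTP listener left on, default keystore passwords, and a keystore value that Jetty opens as a plain path relative to the container instance directory (the "profile:" case shown in the stack trace). The sample properties and the instance directory are constructed.

```python
from pathlib import Path

# Constructed sample mirroring the "secure" profile's org.ops4j.pax.web.properties
# from the report, with the keystore pointed at the profile: resolver that Jetty
# failed to resolve (hypothetical values, not taken from a real deployment).
SAMPLE_PROPERTIES = """\
org.osgi.service.http.port.secure=${port:8443,8543}
org.osgi.service.http.enabled=false
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keypassword=password
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keystore=profile:mykeystore.jks
"""

def parse_properties(text):
    """Parse a minimal Java .properties file into a dict (key=value lines, # or ! comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_pax_web_tls(props, instance_dir):
    """Return a list of findings for the pax-web TLS settings.

    instance_dir is the container's working directory: Jetty opens the keystore
    value as a plain file path relative to it, so a 'profile:' URI becomes
    <instance_dir>/profile:<name>, the FileNotFoundException seen in the report.
    """
    findings = []
    if props.get("org.osgi.service.http.enabled", "true").lower() != "false":
        findings.append("plain HTTP listener still enabled")
    if props.get("org.osgi.service.http.secure.enabled", "false").lower() != "true":
        findings.append("HTTPS listener not enabled")
    keystore = props.get("org.ops4j.pax.web.ssl.keystore", "")
    if keystore.startswith("profile:"):
        resolved = Path(instance_dir) / keystore
        findings.append(f"keystore uses profile: resolver; Jetty will open {resolved} as a file")
    elif keystore and not Path(keystore).is_absolute():
        findings.append("keystore path is relative; it resolves against the instance directory")
    for key in ("org.ops4j.pax.web.ssl.password", "org.ops4j.pax.web.ssl.keypassword"):
        if props.get(key) in (None, "", "password", "changeit"):
            findings.append(f"{key} is empty or a well-known default")
    return findings
```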
Is related to: ENTESB-5097 Fabric won't be able to create child containers if fabric root container is fully secure (Closed)