Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-5099

Using "profile:" property resolver to specify a keystore file for securing fabric containers does not work

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • jboss-fuse-6.3
    • jboss-fuse-6.2.1
    • Fabric8 v1
    • None
    • % %
    • Sprint 5 - towards ER2

      It is related to the JIRA ENTESB-5097.

      The instruction in the JIRA ENTESB-5097 described how to secure fabric containers. So I created a custom profile "secure" with following "org.ops4j.pax.web.properties":

      org.osgi.service.http.port.secure=${port:8443,8543}
      org.osgi.service.http.enabled=false
      org.osgi.service.http.secure.enabled=true
      org.ops4j.pax.web.ssl.keypassword=password
      org.ops4j.pax.web.ssl.password=password
      org.ops4j.pax.web.ssl.keystore=/apps/jboss/fuse/6.2.1/test/jboss-fuse-6.2.1.redhat-084/etc/mykeystore.jks
      

      You can see that I only stored the keystore file externally on my local file system.

      However, I'd like to store the keystore file within the custom profile "secure" instead and use "profile:" property resolver to configure the property "org.ops4j.pax.web.ssl.keystore" value like:

      org.ops4j.pax.web.ssl.keystore=profile:mykeystore.jks
      

      I added the JKS keystore file to the "secure" profile through git clone/push operations to make sure the integrity of the JKS binary file.

      Also as described in the JIRA ENTESB-5097, I tried to create a fully secure fabric environment but with the following workaround:

      1. make sure that the fabric root container does not have the "secure" profile applied just yet so it remains normal and insecure;
      2. create a local child container with "container-create-child root child1" command. So the child1 container will be created as a normal and insecure local child container;
      3. apply the "secure" profile to both containers one by one. It will work fine for both containers. To confirm, you can try to invoke URL "https://localhost:8444/jolokia" from your browser against the child1 container and you will get json data back.
      4. stop/restart the child1 container with "container-stop/container-start" command, then try to invoke the same URL "https://localhost:8444/jolokia", nothing will be returned.

      At the same time, you will get following error from the child1 container:

      2016-03-04 13:40:30,917 | WARN  | pool-1-thread-1  | AbstractLifeCycle                | 103 - org.eclipse.jetty.aggregate.jetty-all-server - 8.1.17.v20150415 | FAILED SslContextFactory@5374e4e6(profile:mykeystore.jks,profile:mykeystore.jks): java.io.FileNotFoundException: /apps/jboss/fuse/6.2.1/test/jboss-fuse-6.2.1.redhat-084/instances/child1/profile:mykeystore.jks (No such file or directory)
      java.io.FileNotFoundException: /apps/jboss/fuse/6.2.1/test/jboss-fuse-6.2.1.redhat-084/instances/child1/profile:mykeystore.jks (No such file or directory)
      	at java.io.FileInputStream.open(Native Method)[:1.7.0_67]
      	at java.io.FileInputStream.<init>(FileInputStream.java:146)[:1.7.0_67]
      	at org.eclipse.jetty.util.resource.FileResource.getInputStream(FileResource.java:286)[103:org.eclipse.jetty.aggregate.jetty-all-server:8.1.17.v20150415]
      

      It looks like that Jetty does not recognize and resolve the property resolver "profile:mykeystore.jks" as the value of the property "org.ops4j.pax.web.ssl.keystore".

              pantinor@redhat.com Paolo Antinori
              rhn-support-qluo Joe Luo
              Andrej Vano Andrej Vano
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: