Infinispan / ISPN-7450

Security Realm Authentication trust store not verifying remote server


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Major
    • None
    • 8.2.6.Final
    • Security
    • None

      Set up a security realm and bind the management interface to it:

      <security-realm name="LdapConnection">
          <authentication>
              <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
              <ldap connection="remoteLdap" base-dn="ou=People,dc=company,dc=com" recursive="true">
                  <username-filter attribute="uid"/>
              </ldap>
          </authentication>
          <authorization>
              ...........
          </authorization>
      </security-realm>

      <outbound-connections>
          <ldap name="remoteLdap" url="ldaps://ldapserver.company.com:636"/>
      </outbound-connections>

      <management-interfaces>
          <http-interface security-realm="LdapConnection" http-upgrade-enabled="true">
              <socket-binding https="management-https"/>
          </http-interface>
      </management-interfaces>

      Try and access the management console and enter a valid username and password.
      If debugging is enabled then you get a certificate validation exception.

      12:24:36,119 DEBUG [org.jboss.as.domain.http.api.undertow] (management task-5) Failure handling Callback(s) for BASIC authentication.: java.io.IOException: WFLYDM0009: Unable to perform verification
      at org.jboss.as.domain.management.security.UserLdapCallbackHandler$LdapCallbackHandler.handle(UserLdapCallbackHandler.java:253)
      at org.jboss.as.domain.management.security.SecurityRealmService$1.handle(SecurityRealmService.java:178)
      at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:162)
      at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:141)
      at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118)
      at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
      at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
      at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
      at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
      at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name 'ou=People,dc=company,dc=com'
      at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2002)
      at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
      at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
      at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
      at org.jboss.as.domain.management.security.LdapUserSearcherFactory$LdapUserSearcherImpl.search(LdapUserSearcherFactory.java:125)
      at org.jboss.as.domain.management.security.LdapUserSearcherFactory$LdapUserSearcherImpl.search(LdapUserSearcherFactory.java:66)
      at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225)
      at org.jboss.as.domain.management.security.UserLdapCallbackHandler$LdapCallbackHandler.handle(UserLdapCallbackHandler.java:205)
      ... 18 more

      If I then add the certificates to the Java default cacerts store, or pass in a manual truststore location through -Djavax.net.ssl.trustStore=truststore.jks, then the connection works OK.
      The WildFly security realm documents specifically state "that is if a trust store is defined - on negotiating an outbound SSL connection the trust store will be used to verify the remote server."


      The truststore element in a realm's authentication element doesn't appear to be used to verify the remote server connection.
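To tell apart "the realm ignores its truststore" from "the truststore does not contain the server's CA chain", the following Java harness (added here; not Infinispan or WildFly code) repeats the realm's user search over LDAPS while pinning that one connection to truststore.jks through a custom SSLSocketFactory, instead of changing trust JVM-wide with -Djavax.net.ssl.trustStore. The realm.truststore and realm.truststore.password system properties, the class name, and an anonymous bind being permitted for the search are assumptions.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.net.SocketFactory;
import javax.net.ssl.*;

/** SSLSocketFactory whose trust anchors come only from the realm's truststore.jks, never from the JVM cacerts. */
public final class RealmTrustStoreSocketFactory extends SSLSocketFactory {
    // Assumed: store path and password arrive as system properties (defaults mirror the realm config above).
    static final String TRUST_STORE = System.getProperty("realm.truststore", "truststore.jks");
    static final char[] PASSWORD = System.getProperty("realm.truststore.password", "changeit").toCharArray();
    private static final SSLSocketFactory DELEGATE = build();

    private static SSLSocketFactory build() {
        try (InputStream in = new FileInputStream(TRUST_STORE)) {
            KeyStore ts = KeyStore.getInstance("JKS");
            ts.load(in, PASSWORD);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);                       // PKIX path building will use these anchors only
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (Exception e) {
            throw new IllegalStateException("cannot load realm truststore " + TRUST_STORE, e);
        }
    }

    /** The JNDI LDAP provider calls this static method on the class named in java.naming.ldap.factory.socket. */
    public static SocketFactory getDefault() { return new RealmTrustStoreSocketFactory(); }

    @Override public String[] getDefaultCipherSuites() { return DELEGATE.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return DELEGATE.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return DELEGATE.createSocket(s, h, p, a); }
    @Override public Socket createSocket(String h, int p) throws IOException { return DELEGATE.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return DELEGATE.createSocket(h, p, l, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return DELEGATE.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return DELEGATE.createSocket(h, p, l, lp); }

    /** Repeats the realm's search; a PKIX exception here means the store itself lacks the server's CA chain. */
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldapserver.company.com:636");   // ldaps:// selects TLS
        env.put("java.naming.ldap.factory.socket", RealmTrustStoreSocketFactory.class.getName());
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // recursive="true" in the realm config
        DirContext ctx = new InitialDirContext(env);       // assumed: anonymous bind may run the search
        try { ctx.search("ou=People,dc=company,dc=com", "(uid=*)", sc).close(); }
        finally { ctx.close(); }
        System.out.println("TLS chain of ldapserver.company.com verified against " + TRUST_STORE);
    }
}
```

If this harness succeeds with the same truststore.jks while the realm still logs the PKIX failure above, the realm is not consulting its configured truststore for the outbound connection; an LDAP-level error such as invalid credentials still means the TLS handshake itself completed.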

            Assignee: Unassigned
            Reporter: karl.sorensen@sky.uk Karl Sorensen (Inactive)
            Votes: 0
            Watchers: 2