Bug
Resolution: Done
Blocker
7.1.0.DR15
As part of EAP7-632, I'm trying to set up SSL for master-slave communication in a managed domain. I've attached my current setup (XML files), because the files have been stripped of things I don't need, but I'll also describe the elytron mgmt commands that I used to get there:
First, I created keystores and truststores as I was instructed in upstream documentation. No issues with this. The keystores are in /tmp/keystores/ and I'm using absolute paths to reference them.
# generate server keystore
keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
# generate client keystore
keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
# export server certificate
keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
# export client certificate
keytool -exportcert -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
# create server truststore (trusts client certificate)
keytool -importcert -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer
# create client truststore (trusts server certificate)
keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
Then, I configured the following on my master node:
/host=master/subsystem=elytron/key-store=twoWayKS:add(path=/tmp/keystores/server.keystore.jks,credential-reference={clear-text=secret},type=JKS)
/host=master/subsystem=elytron/key-store=twoWayTS:add(path=/tmp/keystores/server.truststore.jks,credential-reference={clear-text=secret},type=JKS)
/host=master/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
/host=master/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
/host=master/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true)
/host=master/core-service=management/management-interface=native-interface:write-attribute(name=ssl-context, value=twoWaySSC)
If I reload the master node now, the slave won't be able to connect and will repeatedly throw [1] until the slave gives up.
Then I configured the following on my slave node:
/host=slave/subsystem=elytron/key-store=twoWayKS:add(path=/tmp/keystores/client.keystore.jks,credential-reference={clear-text=secret},type=JKS)
/host=slave/subsystem=elytron/key-store=twoWayTS:add(path=/tmp/keystores/client.truststore.jks,credential-reference={clear-text=secret},type=JKS)
/host=slave/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
/host=slave/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
/host=slave/subsystem=elytron/client-ssl-context=twoWayCSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM)
Then I added an authentication-context with a match-rule to the created client-ssl-context:
/host=slave/subsystem=elytron/authentication-context=slaveHostAContext:write-attribute(name=match-rules,value=[{match-host=127.0.0.1,ssl-context=twoWayCSC}])
and tied the authentication context to the domain-controller in the configuration file:
<remote host="localhost" port="9999" authentication-context="slaveHostAContext"/>
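An added example, not the reporter's commands: the keystore step above as a script, followed by a check that each truststore really holds the certificate its peer will present, so the pairing can be verified before either host controller is reloaded. It assumes keytool is on PATH; the directory and password are placeholders, and it deviates from the report by adding -storetype JKS and -noprompt and by using 2048-bit keys, for the reasons given in the comments.

```shell
#!/bin/sh
# Added example, not part of the bug report: build the two keystores and two truststores
# described above, then check each side trusts exactly the certificate its peer presents.
# Assumes keytool is on PATH; the directory and password are placeholders.
set -eu

# Create server (master) and client (slave) key pairs and cross-imported truststores.
make_keystores() {
  dir=$1; pw=$2
  mkdir -p "$dir"
  # -storetype JKS: JDK 9+ keytool defaults to PKCS12, which would not match type=JKS in the CLI.
  # 2048-bit keys are used here instead of the 1024-bit keys in the report.
  keytool -genkeypair -storetype JKS -alias localhost -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$dir/server.keystore.jks" -dname "CN=localhost" -keypass "$pw" -storepass "$pw"
  keytool -genkeypair -storetype JKS -alias client -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$dir/client.keystore.jks" -dname "CN=client" -keypass "$pw" -storepass "$pw"
  keytool -exportcert -keystore "$dir/server.keystore.jks" -alias localhost \
    -storepass "$pw" -file "$dir/server.cer"
  keytool -exportcert -keystore "$dir/client.keystore.jks" -alias client \
    -storepass "$pw" -file "$dir/client.cer"
  # -noprompt: without it keytool stops to ask "Trust this certificate?" on each import.
  keytool -importcert -noprompt -storetype JKS -keystore "$dir/server.truststore.jks" \
    -storepass "$pw" -alias client -file "$dir/client.cer"
  keytool -importcert -noprompt -storetype JKS -keystore "$dir/client.truststore.jks" \
    -storepass "$pw" -alias localhost -file "$dir/server.cer"
}

# Print the PEM certificate stored under an alias (args: keystore password alias).
cert_pem() {
  keytool -list -rfc -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Succeeds only if the master truststore holds the slave's cert and vice versa.
verify_mutual_trust() {
  dir=$1; pw=$2
  srv=$(cert_pem "$dir/server.keystore.jks" "$pw" localhost)
  cli=$(cert_pem "$dir/client.keystore.jks" "$pw" client)
  [ -n "$srv" ] && [ "$srv" = "$(cert_pem "$dir/client.truststore.jks" "$pw" localhost)" ] || return 1
  [ -n "$cli" ] && [ "$cli" = "$(cert_pem "$dir/server.truststore.jks" "$pw" client)" ] || return 1
}

# Usage: sh mutual_trust.sh /tmp/keystores secret
if [ "$#" -eq 2 ]; then
  make_keystores "$1" "$2" && verify_mutual_trust "$1" "$2" && echo "mutual trust OK"
fi
```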
I think this should be all the configuration that's required. If there's something missing, the upstream documentation doesn't mention it (in fact, it only says how to set up the server-side SSL, not the authentication-context for the slave).
When I now reload the master and the slave, they throw [1] and [2] respectively, until the slave gives up because it can't connect.
Note that this blocks EAP7-632, for which SSL setup between master and slave is one of its parts.
[1] Master stacktrace:
[Host Controller] 09:35:28,940 ERROR [org.xnio.listener] (management I/O-1) XNIO001007: A channel event listener threw an exception: java.lang.IllegalArgumentException: XNIO000300: Socket buffer is too small
[Host Controller]     at org.xnio.ssl.JsseStreamConduit.<init>(JsseStreamConduit.java:115)
[Host Controller]     at org.xnio.ssl.JsseSslConnection.<init>(JsseSslConnection.java:31)
[Host Controller]     at org.xnio.ssl.JsseSslConnection.<init>(JsseSslConnection.java:25)
[Host Controller]     at org.jboss.remoting3.remote.RemoteConnectionProvider$ProviderInterface.lambda$createServer$0(RemoteConnectionProvider.java:333)
[Host Controller]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
[Host Controller]     at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:130)
[Host Controller]     at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
[Host Controller]     at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
[2] Slave stacktrace:
[Host Controller] 09:35:39,942 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://localhost:9999: java.lang.IllegalStateException: WFLYHC0052: Could not connect to master in 5 attempts within 30000 ms
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:307)
[Host Controller]     at org.jboss.as.host.controller.DomainModelControllerService.connectToDomainMaster(DomainModelControllerService.java:925)
[Host Controller]     at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:679)
[Host Controller]     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:349)
[Host Controller]     at java.lang.Thread.run(Thread.java:745)
[Host Controller] Caused by: java.net.ConnectException: WFLYPRT0023: Could not connect to remote://localhost:9999. The connection timed out
[Host Controller]     at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:123)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection.lambda$openConnection$0(RemoteDomainConnection.java:223)
[Host Controller]     at org.wildfly.common.context.Contextual.runExceptionAction(Contextual.java:108)
[Host Controller]     at org.wildfly.security.auth.client.AuthenticationContext.run(AuthenticationContext.java:296)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection.openConnection(RemoteDomainConnection.java:223)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection$InitialConnectTask.connect(RemoteDomainConnection.java:592)
[Host Controller]     at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnection.connect(RemoteDomainConnection.java:147)
[Host Controller]     at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:288)
[Host Controller]     ... 4 more