JBoss Enterprise Application Platform: JBEAP-10060

Slave host unable to connect to master with SSL set up (Elytron Configuration)


Description

      As part of EAP7-632, I'm trying to set up SSL for master-slave communication in a managed domain. I've attached my current setup (XML files, stripped of things I don't need), but I'll also describe the Elytron management commands that I used to get there:

      First, I created keystores and truststores as instructed in the upstream documentation. No issues with this. The keystores are in /tmp/keystores/ and I'm using absolute paths to reference them.

      # generate server keystore
      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
      # generate client keystore
      keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
      # export server certificate
      keytool -exportcert  -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
      # export client certificate
      keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
      # create server truststore (trusts client certificate)
      keytool -importcert -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer
      # create client truststore (trusts server certificate)
      keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
      

      Then, I configured the following on my master node:

      /host=master/subsystem=elytron/key-store=twoWayKS:add(path=/tmp/keystores/server.keystore.jks,credential-reference={clear-text=secret},type=JKS)
      /host=master/subsystem=elytron/key-store=twoWayTS:add(path=/tmp/keystores/server.truststore.jks,credential-reference={clear-text=secret},type=JKS)
      /host=master/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
      /host=master/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
      /host=master/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true)
      /host=master/core-service=management/management-interface=native-interface:write-attribute(name=ssl-context, value=twoWaySSC)
      

      If I reload the master node now, the slave won't be able to connect and will repeatedly throw [1] until the slave gives up.

      Then I configured the following on my slave node:

      /host=slave/subsystem=elytron/key-store=twoWayKS:add(path=/tmp/keystores/client.keystore.jks,credential-reference={clear-text=secret},type=JKS)
      /host=slave/subsystem=elytron/key-store=twoWayTS:add(path=/tmp/keystores/client.truststore.jks,credential-reference={clear-text=secret},type=JKS)
      /host=slave/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
      /host=slave/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
      /host=slave/subsystem=elytron/client-ssl-context=twoWayCSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM)
      

      Then I added an authentication-context with a match-rule to the created client-ssl-context:

      /host=slave/subsystem=elytron/authentication-context=slaveHostAContext:write-attribute(name=match-rules,value=[{match-host=127.0.0.1,ssl-context=twoWayCSC}])
      

      and tied the authentication context to the domain-controller in the configuration file:

      <remote host="localhost" port="9999" authentication-context="slaveHostAContext"/>
      

      I think this should be all the configuration that's required. If there's something missing, the upstream documentation doesn't mention it (in fact, it only says how to set up the server-side SSL, not the authentication-context for the slave).

      When I now reload the master and the slave, they throw [1] and [2] respectively, until the slave gives up because it can't connect.

      Note that this blocks EAP7-632, for which SSL setup between master and slave is one of its parts.

      [1] Master stacktrace:

      [Host Controller] 09:35:28,940 ERROR [org.xnio.listener] (management I/O-1) XNIO001007: A channel event listener threw an exception: java.lang.IllegalArgumentException: XNIO000300: Socket buffer is too small
      [Host Controller] 	at org.xnio.ssl.JsseStreamConduit.<init>(JsseStreamConduit.java:115)
      [Host Controller] 	at org.xnio.ssl.JsseSslConnection.<init>(JsseSslConnection.java:31)
      [Host Controller] 	at org.xnio.ssl.JsseSslConnection.<init>(JsseSslConnection.java:25)
      [Host Controller] 	at org.jboss.remoting3.remote.RemoteConnectionProvider$ProviderInterface.lambda$createServer$0(RemoteConnectionProvider.java:333)
      [Host Controller] 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      [Host Controller] 	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:130)
      [Host Controller] 	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
      [Host Controller] 	at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
      

      [2] Slave stacktrace:

      [Host Controller] 09:35:39,942 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://localhost:9999: java.lang.IllegalStateException: WFLYHC0052: Could not connect to master in 5 attempts within 30000 ms
      [Host Controller] 	at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:307)
      [Host Controller] 	at org.jboss.as.host.controller.DomainModelControllerService.connectToDomainMaster(DomainModelControllerService.java:925)
      [Host Controller] 	at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:679)
      [Host Controller] 	at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:349)
      [Host Controller] 	at java.lang.Thread.run(Thread.java:745)
      [Host Controller] Caused by: java.net.ConnectException: WFLYPRT0023: Could not connect to remote://localhost:9999. The connection timed out
      [Host Controller] 	at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:123)
      [Host Controller] 	at org.jboss.as.host.controller.RemoteDomainConnection.lambda$openConnection$0(RemoteDomainConnection.java:223)
      [Host Controller] 	at org.wildfly.common.context.Contextual.runExceptionAction(Contextual.java:108)
      [Host Controller] 	at org.wildfly.security.auth.client.AuthenticationContext.run(AuthenticationContext.java:296)
      [Host Controller] 	at org.jboss.as.host.controller.RemoteDomainConnection.openConnection(RemoteDomainConnection.java:223)
      [Host Controller] 	at org.jboss.as.host.controller.RemoteDomainConnection$InitialConnectTask.connect(RemoteDomainConnection.java:592)
      [Host Controller] 	at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)
      [Host Controller] 	at org.jboss.as.host.controller.RemoteDomainConnection.connect(RemoteDomainConnection.java:147)
      [Host Controller] 	at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:288)
      [Host Controller] 	... 4 more
      

      Attachments

        1. domain.xml (29 kB, Richard Janik)
        2. host-master.xml (9 kB, Richard Janik)
        3. host-slave.xml (10 kB, Richard Janik)
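One check worth making on the slave side before looking further: the match-rule uses match-host=127.0.0.1, while the domain-controller element uses host="localhost", and Elytron compares match-host against the host name as written in the connection URI (remote://localhost:9999 in [2]), not against a resolved address. The script below is an added example, not code from this issue or from EAP/Elytron; it models that rule selection to show which client-ssl-context, if any, a given set of rules hands to the connection. The semantics it encodes (rules tried in order, first full match wins, string comparison of the host) are a simplification of Elytron's behaviour, and the names MatchRule, select_rule and ssl_context_for are chosen here. It says nothing about the master-side error [1], which the report shows occurring before the slave is configured at all.

```python
"""Simplified model of Elytron authentication-context match-rule selection.

Added example, not Elytron or EAP source.  Assumptions: rules are tried in
order, the first rule whose criteria all hold wins, and match-host is
compared against the host part of the target URI as a string
(case-insensitive, no DNS resolution), so "127.0.0.1" and "localhost"
are different hosts.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class MatchRule:
    """Subset of match-rule attributes: the ones used on this page plus match-port."""
    match_host: Optional[str] = None
    match_port: Optional[int] = None
    match_protocol: Optional[str] = None
    ssl_context: Optional[str] = None

    def matches(self, uri: str) -> bool:
        parts = urlsplit(uri)
        if self.match_protocol is not None and parts.scheme.lower() != self.match_protocol.lower():
            return False
        if self.match_host is not None:
            # urlsplit().hostname is already lower-cased; this is a string compare only.
            if parts.hostname is None or parts.hostname != self.match_host.lower():
                return False
        if self.match_port is not None and parts.port != self.match_port:
            return False
        return True


def domain_controller_uri(host: str, port: int, protocol: str = "remote") -> str:
    """URI the slave builds from <remote host=... port=.../> (see the WFLYHC0001 message)."""
    return f"{protocol}://{host}:{port}"


def select_rule(rules: List[MatchRule], uri: str) -> Optional[MatchRule]:
    """First matching rule wins; None means the default configuration applies."""
    for rule in rules:
        if rule.matches(uri):
            return rule
    return None


def ssl_context_for(rules: List[MatchRule], host: str, port: int) -> Optional[str]:
    """Name of the client-ssl-context the slave would use, or None if no rule matched."""
    rule = select_rule(rules, domain_controller_uri(host, port))
    return rule.ssl_context if rule is not None else None


if __name__ == "__main__":
    # The match-rule and the <remote .../> element exactly as given in the issue.
    as_configured = [MatchRule(match_host="127.0.0.1", ssl_context="twoWayCSC")]
    print("match-host=127.0.0.1, remote host=localhost ->",
          ssl_context_for(as_configured, "localhost", 9999))   # None: no rule matched
    # The same rule keyed on the host name actually written in <remote .../>.
    by_name = [MatchRule(match_host="localhost", ssl_context="twoWayCSC")]
    print("match-host=localhost, remote host=localhost ->",
          ssl_context_for(by_name, "localhost", 9999))         # twoWayCSC
```

When no rule matches, the connection falls back to the default authentication configuration, which carries no client-ssl-context; the practical fix is to make match-host equal to the host attribute of the remote element (or to drop match-host and rely on match-port or match-protocol), then confirm the slave's connection log shows a TLS handshake rather than a plain remote:// attempt.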

        People

          Darran Lofthouse (darran.lofthouse@redhat.com)
          Richard Janik (rjanik@redhat.com)