Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR18
Affects Version/s: 7.1.0.DR16
Component/s: Management, Security
Labels:
- KK-DR18
- eap7.1-rfe-failure

CDW blocker:
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Steps to Reproduce:
Hide

1) add user:

./add-user.sh -u 'admin' -p 'pass@123'

2) generate keystore:

keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v

3) add legacy security realm to standalone-elytron.xml:

<security-realm name="ManagementRealmHTTPS"> <server-identities> <ssl> <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1" alias="appserver"/> </ssl> </server-identities> </security-realm>

4) set up http-interface:

<http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS"> <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/> <socket-binding http="management-http" https="management-https"/> </http-interface>

5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed
Show
1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate keystore: keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v 3) add legacy security realm to standalone-elytron.xml: <security-realm name= "ManagementRealmHTTPS" > <server-identities> <ssl> <keystore path= "identity.jks" relative-to= "jboss.server.config.dir" keystore-password= "password1" alias= "appserver" /> </ssl> </server-identities> </security-realm> 4) set up http-interface: <http- interface http-authentication-factory= "management-http-authentication" security-realm= "ManagementRealmHTTPS" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When http-interface uses http-authentication-factory attribute for authentication and security-realm attribute for SSL, and referenced security-realm does not include authentication, then authentication through http-interface is not possible.

When Management Console is used, then page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed.

When https://localhost:9993/management?operation=attribute&name=server-state is accessed then following output is returned:

{
    "outcome" : "failed",
    "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see https://localhost:9993/error",
    "rolled-back" : "true"
}

When security-realm includes also authentication (which is not used) then authentication through http-interface works as expected.

We request blocker flag because this issue blocks RFE EAP7-545. This issue is reported in EAP 7.1.0.DR16 because this configuration could not be set on application server due to ~~JBEAP-7428~~, which was fixed in EAP 7.1.0.DR16.

is cloned by

WFCORE-2641 Authentication through http-interface with Elytron authentication and legacy SSL (without configured authentication) is not possible

Resolved

is incorporated by

JBEAP-10508 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta21

Closed

is related to

JBEAP-10226 Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured

Closed

Assignee:: Darran Lofthouse

Reporter:: Ondrej Lukas (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2017/04/07 8:27 AM

Updated:: 2024/09/02 4:03 PM

Resolved:: 2017/05/09 6:37 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates