Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10328

CLI Opertation 'load' for Elytron key-store does not change key used by management

    XMLWordPrintable

Details

    • Hide

      1) Create keystore and copy it to standalone/configuration/:

      keytool -genkeypair -alias alias1 -keyalg RSA -keysize 1024 -validity 365 -keystore keystore.jks -dname "CN=alias1" -keypass secret -storepass secret
cp keystore.jks standalone/configuration/

      2) Create a key-store, key-manager, and server-ssl-context and enable HTTPS on the management interface:

      /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=["TLSv1.2"])
/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)
/core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
reload

      3) Try to access CLI - certificate CN=alias1 is exposed by server. Trust 'temporarily' to that certificate and try to read certificate in key-store:

      /subsystem=elytron/key-store=httpsKS/alias=alias1:read-attribute(name=certificate-chain)

      Certificate with CN=alias1 is displayed.

      4) Create new keystore with the same password and name but with different certificate and copy it again to standalone/configuration/ (it will replace original keystore):

      keytool -genkeypair -alias alias2 -keyalg RSA -keysize 1024 -validity 365 -keystore keystore2.jks -dname "CN=alias2" -keypass secret -storepass secret
cp keystore2.jks standalone/configuration/keystore.jks

      5) Read certificate in key-store again, original certificate is still provided: 

      /subsystem=elytron/key-store=httpsKS/alias=alias1:read-attribute(name=certificate-chain)

      6) Use load operation to re-reading keystore, the certificate (CN=alias2) is provided then - it is correct:

      /subsystem=elytron/key-store=httpsKS:load()
/subsystem=elytron/key-store=httpsKS/alias=alias2:read-attribute(name=certificate-chain)

      7) Quit CLI and try to access it again - original certificate (CN=alias1) is still incorrectly provided - it should use the new CN=alias2 certificate. When server is reloaded then the new certificate (CN=alias2) is provided correctly.

      Show
      1) Create keystore and copy it to standalone/configuration/ : keytool -genkeypair -alias alias1 -keyalg RSA -keysize 1024 -validity 365 -keystore keystore.jks -dname "CN=alias1" -keypass secret -storepass secret cp keystore.jks standalone/configuration/ 2) Create a key-store, key-manager, and server-ssl-context and enable HTTPS on the management interface: /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=[ "TLSv1.2" ]) /core-service=management/management- interface =http- interface :write-attribute(name=ssl-context, value=httpsSSC) /core-service=management/management- interface =http- interface :write-attribute(name=secure-socket-binding, value=management-https) reload 3) Try to access CLI - certificate CN=alias1 is exposed by server. Trust 'temporarily' to that certificate and try to read certificate in key-store: /subsystem=elytron/key-store=httpsKS/alias=alias1:read-attribute(name=certificate-chain) Certificate with CN=alias1 is displayed. 4) Create new keystore with the same password and name but with different certificate and copy it again to standalone/configuration/ (it will replace original keystore): keytool -genkeypair -alias alias2 -keyalg RSA -keysize 1024 -validity 365 -keystore keystore2.jks -dname "CN=alias2" -keypass secret -storepass secret cp keystore2.jks standalone/configuration/keystore.jks 5) Read certificate in key-store again, original certificate is still provided: /subsystem=elytron/key-store=httpsKS/alias=alias1:read-attribute(name=certificate-chain) 6) Use load operation to re-reading keystore, the certificate ( CN=alias2 ) is provided then - it is correct: /subsystem=elytron/key-store=httpsKS:load() /subsystem=elytron/key-store=httpsKS/alias=alias2:read-attribute(name=certificate-chain) 7) Quit CLI and try to access it again - original certificate ( CN=alias1 ) is still incorrectly provided - it should use the new CN=alias2 certificate . When server is reloaded then the new certificate ( CN=alias2 ) is provided correctly.

    Description

      When keystore (or cerficate in keystore) is changed during server runtime then CLI opertation load can be used for /subsystem=elytron/key-store=... to re-reading this keystore in server. However after calling this operation server still works with original keystore/certificate. Then CLI reads current keystore correctly, but in case when ssl-context which uses that key-store is used then original keystore is still used by server. Reload of server is required to correctly re-read the new keystore. See Steps to Reproduce for more details.

      We request blocker flag since this issue blocks RFE EAP7-455.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2671 CLI Opertation 'load' for Elytron key-store does not correctly re-read keystore

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. WFLY-8798 CLI Opertation 'load' for Elytron key-store does not change key used by management

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-10845 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta23

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              olukas Ondrej Lukas (Inactive)
              Martin Svehla Martin Svehla
              Martin Svehla Martin Svehla
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: