Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10691

[GSS](7.1.z) mutual authentication with SSL fails to work with the LDAP security-realm

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Blocker Blocker
    • None
    • 7.1.0.DR17
    • Management, Security
    • None

      I have configured the SSL realm as follows:

          <security-realms>
              <security-realm name="ldapSSL">
                <server-identities>
                  <ssl>
                    <keystore path="client.keystore" keystore-password="123456"></keystore>
                  </ssl>
                </server-identities>
                <authentication>
                  <truststore path="client.truststore" keystore-password="123456"></truststore>
                </authentication>
              </security-realm>
          </security-realms>
          <outbound-connections>
              <ldap name="ldap_connection" url="ldaps://localhost:8443" search-dn="cn=Directory Manager" search-credential="test1234" security-realm="ldapSSL"></ldap>
          </outbound-connections>
      

      However, when the JBoss management interface is configured to use the LDAP security-realm that uses the "ldapSSL" security-realm, mutual authentication fails between JBoss and LDAP which results in an authentication failure at the JBoss management interface.

      There are two different LDAP connections being made. It looks like different threads handle the different LDAP requests. Interestingly, the threads do not share the SSL session so the second request triggers another handshake and this is where things break. If you use the -Djavax.net.ssl.keyStore system property instead of the SSL security realm to configure the keystore, then you can see the different threads share the SSL session so there is only one handshake.

      Workaround: Do not use the security-realm to configure the keystore and truststore. Use the -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword and -Djavax.net.ssl.trustStore system properties.

              ppalaga Peter Palaga
              ppalaga Peter Palaga
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: