Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.ER1
Affects Version/s: 7.1.0.DR18
Component/s: Security
Labels:
- eap7.1-rfe-failure

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1335299
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly/wildfly-core/pull/2450
Steps to Reproduce:
Hide

Configure the JVM in FIPS mode

Configure default client ssl context

/subsystem=elytron/key-store=key-store:add(name=key-store, type=PKCS11, credential-reference={clear-text => pass123+}) /subsystem=elytron/trust-managers=trust-manager:add(name=trust-manager, key-store=key-store) /subsystem=elytron/client-ssl-context=client-ssl-context:add(cipher-suite-filter=TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA, trust-managers=trust-manager, protocols=[TLSv1.1]) /subsystem=elytron/authentication-context=authentication-context:add(match-rules=[{ssl-context => client-ssl-context}]) /subsystem=elytron:write-attribute(name=default-authentication-context,value=authentication-context) /:reload

Create a remote JMX connection within a deployed application:
JmxClientServlet.java

@Override public void doGet(HttpServletRequest request, final HttpServletResponse response) throws ServletException,IOException{ try { Map<String,String> environment = new HashMap<String,String>(); environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx"); JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999"); JMXConnectorFactory.connect(url, environment); print(response, "OK"); } catch( Exception e ) { print(response, "FAIL "+e); System.out.println("*** Error:"+e.getMessage()); e.printStackTrace(); } }
Show
Configure the JVM in FIPS mode Configure default client ssl context /subsystem=elytron/key-store=key-store:add(name=key-store, type=PKCS11, credential-reference={clear-text => pass123+}) /subsystem=elytron/trust-managers=trust-manager:add(name=trust-manager, key-store=key-store) /subsystem=elytron/client-ssl-context=client-ssl-context:add(cipher-suite-filter=TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA, trust-managers=trust-manager, protocols=[TLSv1.1]) /subsystem=elytron/authentication-context=authentication-context:add(match-rules=[{ssl-context => client-ssl-context}]) /subsystem=elytron:write-attribute(name= default -authentication-context,value=authentication-context) /:reload Create a remote JMX connection within a deployed application: JmxClientServlet.java @Override public void doGet(HttpServletRequest request, final HttpServletResponse response) throws ServletException,IOException{ try { Map< String , String > environment = new HashMap< String , String >(); environment.put( "jmx.remote.protocol.provider.pkgs" , "org.jboss.remotingjmx" ); JMXServiceURL url = new JMXServiceURL( "service:jmx:remoting-jmx: //localhost:9999" ); JMXConnectorFactory.connect(url, environment); print(response, "OK" ); } catch ( Exception e ) { print(response, "FAIL " +e); System .out.println( "*** Error:" +e.getMessage()); e.printStackTrace(); } }

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The JMX client fails to work when the JVM is running in FIPS mode.
There should be possible to configure client ssl context with Elytron. However doing so, still javax.net.ssl.SSLContext.getDefault() is called which fails with the following stacktrace:

server.log

10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Completed open of endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 1 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote)
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote': Remoting remote connection provider 42a0d0b7 for endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 2 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+tls)
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+tls': Remoting remote connection provider 7dc22d9b for endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 3 of endpoint "endpoint" <67ce59be> (opened Connection provider for remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remoting': Remoting remote connection provider 194d9579 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 4 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+http)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+http': Remoting remote connection provider 21f0cb0a for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 5 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+https)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+https': Remoting remote connection provider 27b862 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 6 of endpoint "endpoint" <67ce59be> (opened Connection provider for http-remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'http-remoting': Remoting remote connection provider 422cda30 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 7 of endpoint "endpoint" <67ce59be> (opened Connection provider for https-remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'https-remoting': Remoting remote connection provider 55cb3d77 for endpoint "endpoint" <67ce59be>
10:55:00,764 WARN  [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
10:55:00,764 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
10:55:00,764 WARN  [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
10:55:00,765 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
10:55:00,772 INFO  [stdout] (default task-1) *** Error:JBREM000212: Failed to configure SSL context
10:55:00,773 ERROR [stderr] (default task-1) java.io.IOException: JBREM000212: Failed to configure SSL context
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:497)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:487)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:241)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:158)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:105)
10:55:00,773 ERROR [stderr] (default task-1) 	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
10:55:00,773 ERROR [stderr] (default task-1) 	at com.redhat.eap.qe.fips.standalone.elytron.client.jmx.JmxClientServlet.doGet(JmxClientServlet.java:33)
10:55:00,773 ERROR [stderr] (default task-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
10:55:00,773 ERROR [stderr] (default task-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
10:55:00,773 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
10:55:00,774 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.lang.Thread.run(Thread.java:745)
10:55:00,776 ERROR [stderr] (default task-1) Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.security.Provider$Service.newInstance(Provider.java:1617)
10:55:00,776 ERROR [stderr] (default task-1) 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
10:55:00,776 ERROR [stderr] (default task-1) 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
10:55:00,777 ERROR [stderr] (default task-1) 	at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:183)
10:55:00,777 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:495)
10:55:00,777 ERROR [stderr] (default task-1) 	... 46 more
10:55:00,777 ERROR [stderr] (default task-1) Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
10:55:00,778 ERROR [stderr] (default task-1) 	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
10:55:00,778 ERROR [stderr] (default task-1) 	at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
10:55:00,778 ERROR [stderr] (default task-1) 	at java.security.Provider$Service.newInstance(Provider.java:1595)
10:55:00,778 ERROR [stderr] (default task-1) 	... 52 more

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

jmx-client-app.war
5 kB
2017/05/12 8:37 AM
TEST-com.redhat.eap.qe.fips.standalone.elytron.client.jmx.JmxClientTestCase.xml
217 kB
2017/05/12 8:23 AM

clones

JBEAP-4587 [GSS](7.0.z) remotingjmx client fails to work when the JVM is running in FIPS mode

Closed

is cloned by

REMJMX-142 Elytron, JMX client fails to work when the JVM is running in FIPS mode

Resolved

is incorporated by

JBEAP-11056 Upgrade Remoting JMX to 3.0.0.Beta5

Closed

JBEAP-11206 Upgrade Remoting JMX to 3.0.0.Beta6

Closed

Assignee:: Darran Lofthouse

Reporter:: Martin Choma

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2017/05/12 5:02 AM

Updated:: 2024/09/02 4:01 PM

Resolved:: 2017/06/03 5:09 AM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates