Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10982

JBoss CLI run with IBM JDK is not able to use secure connection when server uses Elytron ssl-context

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.1.0.ER1
    • 7.1.0.DR18
    • CLI, Security
    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • Hide

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'
      

      2) generate server keystore and client truststore (generate them with IBM JDK):

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
      keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
      keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
      

      3) Setup ssl-context in Elytron subsystem in application server:

        <tls>
          <key-stores>
            <key-store name="elytronHttpsKS" type="JKS">
              <file path="/PATH/TO/GENERATED/server.keystore.jks"/>
              <credential-reference clear-text="secret"/>
            </key-store>
          </key-stores>
          <key-managers>
            <key-manager name="elytronHttpsKM" key-store="elytronHttpsKS">
              <credential-reference clear-text="secret"/>
            </key-manager>
          </key-managers>
          <server-ssl-contexts>
            <server-ssl-context key-managers="elytronHttpsKM" name="elytronHttpsSSC" protocols="TLSv1.2"/>
          </server-ssl-contexts>
        </tls>
      

      4) Configure http interface to use Elytron authentication and ssl-context:

      <http-interface security-realm="ManagementRealm" ssl-context="elytronHttpsSSC">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http" https="management-https"/>
      </http-interface>
      

      5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there:

      <ssl>	
        <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store>
        <trust-store-password>secret</trust-store-password>
        <modify-trust-store>true</modify-trust-store>
      </ssl> 
      

      6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      

      It will fail with:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException
      

      7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      
      Show
      1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate server keystore and client truststore (generate them with IBM JDK): keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer 3) Setup ssl-context in Elytron subsystem in application server: <tls> <key-stores> <key-store name= "elytronHttpsKS" type= "JKS" > <file path= "/PATH/TO/GENERATED/server.keystore.jks" /> <credential-reference clear-text= "secret" /> </key-store> </key-stores> <key-managers> <key-manager name= "elytronHttpsKM" key-store= "elytronHttpsKS" > <credential-reference clear-text= "secret" /> </key-manager> </key-managers> <server-ssl-contexts> <server-ssl-context key-managers= "elytronHttpsKM" name= "elytronHttpsSSC" protocols= "TLSv1.2" /> </server-ssl-contexts> </tls> 4) Configure http interface to use Elytron authentication and ssl-context: <http- interface security-realm= "ManagementRealm" ssl-context= "elytronHttpsSSC" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there: <ssl> <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store> <trust-store-password>secret</trust-store-password> <modify-trust-store> true </modify-trust-store> </ssl> 6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123 It will fail with: Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https: //localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException 7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123

      In case SSL through Elytron ssl-context is configured for management interface then JBoss CLI is not able to authenticate when it is run with IBM JDK.

      It works correctly when

      • Legacy SSL is used instead of Elytron ssl-context
      • or non-IBM JDK is used for JBoss CLI
      • or only authentication without SSL is used

      It fails for http-interface as well as native-interface.

      When different client is used for connection to management interface (I tried it with ModelControllerClient) then authentication and SSL works correctly.

      For http-interface following output of CLI is print:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException
      

      For native-interface following output of CLI is print:

      Failed to connect to the controller: Unable to negotiate SSL connection with controller at localhost:9999
      

      This issues is reported in EAP 7.1.0.DR18 because previous versions have not been able to start application server with IBM JDK. We request blocker since IBM JDK is supported and missing ability to connect to application server with secured connection blocks RFE EAP7-628.

              jdenise@redhat.com Jean Francois Denise
              olukas Ondrej Lukas (Inactive)
              Martin Svehla Martin Svehla
              Martin Svehla Martin Svehla
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: