
[7.1] Migration - Add an option to always send the server's SSL certificate to an LDAP server


I have configured the SSL realm as follows:

    <security-realms>
        <security-realm name="ldapSSL">
            <server-identities>
                <ssl>
                    <keystore path="client.keystore" keystore-password="123456"></keystore>
                </ssl>
            </server-identities>
            <authentication>
                <truststore path="client.truststore" keystore-password="123456"></truststore>
            </authentication>
        </security-realm>
    </security-realms>
    <outbound-connections>
        <ldap name="ldap_connection" url="ldaps://localhost:8443" search-dn="cn=Directory Manager" search-credential="test1234" security-realm="ldapSSL"></ldap>
    </outbound-connections>

However, when the JBoss management interface is configured to use the LDAP security-realm that uses the "ldapSSL" security-realm, mutual authentication fails between JBoss and LDAP, which results in an authentication failure at the JBoss management interface.

There are two different LDAP connections being made. It looks like different threads handle the different LDAP requests. Interestingly, the threads do not share the SSL session, so the second request triggers another handshake and this is where things break. If you use the -Djavax.net.ssl.keyStore system property instead of the SSL security realm to configure the keystore, then you can see the different threads share the SSL session, so there is only one handshake.

Workaround: Do not use the security-realm to configure the keystore and truststore. Use the -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword and -Djavax.net.ssl.trustStore system properties.
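An added configuration check, not part of this issue or of EAP itself, that scans a management configuration for the affected pattern: ldaps:// outbound connections whose client certificate is taken from a security-realm keystore rather than from the javax.net.ssl system properties. The fragment is constructed after the one above; the namespace, the extra realms and connections, and the paths are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragment modelled on the one in the issue (not a real deployment).
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:5.0"><management>
 <security-realms>
  <security-realm name="ldapSSL">
   <server-identities><ssl><keystore path="client.keystore" keystore-password="123456"/></ssl></server-identities>
   <authentication><truststore path="client.truststore" keystore-password="123456"/></authentication>
  </security-realm>
  <security-realm name="trustOnly">
   <authentication><truststore path="ca.truststore" keystore-password="x"/></authentication>
  </security-realm>
 </security-realms>
 <outbound-connections>
  <ldap name="ldap_connection" url="ldaps://localhost:8443" search-dn="cn=Directory Manager"
        search-credential="test1234" security-realm="ldapSSL"/>
  <ldap name="ldap_plain" url="ldap://localhost:389" search-dn="cn=x" search-credential="y"/>
  <ldap name="ldap_trust" url="ldaps://ldap.example:636" search-dn="cn=x" search-credential="y"
        security-realm="trustOnly"/>
 </outbound-connections>
</management></server>"""


def _local(tag):
    # Drop the xmlns part ({urn:jboss:domain:5.0}ldap -> ldap) so namespaced configs match too.
    return tag.rsplit('}', 1)[-1]


def realms_with_client_keystore(root):
    """Map realm name -> keystore path for realms whose <server-identities><ssl> has a keystore."""
    found = {}
    for realm in (e for e in root.iter() if _local(e.tag) == 'security-realm'):
        for si in (e for e in realm if _local(e.tag) == 'server-identities'):
            for ssl in (e for e in si if _local(e.tag) == 'ssl'):
                for ks in (e for e in ssl if _local(e.tag) == 'keystore'):
                    found[realm.get('name')] = ks.get('path')
    return found


def affected_ldap_connections(config_xml):
    """Names of ldaps:// outbound connections whose client cert comes from a realm keystore."""
    root = ET.fromstring(config_xml)
    risky = realms_with_client_keystore(root)
    # <ldap> elements under <authentication> carry no url attribute, so they drop out here.
    return [c.get('name') for c in root.iter()
            if _local(c.tag) == 'ldap'
            and (c.get('url') or '').lower().startswith('ldaps://')
            and c.get('security-realm') in risky]


if __name__ == '__main__':
    for name in affected_ldap_connections(SAMPLE_CONFIG):
        print(f"{name}: client keystore comes from a security-realm; see JBEAP-12090 workaround")
```

Only `ldap_connection` is reported: the plain ldap:// connection never handshakes, and `trustOnly` carries no client keystore, so neither depends on the per-thread session behaviour described above.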
