Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.3.3.CR1, 7.3.3.GA
Affects Version/s: 7.3.1.GA
Component/s: Security
Labels:
None

QE Test Coverage:
+
Target Release:

7.3.z.GA
Workaround:

Workaround Exists
Workaround Description:

Hide

Use the new elytron configuration for the ssl.

Show
Use the new elytron configuration for the ssl.
Git Pull Request:
https://github.com/jbossas/wildfly-core-eap/pull/905
Steps to Reproduce:
Hide

Create a certificate for the server and copy default trust-store in the conf directory:

cd ${JBOSS_HOME}/bin keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore ../standalone/configuration/keystore.jks -dname "CN=localhost" -storepass secret -ext san=dns:localhost,ip:127.0.0.1 cp ${JAVA_HOME}/jre/lib/security/cacerts ../standalone/configuration/cacerts

Configure an old certificate realm and configure it in the https listener:

/core-service=management/security-realm=CertificateRealm:add() /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias="localhost", keystore-relative-to=jboss.server.config.dir, keystore-path="keystore.jks", keystore-password=secret) /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-relative-to=jboss.server.config.dir, keystore-path="cacerts", keystore-password=changeit) batch /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=ssl-context) /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value="CertificateRealm") run-batch

Using openjdk create a properties issue.policy file that overrides default factories:

ssl.KeyManagerFactory.algorithm=NewSunX509 ssl.TrustManagerFactory.algorithm=SunPKIX

Modify standalone.conf to add that security file as override:

JAVA_OPTS="$JAVA_OPTS -Djava.security.properties=issue.policy"

Start the server and see the error:

./standalone.sh ... 11:29:38,429 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:113) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363) at java.lang.Thread.run(Thread.java:748) Caused by: java.security.NoSuchAlgorithmException: NewSunX509 TrustManagerFactory not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) at javax.net.ssl.TrustManagerFactory.getInstance(TrustManagerFactory.java:139) at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:111) ... 8 more
Show
Create a certificate for the server and copy default trust-store in the conf directory: cd ${JBOSS_HOME}/bin keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore ../standalone/configuration/keystore.jks -dname "CN=localhost" -storepass secret -ext san=dns:localhost,ip:127.0.0.1 cp ${JAVA_HOME}/jre/lib/security/cacerts ../standalone/configuration/cacerts Configure an old certificate realm and configure it in the https listener: /core-service=management/security-realm=CertificateRealm:add() /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias= "localhost" , keystore-relative-to=jboss.server.config.dir, keystore-path= "keystore.jks" , keystore-password=secret) /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-relative-to=jboss.server.config.dir, keystore-path= "cacerts" , keystore-password=changeit) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=ssl-context) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=security-realm, value= "CertificateRealm" ) run-batch Using openjdk create a properties issue.policy file that overrides default factories: ssl.KeyManagerFactory.algorithm=NewSunX509 ssl.TrustManagerFactory.algorithm=SunPKIX Modify standalone.conf to add that security file as override: JAVA_OPTS= "$JAVA_OPTS -Djava.security.properties=issue.policy" Start the server and see the error: ./standalone.sh ... 11:29:38,429 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:113) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363) at java.lang. Thread .run( Thread .java:748) Caused by: java.security.NoSuchAlgorithmException: NewSunX509 TrustManagerFactory not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) at javax.net.ssl.TrustManagerFactory.getInstance(TrustManagerFactory.java:139) at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:111) ... 8 more

SFDC Cases Counter:
SFDC Cases Links:

Description

When configuring https using the old security-realm the trust-manager factory is selected using the line:

            trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

Which is incorrect and should use the TrustManagerFactory. Therefore by default in openjdk we are using the SunX509 factory instead of the default PKIX implementation. The default values for both factories are defined in the java.security file from the jdk:

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX

Using a exotic configuration can lead to an error if the KeyManagerFactory is configured to an algorithm that is not valid for the TrustManagerFactory (NewSunX509 for example).

Attachments

Issue Links

clones

WFCORE-5064 Incorrect use of KeyManagerFactory.getDefaultAlgorithm instead of TrustManagerFactory

Closed

Activity

People

Assignee:: Ricardo Martin Camarero

Reporter:: Ricardo Martin Camarero

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2020/07/27 6:10 AM

Updated:: 2021/10/24 5:50 AM

Resolved:: 2020/08/07 6:00 AM