JBEAP-27773 (JBoss Enterprise Application Platform)

MP Reactive Messaging integration - MP Config defined by env vars is not properly taken into account to set the client SSL context

    Workaround Exists:

      The test would pass if the environment variable name is set to the exact same literal as the MP Config property name, i.e. mp.messaging.connector.smallrye-kafka.wildfly.elytron.ssl.context

    Steps to Reproduce:
      • Clone the JBoss EAP XP 5 repo at https://github.com/jbossas/jboss-eap8
      • Check out the xp-5.0.x branch
      • Edit the microprofile-config.properties file used by the ReactiveMessagingKafkaSslTestCase.java test, commenting out the mp.messaging.outgoing.to-kafka.wildfly.elytron.ssl.context and mp.messaging.incoming.from-kafka.wildfly.elytron.ssl.context properties
      • Define the MP_MESSAGING_CONNECTOR_SMALLRYE_KAFKA_WILDFLY_ELYTRON_SSL_CONTEXT=kafka-ssl-test environment variable
      • Run the JBoss EAP XP 5 ReactiveMessagingKafkaSslTestCase

      EAP7-1664 provides a way to define a MicroProfile Config property holding the name of a client SSL context to be used by the Kafka connector when securely connecting to a Kafka/AMQ Streams instance, for it to configure the related trust manager.

      Such configuration should work transparently even if the MicroProfile Config configuration is provided via environment variables, see https://github.com/eclipse/microprofile-config/blob/main/spec/src/main/asciidoc/configsources.asciidoc#environment-variables-mapping-rules and https://smallrye.io/smallrye-config/Main/config/environment-variables/#environment-variables

      However, a test fails when the Kafka connector SSL context name is provided via the MP_MESSAGING_CONNECTOR_SMALLRYE_KAFKA_WILDFLY_ELYTRON_SSL_CONTEXT environment variable, most likely because of the property-name scanning done here: https://github.com/wildfly/wildfly/blob/main/microprofile/reactive-messaging-smallrye/common/src/main/java/org/wildfly/microprofile/reactive/messaging/common/security/BaseReactiveMessagingSslConfigProcessor.java#L60. The configured client SSL context is never applied, and the connection fails with a security exception:

      ...
      13:38:44,645 ERROR [io.smallrye.reactive.messaging.kafka] (smallrye-kafka-producer-thread-4) SRMSG18206: Unable to write to Kafka from channel sslto (topic: sslTesting): org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
      Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
      	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:435)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:523)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:373)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:293)
      	at org.apache.kafka.client//org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
      	at org.apache.kafka.client//org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
      	at org.apache.kafka.client//org.apache.kafka.common.network.Selector.poll(Selector.java:481)
      	at org.apache.kafka.client//org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:585)
      	at org.apache.kafka.client//org.apache.kafka.clients.producer.internals.Sender.runOnce(Sender.java:349)
      	at org.apache.kafka.client//org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:252)
      	at java.base/java.lang.Thread.run(Thread.java:840)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      ...
      

      thus signaling that the trust store is not properly configured, although the Elytron subsystem configuration looks valid:

      ...
                  <tls>
                      <key-stores>
                          <key-store name="applicationKS">
                              <credential-reference clear-text="password"/>
                              <implementation type="JKS"/>
                              <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                          </key-store>
                          <key-store name="kafka-ssl-test">
                              <credential-reference clear-text="${env.KEYSTORE_PASSWORD:wont-work}"/>
                              <implementation type="PKCS12"/>
                              <file required="false" path="${env.KEYSTORE_PATH:/etc/secrets/ca.p12.WONT-WORK}"/>
                          </key-store>
                      </key-stores>
                      <key-managers>
                          <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                              <credential-reference clear-text="password"/>
                          </key-manager>
                      </key-managers>
                      <trust-managers>
                          <trust-manager name="kafka-ssl-test" key-store="kafka-ssl-test"/>
                      </trust-managers>
                      <server-ssl-contexts>
                          <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                      </server-ssl-contexts>
                      <client-ssl-contexts>
                          <client-ssl-context name="kafka-ssl-test" trust-manager="kafka-ssl-test"/>
                      </client-ssl-contexts>
                  </tls>
      ...
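The mapping rules referenced in the description, and the scanning failure the description suspects, modelled as an added example (this is not WildFly's or SmallRye's code; the scan functions are hypothetical stand-ins for the real processor, and the config names and environment values are constructed samples):

```python
import re

# MicroProfile Config maps a dotted property name onto environment variables by
# trying three candidate names in order: the exact name, the name with every
# character that is neither alphanumeric nor '_' replaced by '_', and that
# replacement upper-cased.
_NON_ALNUM = re.compile(r"[^A-Za-z0-9_]")

def env_candidates(prop_name):
    replaced = _NON_ALNUM.sub("_", prop_name)
    return [prop_name, replaced, replaced.upper()]

def env_lookup(prop_name, env):
    """Direct lookup of a known property name: this path honours the mapping."""
    for cand in env_candidates(prop_name):
        if cand in env:
            return env[cand]
    return None

SSL_CONTEXT_SUFFIX = ".wildfly.elytron.ssl.context"

def scan_literal(config_names):
    """Hypothetical scan that compares raw property names from every config
    source against the dotted suffix. A name that arrived as an environment
    variable never matches, so no Elytron SSL context gets applied."""
    return sorted(n for n in config_names if n.endswith(SSL_CONTEXT_SUFFIX))

def scan_mapped(config_names):
    """Same scan with the upper-case rule applied to both sides, so env-var
    shaped names match too. The mapped form is lossy ('-' and '.' both become
    '_'), so the channel/connector segment must be handled in mapped form."""
    mapped_suffix = env_candidates(SSL_CONTEXT_SUFFIX)[2]
    return sorted(n for n in config_names
                  if env_candidates(n)[2].endswith(mapped_suffix))

# Constructed sample: two dotted keys as they would come from
# microprofile-config.properties, the variable from the reproduction steps,
# and one unrelated variable.
SAMPLE_CONFIG_NAMES = [
    "mp.messaging.outgoing.to-kafka.bootstrap.servers",
    "mp.messaging.incoming.from-kafka.wildfly.elytron.ssl.context",
    "MP_MESSAGING_CONNECTOR_SMALLRYE_KAFKA_WILDFLY_ELYTRON_SSL_CONTEXT",
    "PATH",
]
SAMPLE_ENV = {
    "MP_MESSAGING_CONNECTOR_SMALLRYE_KAFKA_WILDFLY_ELYTRON_SSL_CONTEXT": "kafka-ssl-test",
    "PATH": "/usr/bin",
}
```

A direct `env_lookup` of the connector property finds `kafka-ssl-test`, while `scan_literal` over the same names only reports the dotted properties-file entry; `scan_mapped` reports both.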
      


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Moderate: JBoss EAP XP 5.0 Update 1.0 release. See references for release notes.), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2025:0542


            Peter Mackay added a comment - Verified with EAP XP 5.0.1.GA-CR1

            Tomas Hofman added a comment - Preliminary testing succeeded, no failures in XP testsuite including TCK.

              kkhan1@redhat.com Kabir Khan
              fburzigo@redhat.com Fabio Burzigotti