JBoss Enterprise Application Platform: JBEAP-27773

MP Reactive Messaging integration - MP Config defined by env vars is not properly taken into account to set the client SSL context


    Workaround Exists

      The test would pass if the environment variable name is set to the exact same literal that corresponds to the MP Config property value, i.e. mp.messaging.connector.smallrye-kafka.wildfly.elytron.ssl.context
    Steps to reproduce:
      • Clone the JBoss EAP XP 5 repo at https://github.com/jbossas/jboss-eap8
      • Check out the xp-5.0.x branch
      • Edit the microprofile-config.properties file used by the ReactiveMessagingKafkaSslTestCase.java test, commenting out the mp.messaging.outgoing.to-kafka.wildfly.elytron.ssl.context and mp.messaging.incoming.from-kafka.wildfly.elytron.ssl.context properties
      • Define the MP_MESSAGING_CONNECTOR_SMALLRYE_KAFKA_WILDFLY_ELYTRON_SSL_CONTEXT=kafka-ssl-test environment variable
      • Run the JBoss EAP XP 5 ReactiveMessagingKafkaSslTestCase

      EAP7-1664 provides a way to define a MicroProfile Config property holding the name of a client SSL context to be used by the Kafka connector when securely connecting to a Kafka/AMQ Streams instance, so that the connector can configure the related trust manager.

      Such configuration should work transparently even when the MicroProfile Config configuration is provided via environment variables, see https://github.com/eclipse/microprofile-config/blob/main/spec/src/main/asciidoc/configsources.asciidoc#environment-variables-mapping-rules and https://smallrye.io/smallrye-config/Main/config/environment-variables/#environment-variables.

      However, a test fails when the Kafka connector SSL context name is provided via the MP_MESSAGING_CONNECTOR_SMALLRYE_KAFKA_WILDFLY_ELYTRON_SSL_CONTEXT environment variable, most likely due to the scanning process done here: https://github.com/wildfly/wildfly/blob/main/microprofile/reactive-messaging-smallrye/common/src/main/java/org/wildfly/microprofile/reactive/messaging/common/security/BaseReactiveMessagingSslConfigProcessor.java#L60, resulting in a security exception:

      ...
      13:38:44,645 ERROR [io.smallrye.reactive.messaging.kafka] (smallrye-kafka-producer-thread-4) SRMSG18206: Unable to write to Kafka from channel sslto (topic: sslTesting): org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
      Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
      	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
      	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
      	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
      	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
      	at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
      	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.runDelegatedTasks(SslTransportLayer.java:435)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.handshakeUnwrap(SslTransportLayer.java:523)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.doHandshake(SslTransportLayer.java:373)
      	at org.apache.kafka.client//org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:293)
      	at org.apache.kafka.client//org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:178)
      	at org.apache.kafka.client//org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
      	at org.apache.kafka.client//org.apache.kafka.common.network.Selector.poll(Selector.java:481)
      	at org.apache.kafka.client//org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:585)
      	at org.apache.kafka.client//org.apache.kafka.clients.producer.internals.Sender.runOnce(Sender.java:349)
      	at org.apache.kafka.client//org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:252)
      	at java.base/java.lang.Thread.run(Thread.java:840)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      ...
      

      thus signaling that the trust store is not properly configured, although the Elytron subsystem configuration looks valid:

      ...
                  <tls>
                      <key-stores>
                          <key-store name="applicationKS">
                              <credential-reference clear-text="password"/>
                              <implementation type="JKS"/>
                              <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                          </key-store>
                          <key-store name="kafka-ssl-test">
                              <credential-reference clear-text="${env.KEYSTORE_PASSWORD:wont-work}"/>
                              <implementation type="PKCS12"/>
                              <file required="false" path="${env.KEYSTORE_PATH:/etc/secrets/ca.p12.WONT-WORK}"/>
                          </key-store>
                      </key-stores>
                      <key-managers>
                          <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                              <credential-reference clear-text="password"/>
                          </key-manager>
                      </key-managers>
                      <trust-managers>
                          <trust-manager name="kafka-ssl-test" key-store="kafka-ssl-test"/>
                      </trust-managers>
                      <server-ssl-contexts>
                          <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                      </server-ssl-contexts>
                      <client-ssl-contexts>
                          <client-ssl-context name="kafka-ssl-test" trust-manager="kafka-ssl-test"/>
                      </client-ssl-contexts>
                  </tls>
      ...
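The environment-variable mapping rules linked in the description, applied to the property from this report, as an added example (not code from the issue, from WildFly or from SmallRye). The `scan_literal` and `scan_normalized` functions are a hypothetical model of a property-name scan that matches the dotted suffix literally versus one that normalizes both sides first; they illustrate the kind of mismatch the report suspects and are assumptions, not the WildFly processor's code.

```python
import re
from typing import Dict, Iterable, List, Optional

# Property introduced for the Kafka connector (name taken from the report).
SSL_CONTEXT_PROPERTY = "mp.messaging.connector.smallrye-kafka.wildfly.elytron.ssl.context"
SSL_CONTEXT_SUFFIX = ".wildfly.elytron.ssl.context"


def sanitize(name: str) -> str:
    """MP Config rule: every character that is not a letter or digit becomes '_'."""
    return re.sub(r"[^A-Za-z0-9]", "_", name)


def env_var_candidates(property_name: str) -> List[str]:
    """The three names the spec's env-var mapping tries, in order:
    exact name, sanitized name, sanitized name upper-cased."""
    sanitized = sanitize(property_name)
    return [property_name, sanitized, sanitized.upper()]


def lookup(property_name: str, env: Dict[str, str]) -> Optional[str]:
    """Spec-conformant lookup of one property against an environment mapping."""
    for candidate in env_var_candidates(property_name):
        if candidate in env:
            return env[candidate]
    return None


def scan_literal(property_names: Iterable[str]) -> List[str]:
    """Hypothetical scan (assumption, not WildFly's code): keep every property
    whose name literally ends with the dotted suffix. An env-var spelled name
    never matches, so no SSL context is found and the handshake fails PKIX
    validation as in the report (a fail-closed outcome, not a silent downgrade)."""
    return [n for n in property_names if n.endswith(SSL_CONTEXT_SUFFIX)]


def scan_normalized(property_names: Iterable[str]) -> List[str]:
    """Same scan with both sides pushed through sanitize()+upper(), so the
    env-var spelling and the dotted spelling of a property compare equal."""
    suffix = sanitize(SSL_CONTEXT_SUFFIX).upper()
    return [n for n in property_names if sanitize(n).upper().endswith(suffix)]


# Constructed environments: the failing case from the report and its workaround.
ENV_UPPERCASE = {"MP_MESSAGING_CONNECTOR_SMALLRYE_KAFKA_WILDFLY_ELYTRON_SSL_CONTEXT": "kafka-ssl-test"}
ENV_WORKAROUND = {SSL_CONTEXT_PROPERTY: "kafka-ssl-test"}

if __name__ == "__main__":
    for label, env in (("uppercase env var", ENV_UPPERCASE), ("workaround", ENV_WORKAROUND)):
        print(f"{label}: lookup={lookup(SSL_CONTEXT_PROPERTY, env)!r} "
              f"literal={scan_literal(env)} normalized={scan_normalized(env)}")
```

The direct lookup resolves the value in both environments; only the literal-suffix scan distinguishes them, which is why naming the variable with the exact dotted literal works around the failure.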
      

              kkhan1@redhat.com Kabir Khan
              fburzigo Fabio Burzigotti