- Bug
- Resolution: Won't Do
- Major
- None
- 7.0.0.ER2 (Beta)
I have configured the SSL realm as follows:
<security-realms>
    <security-realm name="ldapSSL">
        <server-identities>
            <ssl>
                <keystore path="client.keystore" keystore-password="123456"></keystore>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="client.truststore" keystore-password="123456"></truststore>
        </authentication>
    </security-realm>
</security-realms>
<outbound-connections>
    <ldap name="ldap_connection" url="ldaps://localhost:8443" search-dn="cn=Directory Manager" search-credential="test1234" security-realm="ldapSSL"></ldap>
</outbound-connections>
However, when the JBoss management interface is configured to use an LDAP security realm whose outbound connection references the "ldapSSL" security-realm, mutual authentication between JBoss and LDAP fails, which results in an authentication failure at the JBoss management interface.
There are two different LDAP connections being made. It looks like different threads handle the different LDAP requests. Interestingly, the threads do not share the SSL session, so the second request triggers another handshake, and this is where things break. If you use the -Djavax.net.ssl.keyStore system property instead of the SSL security realm to configure the keystore, you can see that the different threads share the SSL session, so there is only one handshake.
Workaround: Do not use the security-realm to configure the keystore and truststore. Use the -Djavax.net.ssl.keyStore, -Djavax.net.ssl.keyStorePassword and -Djavax.net.ssl.trustStore system properties.
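For builds that include the option tracked in the linked WFCORE-2647, the outbound connection can be told to present the client certificate on every LDAP connection, so the second connection no longer depends on resuming the SSL session from the first thread. This is an added example, not configuration from the report or from the EAP project: it assumes the `always-send-client-cert` attribute added by that fix is available in the version in use, and the "ManagementRealmLdap" realm, its base-dn and the "uid" attribute are constructed placeholders; the keystore paths and passwords are the reporter's own placeholders.

```xml
<security-realms>
    <!-- Holds the client certificate (keystore) presented to LDAP and the CA chain
         (truststore) used to verify the LDAP server certificate. -->
    <security-realm name="ldapSSL">
        <server-identities>
            <ssl>
                <keystore path="client.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
        </authentication>
    </security-realm>
    <!-- Constructed realm for the management interface: users are looked up in LDAP
         over the outbound connection below, which is what triggers the second
         LDAP connection described in the report. -->
    <security-realm name="ManagementRealmLdap">
        <authentication>
            <ldap connection="ldap_connection" base-dn="ou=People,dc=example,dc=com">
                <username-filter attribute="uid"/>
            </ldap>
        </authentication>
    </security-realm>
</security-realms>
<outbound-connections>
    <!-- always-send-client-cert (assumed present; the option added by WFCORE-2647)
         makes every new LDAP connection, whichever thread opens it, present the
         client certificate instead of relying on a resumed SSL session. -->
    <ldap name="ldap_connection" url="ldaps://localhost:8443"
          search-dn="cn=Directory Manager" search-credential="test1234"
          security-realm="ldapSSL" always-send-client-cert="true"/>
</outbound-connections>
```

On a version without that attribute the reporter's workaround still applies: set the javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword and javax.net.ssl.trustStore properties in JAVA_OPTS (for example in bin/standalone.conf) so all threads use the JVM-default SSL context.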
- blocks: JBEAP-10707 [GSS](7.0.z) Integration test for WFCORE-2647 Add an option to always send the client SSL certificate to LDAP server (Pull Request Sent)
- clones: JBEAP-10691 [GSS](7.1.z) mutual authentication with SSL fails to work with the LDAP security-realm (Closed)
- is blocked by: WFCORE-2647 Add an option to always send the client SSL certificate to LDAP server (Resolved)
- is blocked by: WFLY-8631 Integration test for WFCORE-2647 Add an option to always send the client SSL certificate to LDAP server (Closed)