Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR16
Affects Version/s: 7.1.0.DR8
Component/s: Management, Security
Labels:
- authentication
- http
- ssl

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Release Note Status:
Not Required
Target Release:

7.1.0.GA
Steps to Reproduce:
Hide

1) generate keystore:

keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v

2) add legacy security realm to standalone-elytron.xml:

<security-realm name="ManagementRealmHTTPS"> <server-identities> <ssl> <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1" alias="appserver"/> </ssl> </server-identities> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" plain-text="true"/> </authentication> <authorization> <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/> </authorization> </security-realm>

3) set up http-interface:

<http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS"> <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/> <socket-binding http="management-http" https="management-https"/> </http-interface>

4) try to start server -> it will fail
5) add user admin to mgmt-users.properties in jboss.server.config.dir and remove http-authentication-factory="management-http-authentication" from http-interface (which means that legacy solution will be used)
6) start server and try to login to secured management console -> it will pass
Show
1) generate keystore: keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v 2) add legacy security realm to standalone-elytron.xml: <security-realm name= "ManagementRealmHTTPS" > <server-identities> <ssl> <keystore path= "identity.jks" relative-to= "jboss.server.config.dir" keystore-password= "password1" alias= "appserver" /> </ssl> </server-identities> <authentication> <properties path= "mgmt-users.properties" relative-to= "jboss.server.config.dir" plain-text= " true " /> </authentication> <authorization> <properties path= "mgmt-groups.properties" relative-to= "jboss.server.config.dir" /> </authorization> </security-realm> 3) set up http-interface: <http- interface http-authentication-factory= "management-http-authentication" security-realm= "ManagementRealmHTTPS" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 4) try to start server -> it will fail 5) add user admin to mgmt-users.properties in jboss.server.config.dir and remove http-authentication-factory="management-http-authentication" from http-interface (which means that legacy solution will be used) 6) start server and try to login to secured management console -> it will pass

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

In case when legacy security-realm for SSL is used together with Elytron authentication in HTTP management interface then server is not started.

I am using following configuration for HTTP management interface (see Steps to Reproduce for more details):

<http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http" https="management-https"/>
</http-interface>

Server is not started and following errors occur in log:

ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
	at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:330)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1963)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1896)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided.
	at org.jboss.as.domain.http.server.ManagementHttpServer.getSSLContext(ManagementHttpServer.java:225)
	at org.jboss.as.domain.http.server.ManagementHttpServer.create(ManagementHttpServer.java:254)
	at org.jboss.as.domain.http.server.ManagementHttpServer.access$2400(ManagementHttpServer.java:107)
	at org.jboss.as.domain.http.server.ManagementHttpServer$Builder.build(ManagementHttpServer.java:589)
	at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:292)
	... 5 more

and

ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]) - failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
    Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided."},
    "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.management.http.extensible"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
}
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]) - failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
    Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided."},
    "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.management.http.extensible"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
}

According to comments in EAP7-545 Analysis document [1], when security-realm and http-authentication-factory are specified but no ssl-context is used then it should lead to use legacy security-realm for SSL configuration and http-authentication-factory for authentication.

[1] https://docs.google.com/document/d/1LsS-CGUJSDwGcFUva0g-BF9ZIq0jwx__1e_oJiSEGwI/edit#

is cloned by

WFCORE-2163 Server does not start when Elytron authentication + legacy SSL is used in HTTP management interface

Resolved

is incorporated by

JBEAP-9571 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta13

Closed

Assignee:: Emmanuel Hugonnet

Reporter:: Ondrej Lukas (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2016/11/21 10:47 AM

Updated:: 2024/09/13 4:14 PM

Resolved:: 2017/03/24 5:02 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates