Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-7428

Server does not start when Elytron authentication + legacy SSL is used in HTTP management interface

    XMLWordPrintable

Details

    • Not Required
    • Hide

      1) generate keystore:

      keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v

      2) add legacy security realm to standalone-elytron.xml:

      <security-realm name="ManagementRealmHTTPS">
    <server-identities>
        <ssl>
            <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1" alias="appserver"/>
        </ssl>
    </server-identities>
    <authentication>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" plain-text="true"/>
    </authentication>
    <authorization>
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

      3) set up http-interface:

      <http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http" https="management-https"/>
</http-interface>

      4) try to start server -> it will fail
      5) add user admin to mgmt-users.properties in jboss.server.config.dir and remove http-authentication-factory="management-http-authentication" from http-interface (which means that legacy solution will be used)
      6) start server and try to login to secured management console -> it will pass

      Show
      1) generate keystore: keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v 2) add legacy security realm to standalone-elytron.xml: <security-realm name= "ManagementRealmHTTPS" > <server-identities> <ssl> <keystore path= "identity.jks" relative-to= "jboss.server.config.dir" keystore-password= "password1" alias= "appserver" /> </ssl> </server-identities> <authentication> <properties path= "mgmt-users.properties" relative-to= "jboss.server.config.dir" plain-text= " true " /> </authentication> <authorization> <properties path= "mgmt-groups.properties" relative-to= "jboss.server.config.dir" /> </authorization> </security-realm> 3) set up http-interface: <http- interface http-authentication-factory= "management-http-authentication" security-realm= "ManagementRealmHTTPS" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 4) try to start server -> it will fail 5) add user admin to mgmt-users.properties in jboss.server.config.dir and remove http-authentication-factory="management-http-authentication" from http-interface (which means that legacy solution will be used) 6) start server and try to login to secured management console -> it will pass

    Description

      In case when legacy security-realm for SSL is used together with Elytron authentication in HTTP management interface then server is not started.

      I am using following configuration for HTTP management interface (see Steps to Reproduce for more details):

      <http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http" https="management-https"/>
</http-interface>

      Server is not started and following errors occur in log:

      ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
	at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:330)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1963)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1896)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided.
	at org.jboss.as.domain.http.server.ManagementHttpServer.getSSLContext(ManagementHttpServer.java:225)
	at org.jboss.as.domain.http.server.ManagementHttpServer.create(ManagementHttpServer.java:254)
	at org.jboss.as.domain.http.server.ManagementHttpServer.access$2400(ManagementHttpServer.java:107)
	at org.jboss.as.domain.http.server.ManagementHttpServer$Builder.build(ManagementHttpServer.java:589)
	at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:292)
	... 5 more

      and 

      ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]) - failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
    Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided."},
    "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.management.http.extensible"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
}
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]) - failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
    Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided."},
    "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.management.http.extensible"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
}

      According to comments in EAP7-545 Analysis document [1], when security-realm and http-authentication-factory are specified but no ssl-context is used then it should lead to use legacy security-realm for SSL configuration and http-authentication-factory for authentication.

      [1] https://docs.google.com/document/d/1LsS-CGUJSDwGcFUva0g-BF9ZIq0jwx__1e_oJiSEGwI/edit#

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2163 Server does not start when Elytron authentication + legacy SSL is used in HTTP management interface

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-9571 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta13

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              ehugonne1@redhat.com Emmanuel Hugonnet
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: