Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Optional
Fix Version/s: 7.1.3.CR1, 7.1.3.GA
Affects Version/s: 7.0.0.DR8
Component/s: Security
Labels:
None

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Fix Build:
CR1
Target Release:

7.1.z.GA
Git Pull Request:
https://github.com/jboss-remoting/jboss-remoting/pull/166
Steps to Reproduce:

Hide

1) Configure EAP7 to use IPV6. https://docs.jboss.org/author/display/WFLY8/Interfaces+and+ports

2) Generate remote.keytab with principal remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG

3) Configure security realm with IPv6 address [2620:52:0:2804:56ee:75ff:fe34:630e]

<security-realm name=""TestKerberosRealm"">
<server-identities>
<kerberos>
<keytab principal=""remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG"" path=""remote.keytab"" relative-to=""jboss.server.config.dir"" debug=""true""/>
</kerberos>
</server-identities>
<authentication>
<kerberos/>
</authentication>
</security-realm>

4) Use this realm for securing CLI

<management-interfaces>
<http-interface security-realm=""TestKerberosRealm"" http-upgrade-enabled=""true"">
<socket-binding http=""management-http""/>
</http-interface>
</management-interfaces>

5) Try CLI
./jboss-cli.sh -Djavax.security.auth.useSubjectCredsOnly=false --controller=http-remoting://[2620:52:0:2804:56ee:75ff:fe34:630e]:9990

EAP generates TGS-REQ for remote/2620:52:0:2804:56ee:75ff:fe34:630e.

Show
1) Configure EAP7 to use IPV6. https://docs.jboss.org/author/display/WFLY8/Interfaces+and+ports 2) Generate remote.keytab with principal remote/ [2620:52:0:2804:56ee:75ff:fe34:630e] @JBOSS.ORG 3) Configure security realm with IPv6 address [2620:52:0:2804:56ee:75ff:fe34:630e] <security-realm name=""TestKerberosRealm""> <server-identities> <kerberos> <keytab principal=""remote/ [2620:52:0:2804:56ee:75ff:fe34:630e] @JBOSS.ORG"" path=""remote.keytab"" relative-to=""jboss.server.config.dir"" debug=""true""/> </kerberos> </server-identities> <authentication> <kerberos/> </authentication> </security-realm> 4) Use this realm for securing CLI <management-interfaces> <http-interface security-realm=""TestKerberosRealm"" http-upgrade-enabled=""true""> <socket-binding http=""management-http""/> </http-interface> </management-interfaces> 5) Try CLI ./jboss-cli.sh -Djavax.security.auth.useSubjectCredsOnly=false --controller=http-remoting:// [2620:52:0:2804:56ee:75ff:fe34:630e] :9990 EAP generates TGS-REQ for remote/2620:52:0:2804:56ee:75ff:fe34:630e.

Sprint:
EAP 7.1.3

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When kerberos in realm is configured to use IPv6 address with square brackets, eg. [2620:52:0:2804:56ee:75ff:fe34:630e], EAP generates TGS-REQ for remote/2620:52:0:2804:56ee:75ff:fe34:630e instead of remote/[2620:52:0:2804:56ee:75ff:fe34:630e]. It cause failures when remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG is used in keytab.

This happens when such realm secures CLI or EJB remoting. It doesnt happen when used for securing management console."

clones

REM3-324 Use [] IPV6 adress in XConnectionOpenListener as server name

Resolved

is cloned by

WFCORE-897 IPv6 address in security realm using Kerberos

Resolved

is incorporated by

JBEAP-14450 (7.1.z) Upgrade JBoss Remoting from 5.0.5.Final to 5.0.7.Final

Closed

Assignee:: Bartosz Baranowski

Reporter:: Martin Choma

Tester:: Daniel Cihak

QA Contact:: Daniel Cihak

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2015/08/20 9:19 AM

Updated:: 2021/10/24 5:58 AM

Resolved:: 2018/05/14 3:48 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates