Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9030

JBoss CLI is not able to connect to interface secured by Elytron SASL factories with PLAIN mechanism

XMLWordPrintable

    • Hide

      These steps work correctly with EAP 7.1.0.DR11, but fail with EAP 7.1.0.DR12:
      1) Add user - add following line to standalone/configuration/mgmt-users.properties

      user1=pass@123

      2) Configure application server:

      /subsystem=elytron/sasl-authentication-factory=elytronSaslAuthnFactory:add(security-domain=ManagementDomain,sasl-server-factory=global,mechanism-configurations=[{mechanism-name=PLAIN}])
/subsystem=elytron/properties-realm=ManagementRealm:write-attribute(name=users-properties.plain-text,value=true)

      3) Change http-interface to following:

      <http-interface http-authentication-factory="management-http-authentication">
    <http-upgrade enabled="true" sasl-authentication-factory="elytronSaslAuthnFactory"/>
    <socket-binding http="management-http"/>
</http-interface>

      4) try to authenticate to jboss CLI:

      ./jboss-cli.sh -c -u=user1 -p=pass@123 --no-local-auth
Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 25b770fb to localhost/127.0.0.1:9990 of endpoint "cli-client" <5a992706>
      Show
      These steps work correctly with EAP 7.1.0.DR11, but fail with EAP 7.1.0.DR12: 1) Add user - add following line to standalone/configuration/mgmt-users.properties user1=pass@123 2) Configure application server: /subsystem=elytron/sasl-authentication-factory=elytronSaslAuthnFactory:add(security-domain=ManagementDomain,sasl-server-factory=global,mechanism-configurations=[{mechanism-name=PLAIN}]) /subsystem=elytron/properties-realm=ManagementRealm:write-attribute(name=users-properties.plain-text,value= true ) 3) Change http-interface to following: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "elytronSaslAuthnFactory" /> <socket-binding http= "management-http" /> </http- interface > 4) try to authenticate to jboss CLI: ./jboss-cli.sh -c -u=user1 -p=pass@123 --no-local-auth Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http: //localhost:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 25b770fb to localhost/127.0.0.1:9990 of endpoint "cli-client" <5a992706>

      In case when PLAIN mechanism is used for Elytron SASL factories used by any of management-interfaces then JBoss CLI is not able to connect to the server. This issue happens with http-interface as well as native-interface. See Steps to Reproduce for more details.

      This feature works correctly in EAP 7.1.0.DR11.

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: