Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2009

Management SSL Configuration always requires Security Realm

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 3.0.0.Alpha13
    • None
    • None

    Description

      When configuring SSL/TLS for the management interfaces, you need to specify an (ssl-context or security-realm) and secure-socket-binding. When using ssl-context and secure-socket-binding, it fails with:

      "WFLYCTL0380: Attribute 'security-realm' needs to be set or passed before attribute 'secure-socket-binding' can be correctly set"
      

      failing operations:

      batch
      
      /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
      
      /subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
      
      /subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=["TLSv1.1"])
      
      /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)
      
      /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
      
      run-batch
      
      reload
      

      Oddly, this will pass (specifying BOTH ssl-context and security-realm):

      batch
      
      /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
      
      /subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
      
      /subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=["TLSv1.1"])
      
      /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=httpsSSC)
      
      /core-service=management/management-interface=http-interface:write-attribute(name=security-realm, value=ManagementDomain)
      
      /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
      
      run-batch
      
      reload
      

      Attachments

        Issue Links

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              zrhoads Zach Rhoads (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: