WildFly Core / WFCORE-2163

Server does not start when Elytron authentication + legacy SSL is used in HTTP management interface


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 3.0.0.Beta11
    • Component: Security

      Steps to Reproduce:

      1) generate keystore:

      keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v
      

      2) add legacy security realm to standalone-elytron.xml:

      <security-realm name="ManagementRealmHTTPS">
          <server-identities>
              <ssl>
                  <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1" alias="appserver"/>
              </ssl>
          </server-identities>
          <authentication>
              <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" plain-text="true"/>
          </authentication>
          <authorization>
              <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
          </authorization>
      </security-realm>
      

      3) set up http-interface:

      <http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http" https="management-https"/>
      </http-interface>
      

      4) try to start the server -> it will fail
      5) add user admin to mgmt-users.properties in jboss.server.config.dir and remove http-authentication-factory="management-http-authentication" from http-interface (which means the legacy solution will be used)
      6) start the server and try to log in to the secured management console -> it will pass


      Description:

      When a legacy security-realm is used for SSL together with Elytron authentication in the HTTP management interface, the server does not start.

      I am using the following configuration for the HTTP management interface (see Steps to Reproduce for more details):

      <http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http" https="management-https"/>
      </http-interface>
      

      The server does not start and the following errors occur in the log:

      ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
      	at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:330)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1963)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1896)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided.
      	at org.jboss.as.domain.http.server.ManagementHttpServer.getSSLContext(ManagementHttpServer.java:225)
      	at org.jboss.as.domain.http.server.ManagementHttpServer.create(ManagementHttpServer.java:254)
      	at org.jboss.as.domain.http.server.ManagementHttpServer.access$2400(ManagementHttpServer.java:107)
      	at org.jboss.as.domain.http.server.ManagementHttpServer$Builder.build(ManagementHttpServer.java:589)
      	at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:292)
      	... 5 more
      

      and

      ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("core-service" => "management"),
          ("management-interface" => "http-interface")
      ]) - failure description: {
          "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
          Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided."},
          "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.management.http.extensible"],
          "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
      }
      ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("core-service" => "management"),
          ("management-interface" => "http-interface")
      ]) - failure description: {
          "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: WFLYSRV0083: Failed to start the http-interface service
          Caused by: java.lang.IllegalStateException: WFLYDMHTTP0015: No SecurityRealm or SSLContext has been provided."},
          "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.management.http.extensible"],
          "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
      }
      

      According to the comments in the EAP7-545 Analysis document [1], when security-realm and http-authentication-factory are specified but no ssl-context is used, the legacy security-realm should be used for the SSL configuration and the http-authentication-factory for authentication.

      [1] https://docs.google.com/document/d/1LsS-CGUJSDwGcFUva0g-BF9ZIq0jwx__1e_oJiSEGwI/edit#
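The following is an added configuration check, not part of the WildFly project or of this report: it reads the <management> section of a standalone XML and reports whether TLS and authentication for the http-interface come from the Elytron attributes (ssl-context, http-authentication-factory) or from the referenced legacy security-realm, applying the precedence described above (Elytron attribute when present, legacy realm otherwise). It also flags the case the boot error WFLYDMHTTP0015 reports, an https socket-binding with no TLS source at all, so an operator can tell that failure apart from the mixed legacy-TLS/Elytron-auth combination this issue is about. The sample XML is constructed from the snippets in this issue with the urn:jboss:domain namespace omitted; the classification names and the check logic are the example's own.

```python
"""Classify where a WildFly http-interface gets TLS and authentication from."""
import xml.etree.ElementTree as ET

# Constructed sample built from the realm and http-interface in this issue,
# embedded in a minimal <management> element (no namespace, for brevity).
SAMPLE_XML = """
<management>
  <security-realms>
    <security-realm name="ManagementRealm">
      <authentication>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
    </security-realm>
    <security-realm name="ManagementRealmHTTPS">
      <server-identities>
        <ssl>
          <keystore path="identity.jks" relative-to="jboss.server.config.dir"
                    keystore-password="password1" alias="appserver"/>
        </ssl>
      </server-identities>
      <authentication>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" plain-text="true"/>
      </authentication>
    </security-realm>
  </security-realms>
  <management-interfaces>
    <http-interface http-authentication-factory="management-http-authentication"
                    security-realm="ManagementRealmHTTPS">
      <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
      <socket-binding http="management-http" https="management-https"/>
    </http-interface>
  </management-interfaces>
</management>
"""


def _find_realm(root, name):
    """Return the <security-realm> element called `name`, or None."""
    for realm in root.iterfind("./security-realms/security-realm"):
        if realm.get("name") == name:
            return realm
    return None


def classify_http_interface(xml_text):
    """Return a dict with tls_source, auth_source, mode and a list of problems.

    tls_source / auth_source are "elytron", "legacy-realm" or None.
    """
    root = ET.fromstring(xml_text)
    iface = root.find("./management-interfaces/http-interface")
    if iface is None:
        raise ValueError("no <http-interface> under <management-interfaces>")

    problems = []
    realm_name = iface.get("security-realm")
    realm = _find_realm(root, realm_name) if realm_name else None
    if realm_name and realm is None:
        problems.append(f"security-realm '{realm_name}' is referenced but not defined")

    # Elytron-side attributes on the interface itself.
    has_ssl_context = iface.get("ssl-context") is not None
    has_http_auth = iface.get("http-authentication-factory") is not None

    # Legacy realm capabilities: an <ssl> server identity with a keystore can
    # supply TLS, an <authentication> block can supply users.
    realm_has_ssl = realm is not None and realm.find("./server-identities/ssl/keystore") is not None
    realm_has_auth = realm is not None and realm.find("./authentication") is not None

    # Precedence as described in the issue: the Elytron attribute wins when
    # present, otherwise the legacy realm is used for that concern.
    tls_source = "elytron" if has_ssl_context else ("legacy-realm" if realm_has_ssl else None)
    auth_source = "elytron" if has_http_auth else ("legacy-realm" if realm_has_auth else None)

    binding = iface.find("./socket-binding")
    https_bound = binding is not None and binding.get("https") is not None
    if https_bound and tls_source is None:
        problems.append("https socket-binding configured but neither ssl-context nor a realm "
                        "with an <ssl> server identity supplies TLS (WFLYDMHTTP0015 at boot)")
    if auth_source is None:
        problems.append("no authentication source: management interface would be unprotected")

    if not (has_ssl_context or has_http_auth):
        mode = "legacy"
    elif tls_source == "legacy-realm" and auth_source == "elytron":
        mode = "mixed-legacy-tls-elytron-auth"   # the combination reported in WFCORE-2163
    elif tls_source == "elytron" and auth_source == "legacy-realm":
        mode = "mixed-elytron-tls-legacy-auth"
    else:
        mode = "elytron"

    return {"tls_source": tls_source, "auth_source": auth_source,
            "mode": mode, "problems": problems}


if __name__ == "__main__":
    for key, value in classify_http_interface(SAMPLE_XML).items():
        print(f"{key}: {value}")
```

Running it against the sample reports tls_source legacy-realm, auth_source elytron and the mixed mode with no problems, which is exactly the configuration that should have been accepted according to the analysis document; dropping http-authentication-factory (step 5 above) yields the plain legacy mode, and pointing security-realm at a realm without an <ssl> identity while keeping the https binding produces the WFLYDMHTTP0015 finding.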

              Emmanuel Hugonnet (ehugonne1@redhat.com)
              Ondrej Lukas (olukas, Inactive)
              Votes: 0
              Watchers: 1