Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2398

Legacy Kerberos in management, EAP search for HTTPS/localhost ticket

XMLWordPrintable

    • Hide

      1. Configure kerberos for management (1. Setup kerberos for management interface (https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces)
      2. Configure https for management:

      standalone.xml
          <security-realm name="KerberosSslSecurityRealm">
              <server-identities>
                  <kerberos>
                      <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"/>
                  </kerberos>
                  <ssl>
                      <keystore path="server.keystore" keystore-password="123456"/>
                  </ssl>
              </server-identities>
              <authentication>
                  <kerberos/>
              </authentication>
          </security-realm>
      

      3. Try to acces https://localhost.localdomain:9993/management?operation=attribute&name=server-state with valid kerberos ticket.
      4. It is not possible - 401 http code is returned.

      Show
      1. Configure kerberos for management (1. Setup kerberos for management interface ( https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces ) 2. Configure https for management: standalone.xml <security-realm name= "KerberosSslSecurityRealm" > <server-identities> <kerberos> <keytab principal= "HTTP/localhost.localdomain@JBOSS.ORG" path= "krb.keytab" /> </kerberos> <ssl> <keystore path= "server.keystore" keystore-password= "123456" /> </ssl> </server-identities> <authentication> <kerberos/> </authentication> </security-realm> 3. Try to acces https://localhost.localdomain:9993/management?operation=attribute&name=server-state with valid kerberos ticket. 4. It is not possible - 401 http code is returned.

      Accessing management interface secured by Kerberos + TLS causes EAP requests from KDC ticket HTTPS/localhost. Which was not necessary in EAP 7.0 and it worked fine with HTTP/localhost service name

      server.log
      14:20:19,321 TRACE [org.jboss.as.domain.management.security] (management task-7) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
      14:20:19,322 TRACE [org.jboss.as.domain.management.security] (management task-7) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
      14:20:19,322 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      14:20:19,323 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      14:20:19,323 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      14:20:19,323 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      14:20:19,524 WARN  [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
      14:20:19,524 WARN  [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
      14:20:19,524 WARN  [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
      14:20:19,525 WARN  [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
      14:20:19,528 WARN  [org.apache.http.impl.auth.HttpAuthenticator] (main) NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database))
      14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
      14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
      14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
      		[Krb5LoginModule]: Entering logout
      		[Krb5LoginModule]: logged out Subject
      

      Also see network dump krb_https_management.pcap in attachement, where TGS-REQ for HTTPS/localhost is captured.

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: