WildFly Core
WFCORE-2507

Key manager exported from legacy security domain cannot be used by Elytron server-ssl-context


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 3.0.0.Beta26
    • 3.0.0.Beta6
    • Security
    • None
      1. /subsystem=security/security-domain=cert-roles-domain:add
      2. /subsystem=security/security-domain=cert-roles-domain/jsse=classic:add(truststore={password=secret, url="/path/to/server.truststore.jks"}, keystore={password=secret, url="/path/to/server.keystore.jks"}, client-auth=true)
      3. /subsystem=security/elytron-key-manager=ekm:add(legacy-jsse-config=cert-roles-domain)
      4. /subsystem=elytron/server-ssl-context=ssc:add(key-managers=ekm)

      It is not possible to use a key manager exported from a legacy security domain (i.e. an elytron-key-manager) in an Elytron server-ssl-context. It results in:

      {
          "outcome" => "failed",
          "failure-description" => {
              "WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.ssc" => "org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.ssc: WFLYELY00019: No 'X509ExtendedKeyManager' found in injected value."},
              "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.ssl-context.ssc"]
          },
          "rolled-back" => true
      }
      

      The exported key manager is announced as the org.wildfly.security.key-managers capability. Hence it is expected to work wherever that capability is requested.
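The failure message shows the check the server-ssl-context performs on the injected value: it looks for an X509ExtendedKeyManager among the supplied key managers and rejects anything else. The following Java snippet is an added illustration, not WildFly or Elytron code: selectExtended performs that lookup and, where a key manager only implements the plain X509KeyManager interface (the report does not say whether this is what the legacy exporter produces, so that is an assumption here), adapts it with a delegating X509ExtendedKeyManager so that an SSLEngine-based context can still consume it.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

public final class KeyManagerSelection {

    // Mirrors the kind of lookup the error message describes: prefer a real
    // X509ExtendedKeyManager; otherwise adapt a plain X509KeyManager (assumed
    // shape of a legacy-exported manager); otherwise fail like the server does.
    public static X509ExtendedKeyManager selectExtended(KeyManager[] keyManagers) {
        for (KeyManager km : keyManagers) {
            if (km instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) km;
            }
        }
        for (KeyManager km : keyManagers) {
            if (km instanceof X509KeyManager) {
                return new ExtendedAdapter((X509KeyManager) km);
            }
        }
        throw new IllegalStateException("No X509ExtendedKeyManager found in injected value");
    }

    // Delegating adapter. X509ExtendedKeyManager's engine-based alias methods
    // return null by default, so they are routed to the socket-based ones.
    static final class ExtendedAdapter extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        ExtendedAdapter(X509KeyManager delegate) { this.delegate = delegate; }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.chooseClientAlias(keyType, issuers, socket); }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseClientAlias(keyType, issuers, null); }
        @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseServerAlias(keyType, issuers, null); }
    }
}
```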

              Assignee: Unassigned
              Reporter: Ondrej Kotek