Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2548

Native management interface ignores SSL/TLS based on Elytron SSL Context when remote protocol is used

    Details

    • Steps to Reproduce:
      Hide

      Using a new native socket-binding-group, you can follow [1] to set management native-interface (instead of http-interface) backed by SSL Context from Elytron.

      • Add socket-binding, ssl-context, native mgmt interface:
        /socket-binding-group=standard-sockets/socket-binding=native:add(port=9999)
        
        /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
         
        /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
         
        /subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
         
        /subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
         
        /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true)
        
        /core-service=management/management-interface=native-interface:add(socket-binding=native,ssl-context=twoWaySSC)
        
      • Run ./bin/jboss-cli.sh --controller=remote://localhost:9999 -c
      Show
      Using a new native socket-binding-group , you can follow [1] to set management native-interface (instead of http-interface ) backed by SSL Context from Elytron. Add socket-binding, ssl-context, native mgmt interface: /socket-binding-group=standard-sockets/socket-binding=native:add(port=9999) /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret}) /subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509") /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true) /core-service=management/management-interface=native-interface:add(socket-binding=native,ssl-context=twoWaySSC) Run ./bin/jboss-cli.sh --controller=remote://localhost:9999 -c

      Description

      Following [1] to set management native-interface backed by SSL Context from Elytron. Using remote protocol, jboss-cli connects to server ignoring a need to have trusted client certificate.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSfortheManagementInterfacesusingtheElytronSubsystem

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  luck3y Ken Wills
                  Reporter:
                  okotek Ondrej Kotek
                  Tester:
                  Ondrej Kotek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: