Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2548

Native management interface ignores SSL/TLS based on Elytron SSL Context when remote protocol is used

    XMLWordPrintable

Details

    • Hide

      Using a new native socket-binding-group, you can follow [1] to set management native-interface (instead of http-interface) backed by SSL Context from Elytron.

      • Add socket-binding, ssl-context, native mgmt interface: 
        /socket-binding-group=standard-sockets/socket-binding=native:add(port=9999)

/subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
 
/subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
 
/subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
 
/subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
 
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true)

/core-service=management/management-interface=native-interface:add(socket-binding=native,ssl-context=twoWaySSC)
      • Run ./bin/jboss-cli.sh --controller=remote://localhost:9999 -c
      Show
      Using a new native socket-binding-group , you can follow [1] to set management native-interface (instead of http-interface ) backed by SSL Context from Elytron. Add socket-binding, ssl-context, native mgmt interface: /socket-binding-group=standard-sockets/socket-binding=native:add(port=9999) /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-managers=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret}) /subsystem=elytron/trust-managers=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509") /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-managers=twoWayKM,protocols=["TLSv1.2"],trust-managers=twoWayTM,want-client-auth=true,need-client-auth=true) /core-service=management/management-interface=native-interface:add(socket-binding=native,ssl-context=twoWaySSC) Run ./bin/jboss-cli.sh --controller=remote://localhost:9999 -c

    Description

      Following [1] to set management native-interface backed by SSL Context from Elytron. Using remote protocol, jboss-cli connects to server ignoring a need to have trusted client certificate.

      [1] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableTwowaySSL%2FTLSfortheManagementInterfacesusingtheElytronSubsystem

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9630 Native management interface ignores SSL/TLS based on Elytron SSL Context when remote protocol is used

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          relates to

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2333 Native management interface does not work with SSL/TLS based on Elytron SSL Context

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved

          Activity

            People

              kwills@redhat.com Ken Wills
              okotek@redhat.com Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: