  1. WildFly Core
  2. WFCORE-2832

JBoss CLI run with IBM JDK is not able to use secure connection when server uses Elytron ssl-context


Details

    • Bug
    • Resolution: Done
    • Blocker
    • 3.0.0.Beta24
    • None
    • CLI, Security
    • None

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'
      

      2) generate server keystore and client truststore (generate them with IBM JDK):

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
      keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
      keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
      

      3) Set up ssl-context in Elytron subsystem in application server:

        <tls>
          <key-stores>
            <key-store name="elytronHttpsKS" type="JKS">
              <file path="/PATH/TO/GENERATED/server.keystore.jks"/>
              <credential-reference clear-text="secret"/>
            </key-store>
          </key-stores>
          <key-managers>
            <key-manager name="elytronHttpsKM" key-store="elytronHttpsKS">
              <credential-reference clear-text="secret"/>
            </key-manager>
          </key-managers>
          <server-ssl-contexts>
            <server-ssl-context key-managers="elytronHttpsKM" name="elytronHttpsSSC" protocols="TLSv1.2"/>
          </server-ssl-contexts>
        </tls>
      

      4) Configure http interface to use Elytron authentication and ssl-context:

      <http-interface security-realm="ManagementRealm" ssl-context="elytronHttpsSSC">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http" https="management-https"/>
      </http-interface>
      

      5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configure ssl there:

      <ssl>	
        <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store>
        <trust-store-password>secret</trust-store-password>
        <modify-trust-store>true</modify-trust-store>
      </ssl> 
      

      6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      

      It will fail with:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException
      

      7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK; it will pass:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      

    Description

      If SSL through an Elytron ssl-context is configured for the management interface, JBoss CLI is not able to authenticate when it is run with IBM JDK.

      It works correctly when

      • Legacy SSL is used instead of Elytron ssl-context
      • or non-IBM JDK is used for JBoss CLI
      • or only authentication without SSL is used

      It fails for http-interface as well as native-interface.

      When a different client is used for connection to the management interface (I tried it with ModelControllerClient), authentication and SSL work correctly.

      For http-interface, the following CLI output is printed:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException
      

      For native-interface, the following CLI output is printed:

      Failed to connect to the controller: Unable to negotiate SSL connection with controller at localhost:9999
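One way to test the TLS layer on its own, outside the CLI, is a bare JSSE handshake against the http-interface run once per JDK. This is an added diagnostic, not code from the issue or from WildFly; the class name `TlsProbe` is hypothetical, and it assumes the server from the steps is listening on localhost:9993 with the truststore from step 2.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic (hypothetical class, not WildFly code). Run with each JDK:
//   java TlsProbe /PATH/TO/GENERATED/client.truststore.jks secret localhost 9993
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        String trustStorePath = args[0];
        char[] password = args[1].toCharArray();
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));

        // Load the client truststore generated in step 2.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Protocols this JDK enables by default versus those it could enable;
        // compare with protocols="TLSv1.2" on the server-ssl-context in step 3.
        System.out.println("default:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // Plain TLS handshake against the management https port.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("negotiated: " + session.getProtocol()
                    + " / " + session.getCipherSuite());
        } catch (SSLException e) {
            System.out.println("handshake failed: " + e);
        }
    }
}
```

Comparing the output under IBM JDK with the output under Open JDK or Oracle JDK shows whether the difference appears at the handshake or only inside the CLI.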
      

            People

              jdenise@redhat.com Jean Francois Denise
              olukas Ondrej Lukas (Inactive)