Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2832

JBoss CLI run with IBM JDK is not able to use secure connection when server uses Elytron ssl-context

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.0.Beta24
    • None
    • CLI, Security
    • None
    • Hide

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'

      2) generate server keystore and client truststore (generate them with IBM JDK):

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer

      3) Setup ssl-context in Elytron subsystem in application server:

        <tls>
    <key-stores>
      <key-store name="elytronHttpsKS" type="JKS">
        <file path="/PATH/TO/GENERATED/server.keystore.jks"/>
        <credential-reference clear-text="secret"/>
      </key-store>
    </key-stores>
    <key-managers>
      <key-manager name="elytronHttpsKM" key-store="elytronHttpsKS">
        <credential-reference clear-text="secret"/>
      </key-manager>
    </key-managers>
    <server-ssl-contexts>
      <server-ssl-context key-managers="elytronHttpsKM" name="elytronHttpsSSC" protocols="TLSv1.2"/>
    </server-ssl-contexts>
  </tls>

      4) Configure http interface to use Elytron authentication and ssl-context:

      <http-interface security-realm="ManagementRealm" ssl-context="elytronHttpsSSC">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http" https="management-https"/>
</http-interface>

      5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there:

      <ssl>	
  <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store>
  <trust-store-password>secret</trust-store-password>
  <modify-trust-store>true</modify-trust-store>
</ssl>

      6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123

      It will fail with:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException

      7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      Show
      1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate server keystore and client truststore (generate them with IBM JDK): keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer 3) Setup ssl-context in Elytron subsystem in application server: <tls> <key-stores> <key-store name= "elytronHttpsKS" type= "JKS" > <file path= "/PATH/TO/GENERATED/server.keystore.jks" /> <credential-reference clear-text= "secret" /> </key-store> </key-stores> <key-managers> <key-manager name= "elytronHttpsKM" key-store= "elytronHttpsKS" > <credential-reference clear-text= "secret" /> </key-manager> </key-managers> <server-ssl-contexts> <server-ssl-context key-managers= "elytronHttpsKM" name= "elytronHttpsSSC" protocols= "TLSv1.2" /> </server-ssl-contexts> </tls> 4) Configure http interface to use Elytron authentication and ssl-context: <http- interface security-realm= "ManagementRealm" ssl-context= "elytronHttpsSSC" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there: <ssl> <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store> <trust-store-password>secret</trust-store-password> <modify-trust-store> true </modify-trust-store> </ssl> 6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123 It will fail with: Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https: //localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException 7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123

      In case SSL through Elytron ssl-context is configured for management interface then JBoss CLI is not able to authenticate when it is run with IBM JDK.

      It works correctly when

      • Legacy SSL is used instead of Elytron ssl-context
      • or non-IBM JDK is used for JBoss CLI
      • or only authentication without SSL is used

      It fails for http-interface as well as native-interface.

      When different client is used for connection to management interface (I tried it with ModelControllerClient) then authentication and SSL works correctly.

      For http-interface following output of CLI is print:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException

      For native-interface following output of CLI is print:

      Failed to connect to the controller: Unable to negotiate SSL connection with controller at localhost:9999

              jdenise@redhat.com Jean Francois Denise
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: