Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2832

JBoss CLI run with IBM JDK is not able to use secure connection when server uses Elytron ssl-context

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.0.Beta24
    • None
    • CLI, Security
    • None
    • Hide

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'
      

      2) generate server keystore and client truststore (generate them with IBM JDK):

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
      keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
      keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
      

      3) Setup ssl-context in Elytron subsystem in application server:

        <tls>
          <key-stores>
            <key-store name="elytronHttpsKS" type="JKS">
              <file path="/PATH/TO/GENERATED/server.keystore.jks"/>
              <credential-reference clear-text="secret"/>
            </key-store>
          </key-stores>
          <key-managers>
            <key-manager name="elytronHttpsKM" key-store="elytronHttpsKS">
              <credential-reference clear-text="secret"/>
            </key-manager>
          </key-managers>
          <server-ssl-contexts>
            <server-ssl-context key-managers="elytronHttpsKM" name="elytronHttpsSSC" protocols="TLSv1.2"/>
          </server-ssl-contexts>
        </tls>
      

      4) Configure http interface to use Elytron authentication and ssl-context:

      <http-interface security-realm="ManagementRealm" ssl-context="elytronHttpsSSC">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http" https="management-https"/>
      </http-interface>
      

      5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there:

      <ssl>	
        <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store>
        <trust-store-password>secret</trust-store-password>
        <modify-trust-store>true</modify-trust-store>
      </ssl> 
      

      6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      

      It will fail with:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException
      

      7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      
      Show
      1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate server keystore and client truststore (generate them with IBM JDK): keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer 3) Setup ssl-context in Elytron subsystem in application server: <tls> <key-stores> <key-store name= "elytronHttpsKS" type= "JKS" > <file path= "/PATH/TO/GENERATED/server.keystore.jks" /> <credential-reference clear-text= "secret" /> </key-store> </key-stores> <key-managers> <key-manager name= "elytronHttpsKM" key-store= "elytronHttpsKS" > <credential-reference clear-text= "secret" /> </key-manager> </key-managers> <server-ssl-contexts> <server-ssl-context key-managers= "elytronHttpsKM" name= "elytronHttpsSSC" protocols= "TLSv1.2" /> </server-ssl-contexts> </tls> 4) Configure http interface to use Elytron authentication and ssl-context: <http- interface security-realm= "ManagementRealm" ssl-context= "elytronHttpsSSC" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there: <ssl> <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store> <trust-store-password>secret</trust-store-password> <modify-trust-store> true </modify-trust-store> </ssl> 6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123 It will fail with: Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https: //localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException 7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123

      In case SSL through Elytron ssl-context is configured for management interface then JBoss CLI is not able to authenticate when it is run with IBM JDK.

      It works correctly when

      • Legacy SSL is used instead of Elytron ssl-context
      • or non-IBM JDK is used for JBoss CLI
      • or only authentication without SSL is used

      It fails for http-interface as well as native-interface.

      When different client is used for connection to management interface (I tried it with ModelControllerClient) then authentication and SSL works correctly.

      For http-interface following output of CLI is print:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException
      

      For native-interface following output of CLI is print:

      Failed to connect to the controller: Unable to negotiate SSL connection with controller at localhost:9999
      

              jdenise@redhat.com Jean Francois Denise
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: