WildFly Core / WFCORE-5064

Incorrect use of KeyManagerFactory.getDefaultAlgorithm instead of TrustManagerFactory


      • Create a certificate for the server and copy the default trust-store into the configuration directory:
      cd ${JBOSS_HOME}/bin
      keytool -genkeypair -alias localhost -keyalg RSA -keysize 2048 -validity 365 -keystore ../standalone/configuration/keystore.jks -dname "CN=localhost" -storepass secret -ext san=dns:localhost,ip:127.0.0.1
      cp ${JAVA_HOME}/jre/lib/security/cacerts ../standalone/configuration/cacerts
      
      • Configure a legacy security realm with the certificate and set it on the https listener:
      /core-service=management/security-realm=CertificateRealm:add()
      /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias="localhost", keystore-relative-to=jboss.server.config.dir, keystore-path="keystore.jks", keystore-password=secret)
      /core-service=management/security-realm=CertificateRealm/authentication=truststore:add(keystore-relative-to=jboss.server.config.dir, keystore-path="cacerts", keystore-password=changeit)
      batch
      /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=ssl-context)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value="CertificateRealm")
      run-batch
      
      • Using OpenJDK, create a properties file issue.policy that overrides the default factory algorithms:
      ssl.KeyManagerFactory.algorithm=NewSunX509
      ssl.TrustManagerFactory.algorithm=SunPKIX
      
      • Modify standalone.conf to load that security properties file as an override:
      JAVA_OPTS="$JAVA_OPTS -Djava.security.properties=issue.policy"
      
      • Start the server and observe the error:
      ./standalone.sh
      ...
      11:29:38,429 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.CertificateRealm.trust-manager: WFLYDM0018: Unable to start service
      	at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:113)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
      	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.NoSuchAlgorithmException: NewSunX509 TrustManagerFactory not available
      	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
      	at javax.net.ssl.TrustManagerFactory.getInstance(TrustManagerFactory.java:139)
      	at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:111)
      	... 8 more
      
    • Workaround Exists

      Use the new Elytron configuration for SSL.


      When configuring https using the old security-realm, the trust-manager factory is selected with the line:

                  trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      

      This is incorrect: the lookup should use the TrustManagerFactory default algorithm, not the KeyManagerFactory one. As a result, by default on OpenJDK the SunX509 trust manager factory is used instead of the default PKIX implementation. The default values for both factories are defined in the java.security file of the JDK:

      #
      # Determines the default key and trust manager factory algorithms for
      # the javax.net.ssl package.
      #
      ssl.KeyManagerFactory.algorithm=SunX509
      ssl.TrustManagerFactory.algorithm=PKIX
      

      Using an exotic configuration can lead to an error if the KeyManagerFactory is configured with an algorithm that is not valid for the TrustManagerFactory (NewSunX509, for example).
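The following standalone Java program is an added example, not WildFly Core code: it reproduces the defective lookup and its corrected form outside the server. The class name is made up, and the override is applied with Security.setProperty as a stand-in for the issue.policy file from the reproducer.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (hypothetical class, not part of WildFly Core): reproduces the
 * WFCORE-5064 lookup in plain Java SE and shows the corrected form.
 */
public class TrustManagerAlgorithmCheck {

    /** Defective lookup: asks TrustManagerFactory for the key-manager default. */
    static TrustManagerFactory buggyLookup() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    }

    /** Corrected lookup: each factory is resolved with its own default algorithm. */
    static TrustManagerFactory fixedLookup() throws NoSuchAlgorithmException {
        return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        // With stock java.security values both lookups succeed, but the buggy one
        // silently yields SunX509 (simple chain check, no PKIX path validation
        // features such as revocation checking) instead of the PKIX default.
        System.out.println("KeyManagerFactory default:   " + KeyManagerFactory.getDefaultAlgorithm());
        System.out.println("TrustManagerFactory default: " + TrustManagerFactory.getDefaultAlgorithm());
        System.out.println("buggy -> " + buggyLookup().getAlgorithm());
        System.out.println("fixed -> " + fixedLookup().getAlgorithm());

        // Same override as the issue.policy file in the reproducer, applied
        // programmatically here (assumption: stands in for -Djava.security.properties).
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "NewSunX509");
        Security.setProperty("ssl.TrustManagerFactory.algorithm", "SunPKIX");

        try {
            buggyLookup();
            System.out.println("buggy lookup unexpectedly succeeded");
        } catch (NoSuchAlgorithmException e) {
            // Same failure as the stack trace in the issue:
            // "NewSunX509 TrustManagerFactory not available"
            System.out.println("buggy -> " + e.getMessage());
        }
        System.out.println("fixed -> " + fixedLookup().getAlgorithm());
    }
}
```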

              rhn-support-rmartinc Ricardo Martin Camarero