WildFly Core / WFCORE-5088

User is able to specify credential-reference with only store name


      1. unzip the server and start it: ./bin/standalone.sh &
      2. connect to the server's CLI: ./bin/jboss-cli.sh -c
      3. create an empty credential store
        /subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
        
      4. now try to create an imap server element referencing the credential store, with neither the 'alias' nor the 'clear-text' attribute specified
        /subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
        
      5. the same thing as before, but in separate steps
        /subsystem=mail/mail-session=default/server=imap:remove()
        /subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
        /subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
        
      6. all those operations have succeeded, even though we have specified neither the 'alias' nor the 'clear-text' attribute
      7. let's now try the 'key-store' resource
        /subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
        
      8. this command fails, which is correct
      9. now let's try it in separate steps
        /subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
        /subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
        
      10. the first command passes successfully (that is correct); the second command passes successfully too, even though it should fail
      11. now, after the 'reload' operation, we can see the following error in server.log:
        23:28:35,534 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
            ("subsystem" => "elytron"),
            ("key-store" => "exampleKS")
        ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
            Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
        
    • User Experience

      It is possible to create a credential-reference to a credential store with just the name of the credential store in question, without specifying an alias (or clear-text, in the case of automatic addition of a new record into the credential store; see doc 16.4.2 Automatic Updates of Credential Stores). The actual configuration error is only revealed when the server is reloaded, with the following error message in the server log (note that I can see this error in the case of the 'key-store' example but not in the case of the 'imap' example; see the reproduction steps for this issue):

      22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("key-store" => "exampleKS")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
          Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
      

      This misconfiguration is not possible in WildFly 19.1.0.Final, as you are required to specify the alias attribute too.

      I suspect that the change in behavior has been introduced by this new feature: https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).

      The correct behavior is to require the credential store name and:

      1. 'alias'
      2. or 'alias' and 'clear-text'
      3. or 'clear-text' (alias will be generated automatically in this case)

      as described in the referenced documentation.
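As an added example (not part of the original report and not WildFly's own code): a small Python audit that walks a standalone.xml-style configuration and flags every credential-reference element that names a store but carries neither an alias nor a clear-text value, i.e. the combination that the CLI accepts here and that only surfaces as WFLYELY00910 at reload (and, for the imap case, may not surface in the log at all). The validity rules applied are the ones listed above; the sample configuration is constructed, and its namespace URNs and the layout of the elements around the references are illustrative. Only the credential-reference element and its store, alias and clear-text attributes are what the check relies on.

```python
"""Audit a WildFly configuration file for credential-reference elements that
name a credential store without an alias or a clear-text value.

Rules applied (from the issue text):
  store + alias                -> valid
  store + alias + clear-text   -> valid
  store + clear-text           -> valid (alias is generated automatically)
  store alone                  -> INVALID, fails at reload with WFLYELY00910
  clear-text alone             -> valid (no store involved)
WildFly's own model validation is authoritative; this is an offline pre-check.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one key-store with a store-only reference (the bug), one
# valid store+alias reference, one clear-text-only reference for the credential
# store itself, and an imap server with a store-only reference.  Namespaces and
# surrounding element layout are illustrative, not copied from a real server.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:13.0">
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:11.0">
      <credential-stores>
        <credential-store name="mycredstore" location="mycredstore.cs"
                          relative-to="jboss.server.config.dir" create="true">
          <credential-reference clear-text="StorePassword"/>
        </credential-store>
      </credential-stores>
      <tls>
        <key-stores>
          <key-store name="exampleKS">
            <credential-reference store="mycredstore"/>
            <implementation type="JCEKS"/>
            <file path="example.keystore" relative-to="jboss.server.config.dir"/>
          </key-store>
          <key-store name="goodKS">
            <credential-reference store="mycredstore" alias="goodks-pw"/>
            <implementation type="JCEKS"/>
            <file path="good.keystore" relative-to="jboss.server.config.dir"/>
          </key-store>
        </key-stores>
      </tls>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:mail:4.0">
      <mail-session name="default" jndi-name="java:jboss/mail/Default">
        <imap-server outbound-socket-binding-ref="mail-smtp">
          <credential-reference store="mycredstore"/>
        </imap-server>
      </mail-session>
    </subsystem>
  </profile>
</server>
"""


def check_credential_reference(attrs):
    """Return None when the attribute set is resolvable, else a reason string."""
    store = attrs.get("store")
    alias = attrs.get("alias")
    clear_text = attrs.get("clear-text")
    if store is None:
        # Without a store the only thing that can resolve is a literal secret.
        return None if clear_text is not None else "neither 'store' nor 'clear-text' given"
    if alias is None and clear_text is None:
        return "'store' given without 'alias' or 'clear-text'"
    return None


def _local_name(tag):
    # ElementTree tags carry the namespace as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]


def _describe(path):
    """Render an ancestor chain as subsystem/.../element[name] for reporting."""
    parts = []
    for el in path:
        name = _local_name(el.tag)
        if name in ("server", "profile"):
            continue
        label = el.get("name")
        parts.append(f"{name}[{label}]" if label else name)
    return "/".join(parts)


def audit(xml_text):
    """Return a list of (location, reason) for every offending reference."""
    root = ET.fromstring(xml_text)
    findings = []
    ancestors = []

    def walk(el):
        ancestors.append(el)
        if _local_name(el.tag) == "credential-reference":
            reason = check_credential_reference(el.attrib)
            if reason is not None:
                findings.append((_describe(ancestors[:-1]), reason))
        for child in el:
            walk(child)
        ancestors.pop()

    walk(root)
    return findings


if __name__ == "__main__":
    for location, reason in audit(SAMPLE_XML):
        print(f"{location}: {reason}")
```

Point `audit` at the text of a real standalone.xml or host.xml before issuing `reload`; a store-only reference will be reported for any subsystem, so the check also catches the mail-session case that the server log stayed silent about.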

              fjuma1@redhat.com Farah Juma
              jstourac@redhat.com Jan Stourac