WildFly Core: WFCORE-5088

User is able to specify credential-reference with only store name

    • Reproduction steps
      1. unzip the server and start it: ./bin/standalone.sh &
      2. connect to the server's CLI: ./bin/jboss-cli.sh -c
      3. create an empty credential store
        /subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
        
      4. now try to create an imap server element referencing the credential store, with neither the 'alias' nor the 'clear-text' attribute specified
        /subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
        
      5. same thing as before but in separate steps
        /subsystem=mail/mail-session=default/server=imap:remove()
        /subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
        /subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
        
      6. all those operations succeed even though we have specified neither the 'alias' nor the 'clear-text' attribute
      7. let's now try the 'key-store' resource
        /subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
        
      8. this command fails, which is correct
      9. now let's try it in separate steps
        /subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
        /subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
        
      10. the first command passes successfully (that is correct); the second command passes successfully too, even though it should fail
      11. now, after the 'reload' operation, we can see the following error in server.log:
        23:28:35,534 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
            ("subsystem" => "elytron"),
            ("key-store" => "exampleKS")
        ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
            Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
        
    • User Experience

      It is possible to create a credential-reference to the credential store with just the name of the credential store in question, without specifying an alias (or clear-text in the case of automatic addition of a new record into the credential store; see doc 16.4.2. Automatic Updates of Credential Stores). The actual configuration error is revealed when the server is reloaded, with the following error message in the server log (note that I can see this error in the case of the 'key-store' example but not in the case of the 'imap' example; see Reproduction steps for this issue):

      22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("key-store" => "exampleKS")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
          Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
      

      This misconfiguration is not possible in WildFly 19.1.0.Final, as you are required to specify the alias attribute too.

      I suspect that the change in behavior has been introduced by this new feature: https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).

      The correct behavior is to require the credential store name and:

      1. 'alias'
      2. or 'alias' and 'clear-text'
      3. or 'clear-text' (alias will be generated automatically in this case)

      as described in the referenced documentation.
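A defender-side check for the misconfiguration described above, written here as an added example (not WildFly's own code): it scans a standalone.xml-shaped document for credential-reference elements that name a store without an alias or clear-text, i.e. the shape that the CLI accepts but that fails at reload. The sample XML is constructed, namespace declarations are omitted, and the attribute names store/alias/clear-text are assumed to match the WildFly schema.

```python
import xml.etree.ElementTree as ET

# Constructed standalone.xml-shaped sample (namespaces omitted; the scanner matches on
# local tag names, so namespaced real files work too). Attribute names store / alias /
# clear-text are assumed to match the WildFly schema.
SAMPLE_XML = """<server><profile>
  <subsystem name="elytron">
    <credential-store name="mycredstore" location="mycredstore.cs" create="true">
      <credential-reference clear-text="StorePassword"/>
    </credential-store>
    <key-store name="exampleKS" type="JCEKS">
      <credential-reference store="mycredstore"/>
      <file path="example.keystore" relative-to="jboss.server.config.dir"/>
    </key-store>
  </subsystem>
  <subsystem name="mail"><mail-session name="default">
    <imap-server outbound-socket-binding-ref="mail-smtp">
      <credential-reference store="mycredstore"/>
    </imap-server>
    <smtp-server outbound-socket-binding-ref="mail-smtp"><credential-reference store="mycredstore" alias="smtpUser"/></smtp-server>
  </mail-session></subsystem>
</profile></server>"""

def check_reference(attrs):
    """Rule from the report: a store name must come with 'alias', 'alias' plus
    'clear-text', or 'clear-text' alone (alias is then generated). Returns (ok, reason)."""
    store, alias, clear = attrs.get("store"), attrs.get("alias"), attrs.get("clear-text")
    if store is None:  # assumption: without a store only an inline clear-text is meaningful
        return (alias is None and clear is not None, "no store: clear-text alone is required")
    if alias is None and clear is None:
        return (False, "store without alias or clear-text: password cannot be resolved")
    return (True, "ok")

def find_misconfigured(xml_text):
    """Return [(owner path, reason)] for every credential-reference failing the rule."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "credential-reference":  # strip any {namespace}
            continue
        ok, reason = check_reference(el.attrib)
        if not ok:
            # Name the owner by its named ancestors, e.g. .../key-store=exampleKS
            parts, node = [], parents.get(el)
            while node is not None:
                tag = node.tag.rsplit("}", 1)[-1]
                parts.append(f"{tag}={node.get('name')}" if node.get("name") else tag)
                node = parents.get(node)
            findings.append(("/".join(reversed(parts)), reason))
    return findings
```

Running find_misconfigured over the sample flags the key-store and the imap-server (store only) and leaves the clear-text-only and store-plus-alias references alone.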



            Jan Stourac added a comment - fjuma1@redhat.com, thank you for the fix! I've tried your changes and I can confirm that the issue is fixed now. I've also put some comments on the MR itself.

            Farah Juma added a comment - rhn-support-dlofthouse Sure, will take a look at this one.


            Darran Lofthouse added a comment - fjuma1@redhat.com did you want to take a look at this one? It does sound related to the automatic updates.

              fjuma1@redhat.com Farah Juma
              jstourac@redhat.com Jan Stourac