WildFly Core / WFCORE-897

IPv6 address in security realm using Kerberos


    • Bug
    • Resolution: Obsolete
    • Optional
    • 3.0.0.Alpha13
    • None
    • Security
    • None

      1) Configure EAP7 to use IPv6. https://docs.jboss.org/author/display/WFLY8/Interfaces+and+ports

      2) Generate remote.keytab with principal remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG

      3) Configure security realm with IPv6 address [2620:52:0:2804:56ee:75ff:fe34:630e]

      <security-realm name="TestKerberosRealm">
        <server-identities>
          <kerberos>
            <keytab principal="remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG" path="remote.keytab" relative-to="jboss.server.config.dir" debug="true"/>
          </kerberos>
        </server-identities>
        <authentication>
          <kerberos/>
        </authentication>
      </security-realm>

      4) Use this realm for securing CLI

      <management-interfaces>
        <http-interface security-realm="TestKerberosRealm" http-upgrade-enabled="true">
          <socket-binding http="management-http"/>
        </http-interface>
      </management-interfaces>

      5) Try CLI
      ./jboss-cli.sh -Djavax.security.auth.useSubjectCredsOnly=false --controller=http-remoting://[2620:52:0:2804:56ee:75ff:fe34:630e]:9990

      EAP generates TGS-REQ for remote/2620:52:0:2804:56ee:75ff:fe34:630e.


      When Kerberos in the realm is configured to use an IPv6 address with square brackets, e.g. [2620:52:0:2804:56ee:75ff:fe34:630e], EAP generates a TGS-REQ for remote/2620:52:0:2804:56ee:75ff:fe34:630e instead of remote/[2620:52:0:2804:56ee:75ff:fe34:630e]. This causes failures when remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG is used in the keytab.

      This happens when such a realm secures CLI or EJB remoting. It doesn't happen when the realm is used for securing the management console.
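A pre-flight check for the mismatch described above, as an added example that is not part of the original issue and not WildFly code. It models the observed behaviour (brackets dropped from the host part of the requested name) rather than WildFly's actual code path, and goes slightly beyond the report by also flagging zero-compression differences; the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Values taken from the issue's reproduction steps.
CONTROLLER = "http-remoting://[2620:52:0:2804:56ee:75ff:fe34:630e]:9990"
KEYTAB_PRINCIPAL = "remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG"


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def as_ip(host):
    """Parsed address if host is an IP literal (brackets optional), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def requested_spn(controller, service, realm):
    """Service name in the form the issue saw in the TGS-REQ: the host from
    the controller URI with the IPv6 square brackets removed."""
    host = urlsplit(controller).hostname  # urlsplit drops the [] of IPv6 literals
    return f"{service}/{host}@{realm}"


def diagnose(keytab_principal, controller):
    """Compare the keytab principal with the name a client would request."""
    service, host, realm = split_principal(keytab_principal)
    spn = requested_spn(controller, service, realm)
    if spn == keytab_principal:
        return "match", spn
    want, got = as_ip(host), as_ip(split_principal(spn)[1])
    if want is not None and want == got:
        # Same address, different spelling (brackets or zero compression):
        # principal names are compared as strings, so the lookup still fails.
        return "same-address-different-text", spn
    return "different-host", spn


if __name__ == "__main__":
    print(diagnose(KEYTAB_PRINCIPAL, CONTROLLER))
```

A result of "same-address-different-text" for the keytab principal from step 2 corresponds to the failure reported here.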

            darran.lofthouse@redhat.com Darran Lofthouse
            mchoma@redhat.com Martin Choma