  1. WildFly
  2. WFLY-20291

WildFly 15.0.1 Stuck on Stopping Status After Configuring HTTPS for Management Interface


      1. Create a keystore using the following command:

      keytool -genkeypair -alias serverkey -keyalg RSA -keysize 2048 -validity 7360 -keystore server.keystore -keypass mypassword -storepass mypassword -dname "cn=Server Administrator,o=Acme,c=GB"  

      2. Copy the server.keystore to the standalone/configuration directory (e.g., C:\wildfly-15.0.1.Final\standalone\configuration).

      3. Update ManagementRealm in standalone-full.xml to reference the keystore:

      <security-realm name="ManagementRealm">
          <authentication>
              <local default-user="$local"/>
              <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
          </authentication>
          <authorization map-groups-to-roles="false">
              <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
          </authorization>
          <server-identities>
              <ssl>
                  <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="serverkey"/>
              </ssl>
          </server-identities>
      </security-realm>

      4. Replace the HTTP socket binding with an HTTPS binding in management-interfaces:

      <management-interfaces>
          <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
              <!-- <socket-binding http="management-http"/> -->
              <socket-binding https="management-https"/>
          </http-interface>
      </management-interfaces>

      5. Comment out or remove the management-http socket binding:

      <!-- <socket-binding interface="management" name="management-http" port="9990"/> -->

      6. Update the registry to change the stop parameter port:

      • Open the Registry Editor and navigate to:
        HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\Wildfly\Parameters\Stop
      • Modify the Params value from:
        /c jboss-cli.bat --controller=localhost:9990 --connect --command=:shutdown
        to:
        /c jboss-cli.bat --controller=localhost:9993 --connect --command=:shutdown

      7. Start the WildFly service.

      8. Attempt to stop the WildFly service.

       

      Observed Behavior:
      The service hangs at the "stopping" status. The logs indicate an unrecognized server certificate and display a prompt to accept the certificate:

       

      Unable to connect due to unrecognised server certificate
      Subject    - CN=test,OU=ou,O=myOrg,L=city,ST=state,C=cc
      Issuer     - CN=test, OU=ou, O=myOrg, L=city, ST=state, C=cc
      Valid From - Thu May 23 13:53:51 IST 2024
      Valid To   - Wed Aug 21 13:53:51 IST 2024
      MD5 : c8:63:bd:a8:ba:8b:f6:f7:a8:87:a2:eb:26:89:b9:94
      SHA1 : 9a:cd:cb:08:df:23:39:b7:4a:ed:fa:80:b6:d8:12:77:57:ac:b2:25

       

      Accept certificate? [N]o, [T]emporarily, [P]ermanently :

       

      Expected Behavior:
      WildFly should correctly stop without user intervention to accept a certificate.

       

      Environment:

      • WildFly version: 15.0.1
      • Operating system: Windows

      We are seeking guidance on how to resolve this issue so that the service can stop properly without manual certificate acceptance.

       


      We are using WildFly version 15.0.1 on a Windows environment and attempting to enhance security by switching the management interface from HTTP to HTTPS. We followed the steps below to configure HTTPS and update the shutdown parameters. However, after making these changes, the WildFly service starts successfully but becomes stuck at the "stopping" status when we attempt to stop it.
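      Before the certificate in that prompt is accepted permanently or pre-trusted so the stop command can run unattended, it should be checked against what step 1 generated. The following is an added example, not part of the report or of WildFly: it parses the prompt text and compares it with the `-dname` and `-validity` values from the keytool command. The function names are hypothetical and the DN parsing is deliberately simple (no escaped commas).

```python
import re
from datetime import datetime

# Prompt text copied from the report above (MD5 line omitted).
PROMPT = """\
Unable to connect due to unrecognised server certificate
Subject    - CN=test,OU=ou,O=myOrg,L=city,ST=state,C=cc
Issuer     - CN=test, OU=ou, O=myOrg, L=city, ST=state, C=cc
Valid From - Thu May 23 13:53:51 IST 2024
Valid To   - Wed Aug 21 13:53:51 IST 2024
SHA1 : 9a:cd:cb:08:df:23:39:b7:4a:ed:fa:80:b6:d8:12:77:57:ac:b2:25
"""

# Expected values, taken from the keytool command in step 1.
EXPECTED_DN = "cn=Server Administrator,o=Acme,c=GB"
EXPECTED_DAYS = 7360

FIELD = re.compile(r"^\s*(Subject|Issuer|Valid From|Valid To|SHA1)\s*[-:]\s*(.+?)\s*$")

def parse_prompt(text):
    """Return the labelled fields of the CLI certificate prompt as a dict."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def normalize_dn(dn):
    """Compare DNs regardless of case and of spacing after commas."""
    pairs = (part.split("=", 1) for part in dn.split(","))
    return tuple((k.strip().upper(), v.strip().lower()) for k, v in pairs)

def parse_date(value):
    """Parse 'Thu May 23 13:53:51 IST 2024', dropping the zone abbreviation."""
    t = value.split()
    return datetime.strptime(" ".join(t[:4] + t[5:]), "%a %b %d %H:%M:%S %Y")

def check_presented_cert(prompt, expected_dn, expected_days, expected_sha1=None):
    """List every way the presented certificate differs from the expected one."""
    f = parse_prompt(prompt)
    findings = []
    if normalize_dn(f["Subject"]) == normalize_dn(f["Issuer"]):
        findings.append("self-signed: must be trusted explicitly")
    if normalize_dn(f["Subject"]) != normalize_dn(expected_dn):
        findings.append("subject differs from the generated keystore entry")
    days = (parse_date(f["Valid To"]) - parse_date(f["Valid From"])).days
    if days != expected_days:
        findings.append(f"validity is {days} days, expected {expected_days}")
    if expected_sha1 and f["SHA1"].lower() != expected_sha1.lower():
        findings.append("SHA1 fingerprint mismatch")
    return findings
```

      Pass the SHA1 value printed by `keytool -list -v -keystore server.keystore` as `expected_sha1` to also pin the fingerprint.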

       

              jdenise@redhat.com Jean Francois Denise
              nc665504 Nagaraju Chitimilla