Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10982

JBoss CLI run with IBM JDK is not able to use secure connection when server uses Elytron ssl-context

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.ER1
    • 7.1.0.DR18
    • CLI, Security
    • Documentation (Ref Guide, User Guide, etc.), Release Notes
    • Hide

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'

      2) generate server keystore and client truststore (generate them with IBM JDK):

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer

      3) Setup ssl-context in Elytron subsystem in application server:

        <tls>
    <key-stores>
      <key-store name="elytronHttpsKS" type="JKS">
        <file path="/PATH/TO/GENERATED/server.keystore.jks"/>
        <credential-reference clear-text="secret"/>
      </key-store>
    </key-stores>
    <key-managers>
      <key-manager name="elytronHttpsKM" key-store="elytronHttpsKS">
        <credential-reference clear-text="secret"/>
      </key-manager>
    </key-managers>
    <server-ssl-contexts>
      <server-ssl-context key-managers="elytronHttpsKM" name="elytronHttpsSSC" protocols="TLSv1.2"/>
    </server-ssl-contexts>
  </tls>

      4) Configure http interface to use Elytron authentication and ssl-context:

      <http-interface security-realm="ManagementRealm" ssl-context="elytronHttpsSSC">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http" https="management-https"/>
</http-interface>

      5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there:

      <ssl>	
  <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store>
  <trust-store-password>secret</trust-store-password>
  <modify-trust-store>true</modify-trust-store>
</ssl>

      6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123

      It will fail with:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException

      7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass:

      ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123
      Show
      1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate server keystore and client truststore (generate them with IBM JDK): keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer 3) Setup ssl-context in Elytron subsystem in application server: <tls> <key-stores> <key-store name= "elytronHttpsKS" type= "JKS" > <file path= "/PATH/TO/GENERATED/server.keystore.jks" /> <credential-reference clear-text= "secret" /> </key-store> </key-stores> <key-managers> <key-manager name= "elytronHttpsKM" key-store= "elytronHttpsKS" > <credential-reference clear-text= "secret" /> </key-manager> </key-managers> <server-ssl-contexts> <server-ssl-context key-managers= "elytronHttpsKM" name= "elytronHttpsSSC" protocols= "TLSv1.2" /> </server-ssl-contexts> </tls> 4) Configure http interface to use Elytron authentication and ssl-context: <http- interface security-realm= "ManagementRealm" ssl-context= "elytronHttpsSSC" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) Configure jboss-cli.xml to use port 9993, change protocol to remote+https and also configured ssl there: <ssl> <trust-store>/PATH/TO/GENERATED/client.truststore.jks</trust-store> <trust-store-password>secret</trust-store-password> <modify-trust-store> true </modify-trust-store> </ssl> 6) start application server with IBM JDK and try to authenticate to JBoss CLI with IBM JDK: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123 It will fail with: Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https: //localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException 7) try to authenticate to JBoss CLI with Open JDK or Oracle JDK, it will pass: ./jboss-cli.sh -c --no-local-auth -u=admin -p=pass@123

    Description

      In case SSL through Elytron ssl-context is configured for management interface then JBoss CLI is not able to authenticate when it is run with IBM JDK.

      It works correctly when

      • Legacy SSL is used instead of Elytron ssl-context
      • or non-IBM JDK is used for JBoss CLI
      • or only authentication without SSL is used

      It fails for http-interface as well as native-interface.

      When different client is used for connection to management interface (I tried it with ModelControllerClient) then authentication and SSL works correctly.

      For http-interface following output of CLI is print:

      Failed to connect to the controller: The controller is not available at localhost:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://localhost:9993. The connection failed: java.nio.channels.ClosedChannelException

      For native-interface following output of CLI is print:

      Failed to connect to the controller: Unable to negotiate SSL connection with controller at localhost:9999

      This issues is reported in EAP 7.1.0.DR18 because previous versions have not been able to start application server with IBM JDK. We request blocker since IBM JDK is supported and missing ability to connect to application server with secured connection blocks RFE EAP7-628.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2832 JBoss CLI run with IBM JDK is not able to use secure connection when server uses Elytron ssl-context

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-11137 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta26

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11114 Documentation: describe -Dcom.ibm.jsse2.overrideDefaultTLS CLI parameter

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11765 JMS client fails to connect with SSL on IBM JDK 8

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              jdenise@redhat.com Jean Francois Denise
              olukas Ondrej Lukas (Inactive)
              Martin Svehla Martin Svehla
              Martin Svehla Martin Svehla
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: