  1. JBoss Enterprise Application Platform
  2. JBEAP-783

(7.1.z) IPv6 address in security realm using Kerberos

    Details

    • Target Release:
    • Fix Build:
      CR1
    • Steps to Reproduce:

      1) Configure EAP7 to use IPv6. https://docs.jboss.org/author/display/WFLY8/Interfaces+and+ports

      2) Generate remote.keytab with principal remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG

      3) Configure security realm with IPv6 address [2620:52:0:2804:56ee:75ff:fe34:630e]

      <security-realm name="TestKerberosRealm">
        <server-identities>
          <kerberos>
            <keytab principal="remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG" path="remote.keytab" relative-to="jboss.server.config.dir" debug="true"/>
          </kerberos>
        </server-identities>
        <authentication>
          <kerberos/>
        </authentication>
      </security-realm>

      4) Use this realm for securing CLI

      <management-interfaces>
        <http-interface security-realm="TestKerberosRealm" http-upgrade-enabled="true">
          <socket-binding http="management-http"/>
        </http-interface>
      </management-interfaces>

      5) Try CLI
      ./jboss-cli.sh -Djavax.security.auth.useSubjectCredsOnly=false --controller=http-remoting://[2620:52:0:2804:56ee:75ff:fe34:630e]:9990

      EAP generates TGS-REQ for remote/2620:52:0:2804:56ee:75ff:fe34:630e.

    • Sprint:
      EAP 7.1.3

      Description

      When Kerberos in a realm is configured to use an IPv6 address with square brackets, e.g. [2620:52:0:2804:56ee:75ff:fe34:630e], EAP generates a TGS-REQ for remote/2620:52:0:2804:56ee:75ff:fe34:630e instead of remote/[2620:52:0:2804:56ee:75ff:fe34:630e]. It causes failures when remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG is used in the keytab.

      This happens when such a realm secures CLI or EJB remoting. It doesn't happen when used for securing the management console.
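
A pre-flight check for the mismatch described above, as an added example that is not part of the original report or of EAP's own code: it derives the service principal the client will request from the controller URL (brackets dropped, as reported) and compares it with the principals held in a keytab. The function names are hypothetical, and the principal list is assumed to be copied by hand from `klist -k` output.

```python
from urllib.parse import urlsplit


def requested_spn(controller_url, service, realm):
    """SPN the client is reported to put in the TGS-REQ for this URL.

    urlsplit().hostname returns an IPv6 literal without its square
    brackets, which mirrors the behaviour described in the report.
    """
    host = urlsplit(controller_url).hostname
    if host is None:
        raise ValueError(f"no host in {controller_url!r}")
    return f"{service}/{host}@{realm}"


def check_keytab(controller_url, keytab_principals):
    """Classify each keytab principal against the SPN that will be requested.

    Returns a list of (principal, requested_spn, status) where status is
    'match', 'bracket-mismatch' (same address, keytab entry has brackets)
    or 'other-host'.
    """
    url_host = urlsplit(controller_url).hostname
    findings = []
    for principal in keytab_principals:
        name, _, realm = principal.rpartition("@")
        service, _, host = name.partition("/")
        spn = requested_spn(controller_url, service, realm)
        if spn == principal:
            status = "match"
        elif host == f"[{url_host}]":
            status = "bracket-mismatch"
        else:
            status = "other-host"
        findings.append((principal, spn, status))
    return findings


# Constructed sample input, using the address and realm from the report.
SAMPLE_URL = "http-remoting://[2620:52:0:2804:56ee:75ff:fe34:630e]:9990"
SAMPLE_KEYTAB = ["remote/[2620:52:0:2804:56ee:75ff:fe34:630e]@JBOSS.ORG"]

if __name__ == "__main__":
    for principal, spn, status in check_keytab(SAMPLE_URL, SAMPLE_KEYTAB):
        print(f"{status}: keytab has {principal}, client requests {spn}")
```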

                People

                • Assignee:
                  baranowb Bartosz Baranowski
                  Reporter:
                  mchoma Martin Choma
                  Tester:
                  Daniel Cihak