[keycloak-user] Modcluster does connect in SSL to keycloak
Olivier Rivat
orivat at janua.fr
Wed Feb 14 06:13:49 EST 2018
Hi,
I am trying to set up the modcluster to keycloak connection in SSL.
The error I obtained is:
11:53:32,916 ERROR [org.jboss.modcluster] (UndertowEventHandlerAdapter - 1) MODCLUSTER000043: Failed to send INFO command to vps383894.ovh.net/79.137.82.56:8180: Unrecognized SSL message, plaintext connection?
My proxy_cluster.conf is:
MemManagerFile /var/cache/mod_cluster
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule advertise_module /usr/lib/apache2/modules/mod_advertise.so
LoadModule manager_module /usr/lib/apache2/modules/mod_manager.so
LoadModule proxy_cluster_module /usr/lib/apache2/modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module /usr/lib/apache2/modules/mod_cluster_slotmem.so

<IfModule manager_module>
    Listen 8180 http
    SSLProxyEngine On
    SSLProxyVerify require
    # if not using self signed certificates set the verify depth appropriately
    # (httpd does not accept trailing comments on a directive line, so the
    # comment sits on its own line)
    SSLProxyVerifyDepth 1
    SSLProxyCACertificateFile /home/olivier/dev/MyRootCA.pem
    SSLProxyMachineCertificateFile /home/olivier/dev/MyClient1.pem
    SSLProxyProtocol ALL -SSLv2

    <VirtualHost vps383894.ovh.net:8180>
        SSLEngine on
        SSLCertificateFile /home/olivier/dev/MyClient1.pem
        SSLCertificateKeyFile /home/olivier/dev/certs/MyClient1.key

        <Directory />
            # add ip of JBoss nodes to join this proxy here
            #Require ip vps383894.ovh.net
            #Require all granted
            Order deny,allow
            Allow from all
        </Directory>

        ServerAdvertise on
        EnableMCPMReceive

        <Location /mod_cluster_manager>
            SetHandler mod_cluster-manager
            # add ip of clients allowed to access mod_cluster-manager
            #Require ip vps383894.ovh.net
            #Require all granted
            Order deny,allow
            Allow from all
            LogLevel message
        </Location>
    </VirtualHost>
</IfModule>
The standalone-ha.xml contains the following modification:
<subsystem xmlns="urn:jboss:domain:modcluster:3.0">
    <mod-cluster-config advertise-socket="modcluster" proxies="proxy1" connector="https">
        <dynamic-load-provider>
            <load-metric type="busyness"/>
        </dynamic-load-provider>
        <ssl key-alias="Myclient1" password="secret"
             certificate-key-file="/home/olivier/dev/keycloak/keycloak-3.4.3.Final/standalone/configuration/keystore.jks"
             ca-certificate-file="/home/olivier/dev/keycloak/keycloak-3.4.3.Final/standalone/configuration/truststore.jks"/>
    </mod-cluster-config>
</subsystem>
and
<socket-binding-group name="standard-sockets" default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management"
                    port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management"
                    port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="jgroups-mping" interface="private" port="0"
                    multicast-address="${jboss.default.multicast.address:230.0.0.4}"
                    multicast-port="45700"/>
    <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
    <socket-binding name="jgroups-udp" interface="private" port="55200"
                    multicast-address="${jboss.default.multicast.address:230.0.0.4}"
                    multicast-port="45688"/>
    <socket-binding name="modcluster" port="0"
                    multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}"
                    multicast-port="23364"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
    <outbound-socket-binding name="proxy1">
        <remote-destination host="79.137.82.56" port="8180"/>
    </outbound-socket-binding>
</socket-binding-group>
Keycloak is launched as follows:
/standalone.sh -c standalone-ha.xml -Djboss.socket.binding.port-offset=300 -Djboss.node.name=node1 -Djboss.bind.address=vps383894.ovh.net
MyRootCA and MyClient1 are part of the keystores.jks.
What could be wrong with my settings?
Regards,
Olivier
--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
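The error quoted in the mail is the JSSE client's way of saying that it began a TLS handshake and the peer answered with something that is not a TLS record. The probe below is an added example, not code from the original mail, from Keycloak or from mod_cluster; it reports whether a given host:port speaks TLS at all, and separates that from certificate trust problems, which show up as a different verdict. The host and port in main() are placeholders, and the loopback server is a constructed stand-in for a listener that answers in plaintext.

```python
"""Added diagnostic: does the port a mod_cluster node is configured to reach
actually speak TLS?  Verdicts: 'tls' (handshake completed, or at least got as
far as certificate verification), 'no-tls' (peer answered in plaintext or
closed the connection mid-handshake), 'unreachable' (no TCP connection).
Target host/port in main() are placeholders; the local server is constructed."""
import http.server
import socket
import ssl
import threading


def probe(host: str, port: int, timeout: float = 5.0) -> tuple:
    """Return (verdict, detail) for host:port, see module docstring."""
    ctx = ssl.create_default_context()  # verification stays on; trust is reported, not bypassed
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls", "handshake completed with %s" % tls.version())
    except ssl.SSLCertVerificationError as e:
        # the peer does speak TLS; only the trust chain is wrong
        return ("tls", "handshake reached certificate verification: %s" % e.reason)
    except ssl.SSLError as e:
        # OpenSSL's counterpart of "Unrecognized SSL message, plaintext connection?",
        # typically reason WRONG_VERSION_NUMBER for an HTTP status line
        return ("no-tls", e.reason or e.__class__.__name__)
    except OSError as e:  # refused, timed out, no route, name lookup failure
        return ("unreachable", str(e))


def start_plaintext_server() -> tuple:
    """Constructed stand-in for a listener that answers HTTP in plaintext on an
    ephemeral loopback port.  Returns (server, port); caller shuts it down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), http.server.BaseHTTPRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    verdict, detail = probe("proxy.example.invalid", 8180)  # placeholder target
    print(verdict, detail)
```

Run it against the address and port from the proxy1 outbound-socket-binding; a 'no-tls' verdict means the listener is not terminating TLS on that port, while 'tls' with a certificate-verification detail means the listener is fine and the trust material on the node side needs a look.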