[JBoss JIRA] (WFLY-7091) Not able to configure list of key/trust managers on elytron ssl context.
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-7091?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-7091:
-------------------------------
Description:
Base on xsd/model documentation key-managers and trust-managers attributes seems to be meant to hold list of managers. That also comply to SSLContext init() method [1]. Hovewer, in elytron subsystem, they are of type string and any my tries to set list (space/comma delimited list) failed.
XSD documentation
* key-managers - Reference to the KeyManagers to be used by this SSLContext.
* trust-managers - Reference to the TrustManagers to be used by this SSLContext.
Model description:
{noformat}
"key-managers" => {
"type" => STRING,
"description" => "Reference to the key managers to use within the SSLContext.",
"expressions-allowed" => false,
"nillable" => true,
"capability-reference" => "org.wildfly.security.key-managers",
"min-length" => 1L,
"max-length" => 2147483647L,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "resource-services"
},
"trust-managers" => {
"type" => STRING,
"description" => "Reference to the trust managers to use within the SSLContext.",
"expressions-allowed" => false,
"nillable" => true,
"capability-reference" => "org.wildfly.security.trust-managers",
"min-length" => 1L,
"max-length" => 2147483647L,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "resource-services"
},
{noformat}
[1] https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html#i...
was:
key-managers and trust-managers attributes seems to be meant to hold list of managers. That also comply to SSLContext init() method [1]. Hovewer, in elytron subsystem, they are of type string and any my tries to set list (space/comma delimited list) failed.
XSD documentation
* key-managers - Reference to the KeyManagers to be used by this SSLContext.
* trust-managers - Reference to the TrustManagers to be used by this SSLContext.
Model description:
{noformat}
"key-managers" => {
"type" => STRING,
"description" => "Reference to the key managers to use within the SSLContext.",
"expressions-allowed" => false,
"nillable" => true,
"capability-reference" => "org.wildfly.security.key-managers",
"min-length" => 1L,
"max-length" => 2147483647L,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "resource-services"
},
"trust-managers" => {
"type" => STRING,
"description" => "Reference to the trust managers to use within the SSLContext.",
"expressions-allowed" => false,
"nillable" => true,
"capability-reference" => "org.wildfly.security.trust-managers",
"min-length" => 1L,
"max-length" => 2147483647L,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "resource-services"
},
{noformat}
[1] https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html#i...
> Not able to configure list of key/trust managers on elytron ssl context.
> ------------------------------------------------------------------------
>
> Key: WFLY-7091
> URL: https://issues.jboss.org/browse/WFLY-7091
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
>
> Base on xsd/model documentation key-managers and trust-managers attributes seems to be meant to hold list of managers. That also comply to SSLContext init() method [1]. Hovewer, in elytron subsystem, they are of type string and any my tries to set list (space/comma delimited list) failed.
> XSD documentation
> * key-managers - Reference to the KeyManagers to be used by this SSLContext.
> * trust-managers - Reference to the TrustManagers to be used by this SSLContext.
> Model description:
> {noformat}
> "key-managers" => {
> "type" => STRING,
> "description" => "Reference to the key managers to use within the SSLContext.",
> "expressions-allowed" => false,
> "nillable" => true,
> "capability-reference" => "org.wildfly.security.key-managers",
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> },
> "trust-managers" => {
> "type" => STRING,
> "description" => "Reference to the trust managers to use within the SSLContext.",
> "expressions-allowed" => false,
> "nillable" => true,
> "capability-reference" => "org.wildfly.security.trust-managers",
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> },
> {noformat}
> [1] https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html#i...
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 10 months
[JBoss JIRA] (WFLY-7091) Not able to configure list of key/trust managers on elytron ssl context.
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-7091?page=com.atlassian.jira.plugin.... ]
Martin Choma moved JBEAP-5951 to WFLY-7091:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7091 (was: JBEAP-5951)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: 11.0.0.Alpha1
(was: 7.1.0.DR4)
> Not able to configure list of key/trust managers on elytron ssl context.
> ------------------------------------------------------------------------
>
> Key: WFLY-7091
> URL: https://issues.jboss.org/browse/WFLY-7091
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
>
> key-managers and trust-managers attributes seems to be meant to hold list of managers. That also comply to SSLContext init() method [1]. Hovewer, in elytron subsystem, they are of type string and any my tries to set list (space/comma delimited list) failed.
> XSD documentation
> * key-managers - Reference to the KeyManagers to be used by this SSLContext.
> * trust-managers - Reference to the TrustManagers to be used by this SSLContext.
> Model description:
> {noformat}
> "key-managers" => {
> "type" => STRING,
> "description" => "Reference to the key managers to use within the SSLContext.",
> "expressions-allowed" => false,
> "nillable" => true,
> "capability-reference" => "org.wildfly.security.key-managers",
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> },
> "trust-managers" => {
> "type" => STRING,
> "description" => "Reference to the trust managers to use within the SSLContext.",
> "expressions-allowed" => false,
> "nillable" => true,
> "capability-reference" => "org.wildfly.security.trust-managers",
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> },
> {noformat}
> [1] https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html#i...
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 10 months
[JBoss JIRA] (WFLY-5550) Formalize web session clustering modules into a proper subsystem
by Paul Ferraro (JIRA)
[ https://issues.jboss.org/browse/WFLY-5550?page=com.atlassian.jira.plugin.... ]
Paul Ferraro updated WFLY-5550:
-------------------------------
Description:
Currently, the coupling between the undertow subsystem and the modules required for distributed web session manager and single sign-on manager support is very loose.
Consequently, misconfiguration (e.g. a missing "web" cache-container) can prevent deployment from succeeding without an adequate explanation.
The subsystem would define the requisite cache-container, exposed as a capability.
This subsystem would exposes a number of profiles, containing the configuration traditionally specified in jboss-web.xml, as well as the cache configuration to use (specified by cache-container + cache name). jboss-web.xml would only need to reference a profile by name, or, if unspecified, use the default profile.
was:
Currently, the coupling between the undertow subsystem and the modules required for distributed web session manager and single sign-on manager support is very loose.
Consequently, misconfiguration (e.g. a missing "web" cache-container) can prevent deployment from succeeding without an adequate explanation.
The subsystem would define the requisite cache-container, exposed as a capability.
> Formalize web session clustering modules into a proper subsystem
> ----------------------------------------------------------------
>
> Key: WFLY-5550
> URL: https://issues.jboss.org/browse/WFLY-5550
> Project: WildFly
> Issue Type: Enhancement
> Components: Clustering
> Affects Versions: 10.0.0.CR3
> Reporter: Paul Ferraro
> Assignee: Paul Ferraro
> Fix For: 11.0.0.Alpha1
>
>
> Currently, the coupling between the undertow subsystem and the modules required for distributed web session manager and single sign-on manager support is very loose.
> Consequently, misconfiguration (e.g. a missing "web" cache-container) can prevent deployment from succeeding without an adequate explanation.
> The subsystem would define the requisite cache-container, exposed as a capability.
> This subsystem would exposes a number of profiles, containing the configuration traditionally specified in jboss-web.xml, as well as the cache configuration to use (specified by cache-container + cache name). jboss-web.xml would only need to reference a profile by name, or, if unspecified, use the default profile.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 10 months
[JBoss JIRA] (WFCORE-1781) DomainModelControllerService is installing the management request handlers for DC-related requests for slaves using cached-dc
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-1781?page=com.atlassian.jira.plugi... ]
Brian Stansberry updated WFCORE-1781:
-------------------------------------
Description:
The DomainModelControllerService code block that parses a local domain.xml is also installing the service the allows the management interface to accept requests that uses the request headers meant for the master side slave->master intra-domain communications. This service should not be added in the slave using cached-dc case, but it is now.
It also shouldn't be added if the DC is running admin-only.
OTOH in all cases where it is not added, a different service should be added that will reject any slave registration requests that come in with the correct error codes that the slave knows how to parse. Currently that rejection is only happening for admin-only masters or slaves that are using cached-dc, which is not correct.
was:The DomainModelControllerService code block that parses a local domain.xml is also installing the service the allows the management interface to accept requests that uses the request headers meant for the master side slave->master intra-domain communications. This service should not be added in the slave using cached-dc case, but it is now.
> DomainModelControllerService is installing the management request handlers for DC-related requests for slaves using cached-dc
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-1781
> URL: https://issues.jboss.org/browse/WFCORE-1781
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Reporter: Brian Stansberry
> Assignee: Brian Stansberry
>
> The DomainModelControllerService code block that parses a local domain.xml is also installing the service the allows the management interface to accept requests that uses the request headers meant for the master side slave->master intra-domain communications. This service should not be added in the slave using cached-dc case, but it is now.
> It also shouldn't be added if the DC is running admin-only.
> OTOH in all cases where it is not added, a different service should be added that will reject any slave registration requests that come in with the correct error codes that the slave knows how to parse. Currently that rejection is only happening for admin-only masters or slaves that are using cached-dc, which is not correct.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 10 months
[JBoss JIRA] (WFCORE-1781) DomainModelControllerService is installing the management request handlers for DC-related requests for slaves using cached-dc
by Brian Stansberry (JIRA)
Brian Stansberry created WFCORE-1781:
----------------------------------------
Summary: DomainModelControllerService is installing the management request handlers for DC-related requests for slaves using cached-dc
Key: WFCORE-1781
URL: https://issues.jboss.org/browse/WFCORE-1781
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Brian Stansberry
Assignee: Brian Stansberry
The DomainModelControllerService code block that parses a local domain.xml is also installing the service the allows the management interface to accept requests that uses the request headers meant for the master side slave->master intra-domain communications. This service should not be added in the slave using cached-dc case, but it is now.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 10 months
[JBoss JIRA] (WFLY-7073) elytron key/trust-managers incosistency between dmr and xsd
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFLY-7073?page=com.atlassian.jira.plugin.... ]
Jan Kalina edited comment on WFLY-7073 at 9/10/16 1:29 PM:
-----------------------------------------------------------
Summary: add PROVIDER attribute into managers (like in key-stores already is)
* mangers XML attribute "provider" will have to be renamed to "provider-loader"
was (Author: honza889):
Summary: add PROVIDER attribute into managers (like in key-stores already is)
* mangers XML attribute PROVIDER will have to be renamed to PROVIDER_LOADER
> elytron key/trust-managers incosistency between dmr and xsd
> -----------------------------------------------------------
>
> Key: WFLY-7073
> URL: https://issues.jboss.org/browse/WFLY-7073
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Jan Kalina
>
> For key/trust-managers in dmr model, there is "provider-loader" attribute [1], however xsd defines provider attribute [2] for key/trust-managers.
> Probably if user could define both provider and provider-loader, that would be the best.
> [1]
> {noformat}
> [standalone@localhost:9990 /] /subsystem=elytron/key-managers=server2:add(
> algorithm key-store password provider-loader
> {noformat}
> [2]
> https://github.com/wildfly-security/elytron-subsystem/blob/master/src/mai...
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 10 months
[JBoss JIRA] (WFLY-7073) elytron key/trust-managers incosistency between dmr and xsd
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFLY-7073?page=com.atlassian.jira.plugin.... ]
Jan Kalina edited comment on WFLY-7073 at 9/10/16 1:28 PM:
-----------------------------------------------------------
Summary: add PROVIDER attribute into managers (like in key-stores already is)
* mangers XML attribute PROVIDER will have to be renamed to PROVIDER_LOADER
was (Author: honza889):
Summary: add PROVIDER attribute into managers (like in key-stores already is)
> elytron key/trust-managers incosistency between dmr and xsd
> -----------------------------------------------------------
>
> Key: WFLY-7073
> URL: https://issues.jboss.org/browse/WFLY-7073
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Jan Kalina
>
> For key/trust-managers in dmr model, there is "provider-loader" attribute [1], however xsd defines provider attribute [2] for key/trust-managers.
> Probably if user could define both provider and provider-loader, that would be the best.
> [1]
> {noformat}
> [standalone@localhost:9990 /] /subsystem=elytron/key-managers=server2:add(
> algorithm key-store password provider-loader
> {noformat}
> [2]
> https://github.com/wildfly-security/elytron-subsystem/blob/master/src/mai...
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
9 years, 10 months