[JBoss JIRA] (JGRP-2152) ASYM_ENCRYPT failure on Wildfly 10.1.0
by Bela Ban (JIRA)
[ https://issues.jboss.org/browse/JGRP-2152?page=com.atlassian.jira.plugin.... ]
Bela Ban updated JGRP-2152:
---------------------------
Fix Version/s: 4.0, 3.6.13
> ASYM_ENCRYPT failure on Wildfly 10.1.0
> --------------------------------------
>
> Key: JGRP-2152
> URL: https://issues.jboss.org/browse/JGRP-2152
> Project: JGroups
> Issue Type: Bug
> Affects Versions: 3.6.10
> Reporter: Matt Wringe
> Assignee: Bela Ban
> Fix For: 4.0, 3.6.13
>
> Attachments: hawkular-metrics-1.log, hawkular-metrics-2.log
>
>
> Using ASYM_ENCRYPT on Wildfly 10.1.0 seems to be broken.
> I am using the parameters for ASYM_ENCRYPT specified in http://www.jgroups.org/manual/index.html#Security
> Note: running with SYM_ENCRYPT doesn't cause any issues and it works fine with my setup. It's only ASYM_ENCRYPT which is currently failing.
> Note: running this on EAP fails in a similar manner.
> Eg:
> <protocol type="ASYM_ENCRYPT">
> <property name="encrypt_entire_message">true</property>
> <property name="sym_keylength">128</property>
> <property name="sym_algorithm">AES/ECB/PKCS5Padding</property>
> <property name="asym_keylength">512</property>
> <property name="asym_algorithm">RSA</property>
> </protocol>
> If I run a single instance, then I don't see any problems appear in the logs. It's when I start a second instance that I start to see errors about unrecognised ciphers and timeouts.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (JGRP-2152) ASYM_ENCRYPT failure on Wildfly 10.1.0
by Matt Wringe (JIRA)
Matt Wringe created JGRP-2152:
---------------------------------
Summary: ASYM_ENCRYPT failure on Wildfly 10.1.0
Key: JGRP-2152
URL: https://issues.jboss.org/browse/JGRP-2152
Project: JGroups
Issue Type: Bug
Affects Versions: 3.6.10
Reporter: Matt Wringe
Assignee: Bela Ban
Attachments: hawkular-metrics-1.log, hawkular-metrics-2.log
Using ASYM_ENCRYPT on Wildfly 10.1.0 seems to be broken.
I am using the parameters for ASYM_ENCRYPT specified in http://www.jgroups.org/manual/index.html#Security
Note: running with SYM_ENCRYPT doesn't cause any issues and it works fine with my setup. It's only ASYM_ENCRYPT which is currently failing.
Note: running this on EAP fails in a similar manner.
Eg:
<protocol type="ASYM_ENCRYPT">
<property name="encrypt_entire_message">true</property>
<property name="sym_keylength">128</property>
<property name="sym_algorithm">AES/ECB/PKCS5Padding</property>
<property name="asym_keylength">512</property>
<property name="asym_algorithm">RSA</property>
</protocol>
If I run a single instance, then I don't see any problems appear in the logs. It's when I start a second instance that I start to see errors about unrecognised ciphers and timeouts.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (JGRP-2152) ASYM_ENCRYPT failure on Wildfly 10.1.0
by Matt Wringe (JIRA)
[ https://issues.jboss.org/browse/JGRP-2152?page=com.atlassian.jira.plugin.... ]
Matt Wringe updated JGRP-2152:
------------------------------
Attachment: hawkular-metrics-1.log, hawkular-metrics-2.log
> ASYM_ENCRYPT failure on Wildfly 10.1.0
> --------------------------------------
>
> Key: JGRP-2152
> URL: https://issues.jboss.org/browse/JGRP-2152
> Project: JGroups
> Issue Type: Bug
> Affects Versions: 3.6.10
> Reporter: Matt Wringe
> Assignee: Bela Ban
> Attachments: hawkular-metrics-1.log, hawkular-metrics-2.log
>
>
> Using ASYM_ENCRYPT on Wildfly 10.1.0 seems to be broken.
> I am using the parameters for ASYM_ENCRYPT specified in http://www.jgroups.org/manual/index.html#Security
> Note: running with SYM_ENCRYPT doesn't cause any issues and it works fine with my setup. It's only ASYM_ENCRYPT which is currently failing.
> Note: running this on EAP fails in a similar manner.
> Eg:
> <protocol type="ASYM_ENCRYPT">
> <property name="encrypt_entire_message">true</property>
> <property name="sym_keylength">128</property>
> <property name="sym_algorithm">AES/ECB/PKCS5Padding</property>
> <property name="asym_keylength">512</property>
> <property name="asym_algorithm">RSA</property>
> </protocol>
> If I run a single instance, then I don't see any problems appear in the logs. It's when I start a second instance that I start to see errors about unrecognised ciphers and timeouts.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
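The exchange that the ASYM_ENCRYPT settings quoted in this issue imply, as an added illustration that is not JGroups code and not part of the original report: the coordinator owns an AES-128 shared key, a joining node generates an RSA key pair and sends its public half, the coordinator returns the shared key encrypted under that public key, and from then on both sides encrypt traffic with the same AES key. The four algorithm/size values are copied from the config above; the coordinator/joiner roles, class and method names are assumptions made for this demo. Two caveats a practitioner should keep in mind when reusing these values: a 512-bit RSA modulus is far below current minimums (2048 bits) and is used here only because the config says so, and AES in ECB mode leaks which plaintext blocks repeat, which the last method demonstrates.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added illustration, not JGroups code. Mirrors the four ASYM_ENCRYPT settings quoted in
 * JGRP-2152; the coordinator/joiner roles and method names are assumptions for this demo.
 */
public class AsymEncryptDemo {
    static final String SYM_ALGORITHM  = "AES/ECB/PKCS5Padding"; // sym_algorithm
    static final int    SYM_KEYLENGTH  = 128;                    // sym_keylength
    static final String ASYM_ALGORITHM = "RSA";                  // asym_algorithm
    static final int    ASYM_KEYLENGTH = 512;                    // asym_keylength (demo only; far below today's minimums)

    /** Coordinator: owns the cluster-wide shared secret key. */
    static final class Coordinator {
        final SecretKey sharedKey;

        Coordinator() throws Exception {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(SYM_KEYLENGTH);
            sharedKey = kg.generateKey();
        }

        /** Reply to a joiner's key request: the shared key encrypted under the joiner's public key. */
        byte[] encryptSharedKeyFor(byte[] joinerPublicKeyDer) throws Exception {
            PublicKey pub = KeyFactory.getInstance(ASYM_ALGORITHM)
                    .generatePublic(new X509EncodedKeySpec(joinerPublicKeyDer));
            Cipher rsa = Cipher.getInstance(ASYM_ALGORITHM); // "RSA" is RSA/ECB/PKCS1Padding in the JDK
            rsa.init(Cipher.ENCRYPT_MODE, pub);
            return rsa.doFinal(sharedKey.getEncoded());      // a 16-byte key fits under a 512-bit modulus
        }
    }

    /** Joiner: generates an RSA key pair, sends the public half, receives the wrapped shared key. */
    static final class Joiner {
        final KeyPair keyPair;
        SecretKey sharedKey;

        Joiner() throws Exception {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(ASYM_ALGORITHM);
            kpg.initialize(ASYM_KEYLENGTH);
            keyPair = kpg.generateKeyPair();
        }

        byte[] publicKeyDer() { return keyPair.getPublic().getEncoded(); }

        /** Unwrap the shared key with the private half; only this joiner can do so. */
        void installSharedKey(byte[] wrapped) throws Exception {
            Cipher rsa = Cipher.getInstance(ASYM_ALGORITHM);
            rsa.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
            sharedKey = new SecretKeySpec(rsa.doFinal(wrapped), "AES");
        }
    }

    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance(SYM_ALGORITHM);
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    static byte[] decrypt(SecretKey key, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(SYM_ALGORITHM);
        c.init(Cipher.DECRYPT_MODE, key);
        return c.doFinal(ciphertext);
    }

    /** ECB property check: identical plaintext blocks give identical ciphertext blocks. */
    static boolean ecbRepeatsBlocks(SecretKey key) throws Exception {
        byte[] twoEqualBlocks = new byte[32]; // constructed input: two all-zero 16-byte blocks
        byte[] ct = encrypt(key, twoEqualBlocks);
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        Coordinator coord = new Coordinator();
        Joiner joiner = new Joiner();

        // 1. joiner -> coordinator: my public key
        byte[] wrapped = coord.encryptSharedKeyFor(joiner.publicKeyDer());
        // 2. coordinator -> joiner: shared key, readable only with the joiner's private key
        joiner.installSharedKey(wrapped);

        // 3. both sides now protect cluster traffic with the same AES key
        byte[] msg = "view change from coordinator".getBytes(StandardCharsets.UTF_8);
        byte[] ct  = encrypt(coord.sharedKey, msg);
        System.out.println("joiner decrypts coordinator traffic: "
                + Arrays.equals(msg, decrypt(joiner.sharedKey, ct)));

        // Why ECB is a poor choice for message payloads: repeated blocks are visible in the ciphertext.
        System.out.println("ECB leaks repeated blocks: " + ecbRepeatsBlocks(coord.sharedKey));
    }
}
```

Compile and run with `javac AsymEncryptDemo.java && java AsymEncryptDemo` on any JDK 8 or later. A second joiner that never completed steps 1 and 2 holds no copy of `sharedKey`, so it cannot decrypt `ct`; with a wrong AES key, `AES/ECB/PKCS5Padding` almost always fails at unpadding with a `BadPaddingException`, which is the kind of error one would expect to surface as "unrecognised cipher" style failures when two nodes disagree on the key.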
[JBoss JIRA] (WFLY-7583) Salted password cannot be set through CLI for Elytron filesystem-realm identity
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFLY-7583?page=com.atlassian.jira.plugin.... ]
Brian Stansberry commented on WFLY-7583:
----------------------------------------
Does quoting work?
/subsystem=elytron/filesystem-realm=fsrealm/identity=admin:set-password(bcrypt={iteration-count=42,password=passwrod1,salt="bytes{0x31,0x32,0x33}"})
> Salted password cannot be set through CLI for Elytron filesystem-realm identity
> -------------------------------------------------------------------------------
>
> Key: WFLY-7583
> URL: https://issues.jboss.org/browse/WFLY-7583
> Project: WildFly
> Issue Type: Bug
> Components: CLI, Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Michal Petrov
>
> Password encryption/hash mechanisms which contain a {{salt}} attribute for a filesystem-realm identity cannot be added through the CLI. The {{set-password}} operation fails and finishes with the failure-description "WFLYCTL0155: password may not be null" even though a password was set. It seems that when the {{salt}} attribute with a {{bytes}} value is used, the {{password}} attribute is ignored by the CLI.
> The following password encryption/hash mechanisms from the filesystem-realm identity are affected by this issue:
> - {{bcrypt}}
> - {{salted-simple-digest}}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFLY-7583) Salted password cannot be set through CLI for Elytron filesystem-realm identity
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFLY-7583?page=com.atlassian.jira.plugin.... ]
Brian Stansberry edited comment on WFLY-7583 at 1/11/17 2:56 PM:
-----------------------------------------------------------------
Does quoting work?
{code}
/subsystem=elytron/filesystem-realm=fsrealm/identity=admin:set-password(bcrypt={iteration-count=42,password=passwrod1,salt="bytes{0x31,0x32,0x33}"})
{code}
was (Author: brian.stansberry):
Does quoting work?
/subsystem=elytron/filesystem-realm=fsrealm/identity=admin:set-password(bcrypt={iteration-count=42,password=passwrod1,salt="bytes{0x31,0x32,0x33}"})
> Salted password cannot be set through CLI for Elytron filesystem-realm identity
> -------------------------------------------------------------------------------
>
> Key: WFLY-7583
> URL: https://issues.jboss.org/browse/WFLY-7583
> Project: WildFly
> Issue Type: Bug
> Components: CLI, Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Michal Petrov
>
> Password encryption/hash mechanisms which contain a {{salt}} attribute for a filesystem-realm identity cannot be added through the CLI. The {{set-password}} operation fails and finishes with the failure-description "WFLYCTL0155: password may not be null" even though a password was set. It seems that when the {{salt}} attribute with a {{bytes}} value is used, the {{password}} attribute is ignored by the CLI.
> The following password encryption/hash mechanisms from the filesystem-realm identity are affected by this issue:
> - {{bcrypt}}
> - {{salted-simple-digest}}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-431) CLI should WARN about usage deprecated api
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-431?page=com.atlassian.jira.plugin... ]
Brian Stansberry commented on WFCORE-431:
-----------------------------------------
There has been recent discussion on wildfly-dev re sending warnings via an operation response header.
> CLI should WARN about usage deprecated api
> ------------------------------------------
>
> Key: WFCORE-431
> URL: https://issues.jboss.org/browse/WFCORE-431
> Project: WildFly Core
> Issue Type: Feature Request
> Components: CLI
> Reporter: Tomaz Cerar
> Assignee: Jean-Francois Denise
>
> We added support for deprecating resources/attributes/operations/parameters some time ago.
> It would be a good thing to warn users if they are using a deprecated API.
> Every resource/attribute/operation/param that is deprecated has an extra element "deprecated" in its metadata,
> with the sub-elements:
> - "since", which tells in what version it was deprecated
> - "reason", a text description of why it is deprecated.
> The reason in most cases also tells what the new replacement is.
> This should only be displayed in the case of interactive shell usage,
> unless there is also some special CLI log file; it could be part of that even for non-interactive usage.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (ELY-760) Elytron Ldap Realm searches roles before validating password
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-760?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina reassigned ELY-760:
------------------------------
Assignee: Jan Kalina (was: Darran Lofthouse)
> Elytron Ldap Realm searches roles before validating password
> ------------------------------------------------------------
>
> Key: ELY-760
> URL: https://issues.jboss.org/browse/ELY-760
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0.Beta13
> Reporter: Ondrej Lukas
> Assignee: Jan Kalina
> Priority: Critical
>
> In the Ldap Realm, roles are searched before the actual user password is validated. The Ldap Realm uses the following flow:
> # searching for the username
> # searching for roles (i.e. searching for attributes)
> # validating the password for the username
> This means that even if a wrong password is used, the roles in LDAP are searched. The password should be validated before any roles are searched. The current behavior can result in performance issues.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (ELY-760) Elytron Ldap Realm searches roles before validating password
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-760?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina commented on ELY-760:
--------------------------------
This means dividing LdapSecurityRealm.getIdentity(), so that extractFilteredAttributes() will be called as part of getAuthorizationIdentity() or getAttributes().
This means a change of design: LdapIdentity.attributes will not be final anymore; it will be lazily loaded.
> Elytron Ldap Realm searches roles before validating password
> ------------------------------------------------------------
>
> Key: ELY-760
> URL: https://issues.jboss.org/browse/ELY-760
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0.Beta13
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> In the Ldap Realm, roles are searched before the actual user password is validated. The Ldap Realm uses the following flow:
> # searching for the username
> # searching for roles (i.e. searching for attributes)
> # validating the password for the username
> This means that even if a wrong password is used, the roles in LDAP are searched. The password should be validated before any roles are searched. The current behavior can result in performance issues.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
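The ordering problem reported in ELY-760 and the lazy-loading design proposed in the comment above, side by side, as an added illustration that is not Elytron's LdapSecurityRealm and not part of the original thread. A constructed in-memory stand-in for the directory counts user searches, binds and role searches, so the cost of a failed login can be compared between the current flow (attributes fetched eagerly in getIdentity(), before the password is checked) and the proposed one (attributes fetched on first getAttributes() call, which only happens after successful verification). All class, method and field names are assumptions for this demo.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

/*
 * Added illustration of ELY-760; not WildFly Elytron code. Class and method names are
 * assumptions chosen to echo the issue's description of LdapSecurityRealm.getIdentity().
 * Requires Java 9+ (Map.of / List.of).
 */
public class LdapRealmOrderDemo {

    /** Constructed stand-in for an LDAP server; counts each kind of request. */
    static final class FakeDirectory {
        final Map<String, String> passwords = Map.of("alice", "s3cret");
        final Map<String, List<String>> roles = Map.of("alice", List.of("admin", "dev"));
        int userSearches, roleSearches, binds;

        boolean searchUser(String uid) { userSearches++; return passwords.containsKey(uid); }

        List<String> searchRoles(String uid) { roleSearches++; return roles.getOrDefault(uid, List.of()); }

        /** Password validation (an LDAP bind or compare against the real server). */
        boolean verifyPassword(String uid, String pw) { binds++; return pw.equals(passwords.get(uid)); }
    }

    /** Identity whose attributes are fetched eagerly (current) or on first use (proposed). */
    static final class LdapIdentity {
        private final String uid;
        private final FakeDirectory dir;
        private final Supplier<List<String>> attributeLoader;
        private List<String> attributes; // not final: filled on first getAttributes() in the lazy design

        LdapIdentity(String uid, FakeDirectory dir, boolean eager) {
            this.uid = uid;
            this.dir = dir;
            this.attributeLoader = () -> dir.searchRoles(uid);
            if (eager) attributes = attributeLoader.get(); // step 2 happens before step 3
        }

        /** Step 3: validate the password. */
        boolean verifyEvidence(String password) { return dir.verifyPassword(uid, password); }

        /** In the lazy design this is where the roles search runs, i.e. only after verification. */
        List<String> getAttributes() {
            if (attributes == null) attributes = attributeLoader.get();
            return attributes;
        }
    }

    /** Step 1 (user search) plus, in the eager design, step 2 (roles search). */
    static LdapIdentity getIdentity(FakeDirectory dir, String uid, boolean eager) {
        if (!dir.searchUser(uid)) return null;
        return new LdapIdentity(uid, dir, eager);
    }

    /** Full login: returns the roles on success, null on unknown user or bad password. */
    static List<String> login(FakeDirectory dir, String uid, String pw, boolean eager) {
        LdapIdentity id = getIdentity(dir, uid, eager);
        if (id == null || !id.verifyEvidence(pw)) return null;
        return id.getAttributes();
    }

    public static void main(String[] args) {
        for (boolean eager : new boolean[] {true, false}) {
            FakeDirectory dir = new FakeDirectory();
            login(dir, "alice", "wrong-password", eager);
            System.out.printf("%s: a bad password cost %d user search, %d bind, %d role search(es)%n",
                    eager ? "eager (current)" : "lazy (proposed)",
                    dir.userSearches, dir.binds, dir.roleSearches);
            System.out.println("  good login returns roles: " + login(dir, "alice", "s3cret", eager));
        }
    }
}
```

With the eager flow a wrong password still costs one role search; with the lazy flow the role search count stays at zero until a login actually succeeds, which is the performance point the issue makes. The successful-login path returns the same roles in both designs, so the change is invisible to callers that only use getAttributes() after authentication.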
[JBoss JIRA] (JGRP-2151) SYM_ENCRYPT: allow other keystore types besides JCEKS
by Bela Ban (JIRA)
[ https://issues.jboss.org/browse/JGRP-2151?page=com.atlassian.jira.plugin.... ]
Bela Ban commented on JGRP-2151:
--------------------------------
Done, on master and 3.6 branches. Needs to be tested, e.g. with a cert created by openssl.
> SYM_ENCRYPT: allow other keystore types besides JCEKS
> -----------------------------------------------------
>
> Key: JGRP-2151
> URL: https://issues.jboss.org/browse/JGRP-2151
> Project: JGroups
> Issue Type: Feature Request
> Reporter: Bela Ban
> Assignee: Bela Ban
> Fix For: 4.0, 3.6.13
>
>
> Currently SYM_ENCRYPT accepts only keystores of type JCEKS. Other types such as JKS or PKCS12 are not permitted.
> Solution: add an attribute keystore_type to SYM_ENCRYPT, which will allow for other keystore types to be used.
> E.g. keystore_type="PKCS12" means that an external certificate generated by openssl will be usable.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (JGRP-2151) SYM_ENCRYPT: allow other keystore types besides JCEKS
by Bela Ban (JIRA)
Bela Ban created JGRP-2151:
------------------------------
Summary: SYM_ENCRYPT: allow other keystore types besides JCEKS
Key: JGRP-2151
URL: https://issues.jboss.org/browse/JGRP-2151
Project: JGroups
Issue Type: Feature Request
Reporter: Bela Ban
Assignee: Bela Ban
Fix For: 4.0, 3.6.13
Currently SYM_ENCRYPT accepts only keystores of type JCEKS. Other types such as JKS or PKCS12 are not permitted.
Solution: add an attribute keystore_type to SYM_ENCRYPT, which will allow for other keystore types to be used.
E.g. keystore_type="PKCS12" means that an external certificate generated by openssl will be usable.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
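What the new keystore_type attribute has to cope with, as an added illustration that is not JGroups code and not part of the original thread: it assumes, as SYM_ENCRYPT does, that the keystore holds a symmetric SecretKey under an alias, and tries the three JDK keystore types named in the issue. JCEKS and PKCS12 can store and return a SecretKey; JKS refuses to store anything but a private key; and opening a PKCS12 file while the configured type still says JCEKS fails at load time. The alias and passwords are assumptions for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/*
 * Added illustration for JGRP-2151; not JGroups code. Alias and password are assumptions.
 * Exercises the three keystore types the issue names with the SecretKey a SYM_ENCRYPT-style
 * protocol expects to find.
 */
public class KeystoreTypeDemo {
    static final String ALIAS = "mykey";                 // assumption: alias the protocol is configured with
    static final char[] PASSWORD = "changeit".toCharArray(); // assumption: store and key password

    /** Build an in-memory keystore of the given type holding one AES-128 secret key; return its bytes. */
    static byte[] createStoreWithSecretKey(String keystoreType) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance(keystoreType);
        ks.load(null, null);                              // fresh, empty store
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(PASSWORD));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);
        return out.toByteArray();
    }

    /** What the protocol does at startup: open the store as keystore_type and fetch the secret key. */
    static SecretKey readSecretKey(String keystoreType, byte[] storeBytes) throws Exception {
        KeyStore ks = KeyStore.getInstance(keystoreType);
        ks.load(new ByteArrayInputStream(storeBytes), PASSWORD);
        Key k = ks.getKey(ALIAS, PASSWORD);
        if (k == null) throw new KeyStoreException("no entry under alias " + ALIAS);
        // An openssl-generated PKCS12 normally carries a PrivateKey plus certificate, not a SecretKey,
        // so the entry type must be checked rather than blindly cast.
        if (!(k instanceof SecretKey)) throw new KeyStoreException("entry " + ALIAS + " is a " + k.getClass().getSimpleName() + ", not a SecretKey");
        return (SecretKey) k;
    }

    public static void main(String[] args) throws Exception {
        for (String type : new String[] {"JCEKS", "PKCS12", "JKS"}) {
            try {
                byte[] bytes = createStoreWithSecretKey(type);
                SecretKey k = readSecretKey(type, bytes);
                System.out.println(type + ": ok, " + k.getAlgorithm() + " key of " + (k.getEncoded().length * 8) + " bits");
            } catch (KeyStoreException e) {
                System.out.println(type + ": rejected, " + e.getMessage());
            }
        }

        // Type mismatch: PKCS12 bytes opened with keystore_type left at the old default of JCEKS.
        byte[] p12 = createStoreWithSecretKey("PKCS12");
        try {
            readSecretKey("JCEKS", p12);
        } catch (IOException e) {
            System.out.println("PKCS12 bytes loaded as JCEKS: " + e.getMessage());
        }
    }
}
```

The JKS branch is the reason a type attribute is needed at all: the JDK's JKS implementation throws a KeyStoreException when asked to store a non-private key, so a symmetric key can only live in JCEKS or PKCS12. The last block shows the failure an operator sees when the file type and the configured keystore_type disagree, which is worth checking before suspecting the key material itself.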