[JBoss JIRA] (ELY-1436) Log jdbc-realm key-mapper processing
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1436?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse reassigned ELY-1436:
-------------------------------------
Assignee: (was: Darran Lofthouse)
> Log jdbc-realm key-mapper processing
> ------------------------------------
>
> Key: ELY-1436
> URL: https://issues.jboss.org/browse/ELY-1436
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
>
> User reported problem with getting work jdbc_realm with bcrypt mapper. He had configured org.wildfly.security to log TRACE messages, but log does not provide any useful information regarding mapping password from DB.
> In this case seems problem was in mixing base64 vs. modular crypt format.
> Looking into PasswordKeyMapper there is a lot of logic and lot of steps which can get wrong. So logging some TRACE messages can hint user what is going on and what went wrong.
> Also I have noticed there is unhandled exception. Please at least log some TRACE message.
> {code:java|title=PasswordKeyMapper.java}
> } catch (InvalidKeySpecException e) {
> // fall out (unlikely but possible)
> }
> {code}
> [1] https://developer.jboss.org/message/977727
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1436) Log jdbc-realm key-mapper processing
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1436?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1436:
------------------------------
Summary: Log jdbc-realm key-mapper processing (was: Elytron, log jdbc-realm key-mapper processing)
> Log jdbc-realm key-mapper processing
> ------------------------------------
>
> Key: ELY-1436
> URL: https://issues.jboss.org/browse/ELY-1436
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
>
> User reported problem with getting work jdbc_realm with bcrypt mapper. He had configured org.wildfly.security to log TRACE messages, but log does not provide any useful information regarding mapping password from DB.
> In this case seems problem was in mixing base64 vs. modular crypt format.
> Looking into PasswordKeyMapper there is a lot of logic and lot of steps which can get wrong. So logging some TRACE messages can hint user what is going on and what went wrong.
> Also I have noticed there is unhandled exception. Please at least log some TRACE message.
> {code:java|title=PasswordKeyMapper.java}
> } catch (InvalidKeySpecException e) {
> // fall out (unlikely but possible)
> }
> {code}
> [1] https://developer.jboss.org/message/977727
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1436) Elytron, log jdbc-realm key-mapper processing
by Martin Choma (JIRA)
Martin Choma created ELY-1436:
---------------------------------
Summary: Elytron, log jdbc-realm key-mapper processing
Key: ELY-1436
URL: https://issues.jboss.org/browse/ELY-1436
Project: WildFly Elytron
Issue Type: Bug
Reporter: Martin Choma
Assignee: Darran Lofthouse
User reported problem with getting work jdbc_realm with bcrypt mapper. He had configured org.wildfly.security to log TRACE messages, but log does not provide any useful information regarding mapping password from DB.
In this case seems problem was in mixing base64 vs. modular crypt format.
Looking into PasswordKeyMapper there is a lot of logic and lot of steps which can get wrong. So logging some TRACE messages can hint user what is going on and what went wrong.
Also I have noticed there is unhandled exception. Please at least log some TRACE message.
{code:java|title=PasswordKeyMapper.java}
} catch (InvalidKeySpecException e) {
// fall out (unlikely but possible)
}
{code}
[1] https://developer.jboss.org/message/977727
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1435) Elytron BCrypt Mapper Not Working with jBCrypt
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1435?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse commented on ELY-1435:
---------------------------------------
At this point in time we would not be able to 'change' the format - .Final releases of WildFly Elytron are out there so unless a bug means a specific feature is impossible to use we need to keep it supported as-is for backwards compatibility.
I haven't dug into the realms mapping implementation for a while but maybe we can come up with something that would support both types, ideally automatically but if not based on configuration.
> Elytron BCrypt Mapper Not Working with jBCrypt
> ----------------------------------------------
>
> Key: ELY-1435
> URL: https://issues.jboss.org/browse/ELY-1435
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.0.0.Final
> Environment: Wildfly 11.0.0.Final
> Windows Server 2008
> JDK 9.0.1
> Reporter: Paul Carroll
> Priority: Minor
>
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3408) Error on startup when multiple FIPS Credential Stores are configured
by Tomas Hofman (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3408?page=com.atlassian.jira.plugi... ]
Tomas Hofman moved JBEAP-13731 to WFCORE-3408:
----------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-3408 (was: JBEAP-13731)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: 4.0.0.Alpha2
(was: 7.1.0.CR3)
> Error on startup when multiple FIPS Credential Stores are configured
> --------------------------------------------------------------------
>
> Key: WFCORE-3408
> URL: https://issues.jboss.org/browse/WFCORE-3408
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: Tomas Hofman
> Assignee: Tomas Hofman
> Priority: Critical
>
> In case there is multiple external PKCS11 credential stores configured, intermittently it happens on startup exception occurs. Seems more CS are configured, it is bigger chance to hit error. If only one CS is configured error does not occur.
> We have automatic tests with 3 CS and so far we have not hit this issue. With 5 CS from reproducer it happens nearly with each restart. I hit this during discussing analysis of advanced keystore features [1] with Farah.
> Multiple CS can be expected by users, when they want to logically separate CS files for some reason. However technically everything can be stored in one CS.
> That is analogy of https://issues.jboss.org/browse/JBEAP-11693 for PKCS11 credential store. Fix for that issue was proper synchronization of PKCS11 keystore loading. I assume something similar will be needed here.
> If there is missing synchronization of PKCS11 keystore in Credential store implementation, that can in theory occur in combination of 1 CS and multiple PKCS11 keystores as well. However this scenario is tested for and such problem haven't occurred yet.
> [~bmaxwell] Is GSS is ok with this being critical since a workaround exists?
> External Credential Store is new feature of Elytron tracked by EAP7-277.
> {code:title=KeyStoreException: invalid KeyStore state: found N secret keys sharing CKA_LABEL [my-key]}
> 09:56:15,574 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("credential-store" => "MyStore")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.MyStore" => "WFLYELY00004: Unable to start the service.
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: java.security.KeyStoreException: expected but could not find secret key
> Caused by: java.security.KeyStoreException: expected but could not find secret key"}}
> 09:56:15,575 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("credential-store" => "MyStore4")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.MyStore4" => "WFLYELY00004: Unable to start the service.
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: java.security.KeyStoreException: invalid KeyStore state: found 2 secret keys sharing CKA_LABEL [my-key]
> Caused by: java.security.KeyStoreException: invalid KeyStore state: found 2 secret keys sharing CKA_LABEL [my-key]"}}
> 09:56:15,576 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("credential-store" => "MyStore5")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.MyStore5" => "WFLYELY00004: Unable to start the service.
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: java.security.KeyStoreException: invalid KeyStore state: found 3 secret keys sharing CKA_LABEL [my-key]
> Caused by: java.security.KeyStoreException: invalid KeyStore state: found 3 secret keys sharing CKA_LABEL [my-key]"}}
> {code}
> [1] https://developer.jboss.org/wiki/AnalysisDesign-AdvancedElytronKey-storeM...
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3406) find-non-progressing-operation doesn't return the blocking operation
by Chao Wang (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3406?page=com.atlassian.jira.plugi... ]
Chao Wang reassigned WFCORE-3406:
---------------------------------
Assignee: Chao Wang
> find-non-progressing-operation doesn't return the blocking operation
> --------------------------------------------------------------------
>
> Key: WFCORE-3406
> URL: https://issues.jboss.org/browse/WFCORE-3406
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Reporter: Claudio Miranda
> Assignee: Chao Wang
>
> The find-non-progressing-operation operation of /core-service=management/service=management-operations doesn't return the operation id of a blocking operation on standalone. It works on domain mode.
> To simulate the blocking operation, install the BlockingExtension from testsuite and call
> {code}
> /subsystem=blocker-test:block(block-point=MODEL,block-time=50000}
> {code}
> Open another jboss-cli.sh and call
> {code}
> /core-service=management/service=management-operations:find-non-progressing-operation
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3405) The find-non-progressing-operation op is not accessible on a domain server
by Chao Wang (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3405?page=com.atlassian.jira.plugi... ]
Chao Wang reassigned WFCORE-3405:
---------------------------------
Assignee: Chao Wang
> The find-non-progressing-operation op is not accessible on a domain server
> --------------------------------------------------------------------------
>
> Key: WFCORE-3405
> URL: https://issues.jboss.org/browse/WFCORE-3405
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management
> Affects Versions: 4.0.0.Alpha2
> Reporter: Brian Stansberry
> Assignee: Chao Wang
> Priority: Minor
>
> The find-non-progressing-operation op isn't marked as read-only or runtime-only (it's both) so it isn't accessible to external callers on a domain server.
> The related cancel-non-progressing-operation is marked runtime-only, so it's accessible. There's no point allow cancellation (which changes things) and not allowing a find (which just reads), so we should make the find visible.
> A requirement of fixing this though is there need to be new test methods added to OperationCancellationTest case that test finding and cancelling the op via the server resource and not just via the host. The existing testFindNonProgressingOperation() can just have a second "find" op added after the current one, and then new variants of testCancellingNonProgressingDomainRollout() and testFindNonProgressingDomainRollout() can be added that use the full server address for the find/cancel op.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months