February 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFCORE-1059) RestartParentResourceAdd/RemoveHandler should handle capability registration

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1059?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1059: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > RestartParentResourceAdd/RemoveHandler should handle capability registration > ---------------------------------------------------------------------------- > > Key: WFCORE-1059 > URL: https://issues.jboss.org/browse/WFCORE-1059 > Project: WildFly Core > Issue Type: Bug > Components: Domain Management > Affects Versions: 2.0.0.CR6 > Reporter: Paul Ferraro > Assignee: Tomaz Cerar > Fix For: 3.0.0.Alpha25 > > > RestartParentResourceAddHandler and RestartParentResourceRemoveHandler do not extend the respective AbstractAddStepHandler and AbstractRemoveStepHandler base classes, and thus does not handle capability [un]registration. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-644) jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-644?page=com.atlassian.jira.plugin... ] Kabir Khan updated WFCORE-644: ------------------------------ Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores > ----------------------------------------------------------------------------------- > > Key: WFCORE-644 > URL: https://issues.jboss.org/browse/WFCORE-644 > Project: WildFly Core > Issue Type: Bug > Components: CLI > Reporter: Derek Horton > Assignee: Darran Lofthouse > Priority: Critical > Fix For: 3.0.0.Alpha25 > > > The cli's SSL configuration should be expanded to support using PKCS11 keystores/truststores. Currently it does not appear to be possible to configure the keystore/truststore type in the jboss-cli.xml file. > This is problematic when the JVM is running in FIPS mode. > The cli throws the following exception on startup: > $ ./bin/jboss-cli.sh > org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used > at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541) > at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291) > at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76) > at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294) > at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277) > at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at org.jboss.modules.Module.run(Module.java:312) > at org.jboss.modules.Main.main(Main.java:460) > Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used > at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126) > at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89) > at javax.net.ssl.SSLContext.init(SSLContext.java:283) > at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537) > ... 11 more > It is possible to workaround the issue by setting the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file: > JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11" > JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword" -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1944) Convert domain-management tests to reference Elytron SecurityRealm and remove old CallbackHandler code.

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1944?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1944: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > Convert domain-management tests to reference Elytron SecurityRealm and remove old CallbackHandler code. > ------------------------------------------------------------------------------------------------------- > > Key: WFCORE-1944 > URL: https://issues.jboss.org/browse/WFCORE-1944 > Project: WildFly Core > Issue Type: Task > Components: Domain Management, Security > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 3.0.0.Alpha25 > > > The important pieces of code within the legacy security realms are being wrapped using Elytron components, items like the legacy CallbackHandlers can be removed but existing tests need porting to call Elytron APIs. > The legacy tests do need to be retained as they offer a good level of regression testing for the legacy realms. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1897) Follow up WFCORE-296 once migrated to Remoting 5

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1897?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1897: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > Follow up WFCORE-296 once migrated to Remoting 5 > ------------------------------------------------ > > Key: WFCORE-1897 > URL: https://issues.jboss.org/browse/WFCORE-1897 > Project: WildFly Core > Issue Type: Task > Components: Remoting > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha25 > > > WFCORE-296 adds support for the schemes remote:// remote_http:// and remote+https:// - once we switch to centralised Endpoints we need to ensure this new set is still supported along with the previous set. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1802) Integrate OpenSSL Provider registration with Elytron

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1802?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1802: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > Integrate OpenSSL Provider registration with Elytron > ---------------------------------------------------- > > Key: WFCORE-1802 > URL: https://issues.jboss.org/browse/WFCORE-1802 > Project: WildFly Core > Issue Type: Task > Components: Security > Reporter: Stuart Douglas > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha25 > > > We need to remove the following block from SecurityRealmResourceDefinition: - > {code} > static { > //register the Openssl Provider, if possible > //not really sure if this is the best place for it > try { > OpenSSLProvider.register(); > DomainManagementLogger.ROOT_LOGGER.registeredOpenSSLProvider(); > } catch (Throwable t){ > DomainManagementLogger.ROOT_LOGGER.debugf(t, "Failed to register OpenSSL provider"); > } > } > {code} > Registration will then be possible within the Elytron subsystem configuration. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2025) CLI SSLContext Priority

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2025?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2025: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > CLI SSLContext Priority > ----------------------- > > Key: WFCORE-2025 > URL: https://issues.jboss.org/browse/WFCORE-2025 > Project: WildFly Core > Issue Type: Task > Components: CLI, Security > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Critical > Fix For: 3.0.0.Alpha25 > > > We have three different places an SSLContext could come from for the CLI: - > # CLI Configuration > # AuthenticationClient Configuration > # Default interactive SSLContext > We need to ensure they are prioritised as above. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2016) Change sasl-authentication-factor for management auth works after reload, but not after server restart

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2016?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2016: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > Change sasl-authentication-factor for management auth works after reload, but not after server restart > ------------------------------------------------------------------------------------------------------ > > Key: WFCORE-2016 > URL: https://issues.jboss.org/browse/WFCORE-2016 > Project: WildFly Core > Issue Type: Bug > Components: Domain Management, Security > Reporter: Zach Rhoads > Assignee: Darran Lofthouse > Fix For: 3.0.0.Alpha25 > > > I can successfully configure a new sasl-authentication-factory and assign it to the management interface: > {code} > /subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir) > /subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add() > /subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:set-password(clear={password="password123"}) > /subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add-attribute(name=Roles, value=["Admin","Guest"]) > /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles) > /subsystem=elytron/security-domain=exampleFsSD:add(realms=[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-realm=exampleFsRealm,permission-mapper=login-permission-mapper) > /subsystem=elytron/sasl-authentication-factory=example-sasl-auth:add(sasl-server-factory=configured,security-domain=exampleFsSD,mechanism-configurations=[{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=exampleSaslRealm}]}]) > /core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=example-sasl-auth) > reload > {code} > after reload, i am forced to re-authenticate and it succeeds: > {code} > [standalone@localhost:9990 /] reload > Authenticating against security realm: exampleSaslRealm > Username: user1 > Password: > [standalone@localhost:9990 /] > {code} > Once i restart the server though and try to connect, i get a timeout: > {code} > $ ./jboss-cli.sh -c > Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0023: Could not connect to remote+http://localhost:9990. The connection timed out: WFLYPRT0023: Could not connect to remote+http://localhost:9990. The connection timed out > {code} > It also fails if i force no local auth: > {code} > $ ./jboss-cli.sh -c --no-local-auth > Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0023: Could not connect to remote+http://localhost:9990. The connection timed out: WFLYPRT0023: Could not connect to remote+http://localhost:9990. The connection timed out > {code}/ -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1965) Remove the jboss-logging-annotations dependency from the core feature pack.

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1965?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1965: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > Remove the jboss-logging-annotations dependency from the core feature pack. > --------------------------------------------------------------------------- > > Key: WFCORE-1965 > URL: https://issues.jboss.org/browse/WFCORE-1965 > Project: WildFly Core > Issue Type: Task > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Critical > Fix For: 3.0.0.Alpha25 > > > This was added inadvertently with some other changes: - > {noformat} > <dependency> > <groupId>org.jboss.logging</groupId> > <artifactId>jboss-logging-annotations</artifactId> > </dependency> > {noformat} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1958) Clean up testsuite Elytron registration

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1958?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1958: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > Clean up testsuite Elytron registration > --------------------------------------- > > Key: WFCORE-1958 > URL: https://issues.jboss.org/browse/WFCORE-1958 > Project: WildFly Core > Issue Type: Task > Components: Test Suite > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha25 > > > In a couple of places we have artificially registered the WildFly Elytron Security provider, we need to address this so tests can automatically have it available to them.. > Also re-enable the following test case: - > * org.jboss.as.test.integration.domain.suites.FullRbacProviderRunAsTestSuite -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1964) Internal ModelControllerClient should bypass access control by default

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1964?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1964: ------------------------------- Fix Version/s: 3.0.0.Alpha25 (was: 3.0.0.Alpha24) > Internal ModelControllerClient should bypass access control by default > ---------------------------------------------------------------------- > > Key: WFCORE-1964 > URL: https://issues.jboss.org/browse/WFCORE-1964 > Project: WildFly Core > Issue Type: Task > Components: Domain Management, Security > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha25 > > > This is continuing compatibility where in-vm clients can perform actions without triggering management access control. > It would be nice also if we could find a way to make it possible to selectively disable this for cases where we want identity propagation between applications and the management tier. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira February 2017