[JBoss JIRA] (WFLY-8199) CS tool, log exception on error
by Martin Choma (JIRA)
Martin Choma created WFLY-8199:
----------------------------------
Summary: CS tool, log exception on error
Key: WFLY-8199
URL: https://issues.jboss.org/browse/WFLY-8199
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
When I try to create a CS with invalid options, I get just {{ELY09526: Unable to initialize credential store}}. For example:
* I tried JKS, but JKS is unable to store secret keys
{code}
[mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JKS" --password mycspassword --salt 12345678 --iteration 230 --summary
ELY09526: Unable to initialize credential store[mchoma@localhost bin]$
{code}
* I tried BKS, but I do not have BC among the providers
{code}
java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=BKS" --password mycspassword --salt 12345678 --iteration 230 --summary
ELY09526: Unable to initialize credential store
{code}
It would be useful if the underlying exception were logged as well. For example, the subsystem throws this exception and it is obvious what is wrong.
{code}
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09526: Unable to initialize credential store
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:834)
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:758)
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:163)
at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:119)
at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:117)
... 5 more
Caused by: java.security.KeyStoreException: BKS not found
at java.security.KeyStore.getInstance(KeyStore.java:851)
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:832)
... 9 more
Caused by: java.security.NoSuchAlgorithmException: BKS KeyStore not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:695)
at java.security.KeyStore.getInstance(KeyStore.java:848)
... 10 more
{code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFLY-8198) Shift WFLY-3858 solution to something driven by capabilities
by Brian Stansberry (JIRA)
Brian Stansberry created WFLY-8198:
--------------------------------------
Summary: Shift WFLY-3858 solution to something driven by capabilities
Key: WFLY-8198
URL: https://issues.jboss.org/browse/WFLY-8198
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Brian Stansberry
Something for 12.
The proposed WFLY-3858 fix uses a check of the infinispan subsystem model and a hard-coded service name to control wiring. It should be driven by capabilities.
[JBoss JIRA] (WFLY-8197) Following https://github.com/wildfly/quickstart/tree/10.x/security-vault-askpass with wildfly-10.1.0-7.fc25.noarch fails
by Jan Pazdziora (JIRA)
[ https://issues.jboss.org/browse/WFLY-8197?page=com.atlassian.jira.plugin.... ]
Jan Pazdziora commented on WFLY-8197:
-------------------------------------
https://bugzilla.redhat.com/show_bug.cgi?id=1165743#c7 suggests the (default) JKS + VAULT.dat are not supported. The question is if something (vault.sh?) should do the conversion from JKS to JCEKS or if the keytool parameters should specify JCEKS in the first place.
> Following https://github.com/wildfly/quickstart/tree/10.x/security-vault-askpass with wildfly-10.1.0-7.fc25.noarch fails
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8197
> URL: https://issues.jboss.org/browse/WFLY-8197
> Project: WildFly
> Issue Type: Bug
> Environment: wildfly-10.1.0-7.fc25.noarch
> Reporter: Jan Pazdziora
> Assignee: Jason Greene
> Priority: Trivial
>
> I try to follow the README in this quickstart but the parameters to the keytool command seem to create a keystore which vault.sh does not like, resulting in
> {noformat}
> Problem occurred:
> java.lang.Exception: WFLYSEC0045: Exception encountered:
> at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:194)
> at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:212)
> at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
> at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.modules.Module.run(Module.java:330)
> at org.jboss.modules.Main.main(Main.java:505)
> Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00137: Security Vault does not contain SecretKey entry under alias (vault)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:487)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:214)
> at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:191)
> ... 9 more
> Caused by: java.lang.RuntimeException: PBOX00137: Security Vault does not contain SecretKey entry under alias (vault)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVersionedVaultContent(PicketBoxSecurityVault.java:609)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:480)
> ... 11 more
> {noformat}
[JBoss JIRA] (WFLY-8197) Following https://github.com/wildfly/quickstart/tree/10.x/security-vault-askpass with wildfly-10.1.0-7.fc25.noarch fails
by Jan Pazdziora (JIRA)
[ https://issues.jboss.org/browse/WFLY-8197?page=com.atlassian.jira.plugin.... ]
Jan Pazdziora commented on WFLY-8197:
-------------------------------------
Using JCEKS, AES, and 256, for example with
{noformat}
keytool -storetype jceks -genseckey -alias vault -keystore vault.keystore -keyalg AES -keysize 256 -storepass vault22 -keypass vault22 -dname "CN=Picketbox vault,OU=picketbox,O=JBoss,L=chicago,ST=il,C=us"
{noformat}
makes both commands pass.
But I have no idea if that's what is intended here.
> Following https://github.com/wildfly/quickstart/tree/10.x/security-vault-askpass with wildfly-10.1.0-7.fc25.noarch fails
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8197
> URL: https://issues.jboss.org/browse/WFLY-8197
> Project: WildFly
> Issue Type: Bug
> Environment: wildfly-10.1.0-7.fc25.noarch
> Reporter: Jan Pazdziora
> Assignee: Jason Greene
> Priority: Trivial
>
> I try to follow the README in this quickstart but the parameters to the keytool command seem to create a keystore which vault.sh does not like, resulting in
> {noformat}
> Problem occurred:
> java.lang.Exception: WFLYSEC0045: Exception encountered:
> at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:194)
> at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:212)
> at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
> at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.modules.Module.run(Module.java:330)
> at org.jboss.modules.Main.main(Main.java:505)
> Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00137: Security Vault does not contain SecretKey entry under alias (vault)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:487)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:214)
> at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:191)
> ... 9 more
> Caused by: java.lang.RuntimeException: PBOX00137: Security Vault does not contain SecretKey entry under alias (vault)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVersionedVaultContent(PicketBoxSecurityVault.java:609)
> at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:480)
> ... 11 more
> {noformat}
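As an added example (not code from the tickets or from the WildFly Elytron tool), the following Java program reproduces on a plain JDK the two failures reported in WFLY-8199 (a JKS store cannot hold a secret key; BKS is unavailable without the Bouncy Castle provider) next to the JCEKS case from the comment above, and prints the full cause chain that WFLY-8199 asks the tool to log instead of the bare "Unable to initialize credential store" message. Assumed: a stock JDK with no Bouncy Castle provider registered; the alias and password are constructed sample values, and a 128-bit AES key is used so the example runs without the unlimited crypto policy on older JDK 8 builds.

```java
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreTypeProbe {

    // Create an in-memory key store of the given type and put one AES secret key
    // into it under the given alias. Any failure propagates with its cause chain
    // intact so the caller can report the real reason.
    static KeyStore storeSecretKey(String type, String alias, char[] password) throws Exception {
        // Fails here when no registered provider offers the type (BKS without BC),
        // with a NoSuchAlgorithmException as the cause, as in the WFLY-8199 trace.
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, password);                       // initialise an empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                                  // 128 bits: portable across policy settings
        SecretKey key = kg.generateKey();
        // JKS rejects non-private keys at this point; JCEKS accepts them.
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(password));
        return ks;
    }

    // Flatten a throwable and its causes into one line. This is what the tool
    // should print in addition to its own ELY09526 message: the top-level text
    // alone hides whether the store type is unsupported or the key is unstorable.
    static String describe(Throwable t) {
        StringBuilder sb = new StringBuilder();
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (sb.length() > 0) sb.append(" <- caused by: ");
            sb.append(c.getClass().getSimpleName()).append(": ").append(c.getMessage());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        char[] pw = "mycspassword".toCharArray();     // constructed sample password
        for (String type : new String[] {"JKS", "JCEKS", "BKS"}) {
            try {
                KeyStore ks = storeSecretKey(type, "myalias", pw);
                System.out.println(type + ": OK, entries=" + ks.size()
                        + ", secret key entry=" + ks.entryInstanceOf("myalias", KeyStore.SecretKeyEntry.class));
            } catch (Exception e) {
                System.out.println(type + ": FAILED -> " + describe(e));
            }
        }
    }
}
```

Run with `javac KeyStoreTypeProbe.java && java KeyStoreTypeProbe`. On a stock JDK the JKS attempt fails when the secret key is stored, the BKS attempt fails already in `KeyStore.getInstance` with the provider lookup as the nested cause, and only JCEKS reports a stored secret key entry; the `describe` output makes each of the three outcomes distinguishable from the message alone, which is the diagnostic gap WFLY-8199 describes.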
[JBoss JIRA] (WFLY-8197) Following https://github.com/wildfly/quickstart/tree/10.x/security-vault-askpass with wildfly-10.1.0-7.fc25.noarch fails
by Jan Pazdziora (JIRA)
Jan Pazdziora created WFLY-8197:
-----------------------------------
Summary: Following https://github.com/wildfly/quickstart/tree/10.x/security-vault-askpass with wildfly-10.1.0-7.fc25.noarch fails
Key: WFLY-8197
URL: https://issues.jboss.org/browse/WFLY-8197
Project: WildFly
Issue Type: Bug
Environment: wildfly-10.1.0-7.fc25.noarch
Reporter: Jan Pazdziora
Assignee: Jason Greene
Priority: Trivial
I try to follow the README in this quickstart but the parameters to the keytool command seem to create a keystore which vault.sh does not like, resulting in
{noformat}
Problem occurred:
java.lang.Exception: WFLYSEC0045: Exception encountered:
at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:194)
at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:212)
at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.modules.Module.run(Module.java:330)
at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00137: Security Vault does not contain SecretKey entry under alias (vault)
at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:487)
at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:214)
at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:191)
... 9 more
Caused by: java.lang.RuntimeException: PBOX00137: Security Vault does not contain SecretKey entry under alias (vault)
at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVersionedVaultContent(PicketBoxSecurityVault.java:609)
at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:480)
... 11 more
{noformat}
[JBoss JIRA] (WFLY-8196) CS tool, invalid options are accepted
by Martin Choma (JIRA)
Martin Choma created WFLY-8196:
----------------------------------
Summary: CS tool, invalid options are accepted
Key: WFLY-8196
URL: https://issues.jboss.org/browse/WFLY-8196
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
Currently, if I provide an invalid option (e.g. --option_does_not_exists) it is accepted (ignored) and the command is performed
{code}
[mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --salt 12345678 --iteration 230 --summary --option_does_not_exists
Alias "myalias" has been successfully stored
Credential store command summary:
--------------------------------------
/subsystem=elytron/credential-store=test:add(uri="cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS",relative-to=jboss.server.data.dir,credential-reference={clear-text="MASK-uNWeyrmbByBEjgZM1FAPQW==;12345678;230"})
{code}
It would be safer if the command failed instead. It would guard users from an unintentional command being performed.
{code}
[mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --salt 12345678 --iteration 230 --summary --option_does_not_exists
wildfly-elytron-tool: invalid option -- 'option_does_not_exists'
{code}
[JBoss JIRA] (WFLY-8195) CS tool, provide way to create empty credential store
by Martin Choma (JIRA)
Martin Choma created WFLY-8195:
----------------------------------
Summary: CS tool, provide way to create empty credential store
Key: WFLY-8195
URL: https://issues.jboss.org/browse/WFLY-8195
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
There is no way to create an empty credential store. Currently a credential store can be created only by adding an alias as well.
{code}
java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --salt 12345678 --iteration 230 --summary
{code}
I would expect something like
{code}
java -jar wildfly-elytron-tool.jar credential-store --create --location="test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword
{code}
[JBoss JIRA] (WFLY-8194) JBoss CLI is not able to connect to interface secured by Elytron SASL factories with PLAIN mechanism
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFLY-8194?page=com.atlassian.jira.plugin.... ]
Ondrej Lukas updated WFLY-8194:
-------------------------------
Steps to Reproduce:
1) Add a user - add the following line to {{standalone/configuration/mgmt-users.properties}}
{code}
user1=pass@123
{code}
2) Configure application server:
{code}
/subsystem=elytron/sasl-authentication-factory=elytronSaslAuthnFactory:add(security-domain=ManagementDomain,sasl-server-factory=global,mechanism-configurations=[{mechanism-name=PLAIN}])
/subsystem=elytron/properties-realm=ManagementRealm:write-attribute(name=users-properties.plain-text,value=true)
{code}
3) Change http-interface to following:
{code}
<http-interface http-authentication-factory="management-http-authentication">
<http-upgrade enabled="true" sasl-authentication-factory="elytronSaslAuthnFactory"/>
<socket-binding http="management-http"/>
</http-interface>
{code}
4) Try to authenticate with the JBoss CLI:
{code}
./jboss-cli.sh -c -u=user1 -p=pass@123 --no-local-auth
Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 25b770fb to localhost/127.0.0.1:9990 of endpoint "cli-client" <5a992706>
{code}
was:
These steps work correctly with EAP 7.1.0.DR11, but fail with EAP 7.1.0.DR12:
1) Add a user - add the following line to {{standalone/configuration/mgmt-users.properties}}
{code}
user1=pass@123
{code}
2) Configure application server:
{code}
/subsystem=elytron/sasl-authentication-factory=elytronSaslAuthnFactory:add(security-domain=ManagementDomain,sasl-server-factory=global,mechanism-configurations=[{mechanism-name=PLAIN}])
/subsystem=elytron/properties-realm=ManagementRealm:write-attribute(name=users-properties.plain-text,value=true)
{code}
3) Change http-interface to following:
{code}
<http-interface http-authentication-factory="management-http-authentication">
<http-upgrade enabled="true" sasl-authentication-factory="elytronSaslAuthnFactory"/>
<socket-binding http="management-http"/>
</http-interface>
{code}
4) Try to authenticate with the JBoss CLI:
{code}
./jboss-cli.sh -c -u=user1 -p=pass@123 --no-local-auth
Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: JBREM000202: Abrupt close on Remoting connection 25b770fb to localhost/127.0.0.1:9990 of endpoint "cli-client" <5a992706>
{code}
> JBoss CLI is not able to connect to interface secured by Elytron SASL factories with PLAIN mechanism
> ----------------------------------------------------------------------------------------------------
>
> Key: WFLY-8194
> URL: https://issues.jboss.org/browse/WFLY-8194
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> When the PLAIN mechanism is used for Elytron SASL factories used by any of the management interfaces, the JBoss CLI is not able to connect to the server. This issue happens with the http-interface as well as the native-interface. See Steps to Reproduce for more details.
[JBoss JIRA] (WFLY-8194) JBoss CLI is not able to connect to interface secured by Elytron SASL factories with PLAIN mechanism
by Ondrej Lukas (JIRA)
Ondrej Lukas created WFLY-8194:
----------------------------------
Summary: JBoss CLI is not able to connect to interface secured by Elytron SASL factories with PLAIN mechanism
Key: WFLY-8194
URL: https://issues.jboss.org/browse/WFLY-8194
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Blocker
When the PLAIN mechanism is used for Elytron SASL factories used by any of the management interfaces, the JBoss CLI is not able to connect to the server. This issue happens with the http-interface as well as the native-interface. See Steps to Reproduce for more details.
This feature works correctly in EAP 7.1.0.DR11.
[JBoss JIRA] (WFLY-8194) JBoss CLI is not able to connect to interface secured by Elytron SASL factories with PLAIN mechanism
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFLY-8194?page=com.atlassian.jira.plugin.... ]
Ondrej Lukas updated WFLY-8194:
-------------------------------
Description: When the PLAIN mechanism is used for Elytron SASL factories used by any of the management interfaces, the JBoss CLI is not able to connect to the server. This issue happens with the http-interface as well as the native-interface. See Steps to Reproduce for more details. (was: When the PLAIN mechanism is used for Elytron SASL factories used by any of the management interfaces, the JBoss CLI is not able to connect to the server. This issue happens with the http-interface as well as the native-interface. See Steps to Reproduce for more details.
This feature works correctly in EAP 7.1.0.DR11.)
> JBoss CLI is not able to connect to interface secured by Elytron SASL factories with PLAIN mechanism
> ----------------------------------------------------------------------------------------------------
>
> Key: WFLY-8194
> URL: https://issues.jboss.org/browse/WFLY-8194
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> When the PLAIN mechanism is used for Elytron SASL factories used by any of the management interfaces, the JBoss CLI is not able to connect to the server. This issue happens with the http-interface as well as the native-interface. See Steps to Reproduce for more details.