[JBoss JIRA] (WFCORE-2383) Elytron subsystem is unable to configure SunPKCS11 provider
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2383?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8108 to WFCORE-2383:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2383 (was: WFLY-8108)
Component/s: Security
(was: Security)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Elytron subsystem is unable to configure SunPKCS11 provider
> -----------------------------------------------------------
>
> Key: WFCORE-2383
> URL: https://issues.jboss.org/browse/WFCORE-2383
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 4.0.0.Alpha1
>
>
> Trying to configure the server to run in FIPS mode using subsystem capabilities.
> I can't configure through the subsystem the same way as in the java.security file:
> {code:title=java.security}
> security.provider.1=sun.security.pkcs11.SunPKCS11 /usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg
> {code}
> because if I try to pass a configuration file or configuration
> {code}
> /subsystem=elytron/provider-loader=fips:add(class-names=[sun.security.pkcs11.SunPKCS11], path=/usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg)
> /subsystem=elytron/provider-loader=fips:add(class-names=[sun.security.pkcs11.SunPKCS11], configuration={ \
> name=nssModule, value=fips \
> name=nssSecmodDirectory, value=/usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/fipsdb \
> name=nssLibraryDirectory, value=/usr/lib64 \
> name=name, value=testPkcs \
> name=nssDbMode, value=readOnly \
> }
> {code}
> I get an exception
> {code}
> 10:46:28,630 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.security.providers.fips: org.jboss.msc.service.StartException in service org.wildfly.security.providers.fips: java.security.ProviderException: SunPKCS11 requires configuration file argument
> at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:185)
> at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:143)
> at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.security.ProviderException: SunPKCS11 requires configuration file argument
> at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:98)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at java.lang.Class.newInstance(Class.java:442)
> at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:156)
> ... 7 more
> 10:46:28,630 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 10) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("provider-loader" => "fips")
> ]) - failure description: {
> "WFLYCTL0080: Failed services" => {"org.wildfly.security.providers.fips" => "org.jboss.msc.service.StartException in service org.wildfly.security.providers.fips: java.security.ProviderException: SunPKCS11 requires configuration file argument
> Caused by: java.security.ProviderException: SunPKCS11 requires configuration file argument"},
> "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.providers.fips"]
> }
> {code}
> It occurs because loading of providers is implemented in the subsystem in 2 steps
> * create provider instance (call noargs constructor)
> * optionally load configuration
> But {{sun.security.pkcs11.SunPKCS11}} can't be created without configuration [1]
> [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2384) Elytron subsystem is unable to configure com.sun.net.ssl.internal.ssl.Provider in FIPS mode
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2384?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8112 to WFCORE-2384:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2384 (was: WFLY-8112)
Component/s: Security
(was: Security)
> Elytron subsystem is unable to configure com.sun.net.ssl.internal.ssl.Provider in FIPS mode
> -------------------------------------------------------------------------------------------
>
> Key: WFCORE-2384
> URL: https://issues.jboss.org/browse/WFCORE-2384
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> Trying to configure the server to run in FIPS mode using subsystem capabilities.
> I can't configure through the subsystem the same way as in the java.security file:
> {code:title=java.security}
> security.provider.5=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-testPkcs
> {code}
> because there is no possibility in the subsystem to call the provider constructor with arguments (I don't mean the provider configuration)
> The subsystem implements provider loading in 2 steps
> * create provider instance (call noargs constructor)
> * optionally load configuration
> But to create {{com.sun.net.ssl.internal.ssl.Provider}} in FIPS mode, the constructor with arguments must be called [1]
> [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u...
--
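As an added example (not WildFly/Elytron code, and not the fix that was eventually made for these two issues), the following Java class shows a provider loader that does what the two reports above need: it hands a String argument to the provider when it is created, instead of calling the no-arg constructor and configuring afterwards. It covers SunPKCS11 with a pkcs11.cfg path (WFCORE-2383) and com.sun.net.ssl.internal.ssl.Provider with the name of the PKCS#11 provider it delegates to (WFCORE-2384); on Java 9+, where Provider.configure(String) exists, it configures the SunPKCS11 instance the JDK already registers. The class name ProviderLoader, the command-line usage and the --add-exports flag mentioned in a comment are this example's own assumptions; the paths and provider names in the usage comment are taken from the reports.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Provider;
import java.security.Security;

/**
 * Added example, not WildFly/Elytron code. Loads a java.security.Provider by class name
 * with an optional String argument, covering both reports:
 *  - sun.security.pkcs11.SunPKCS11 with a pkcs11.cfg path: its Java 8 no-arg constructor
 *    throws "SunPKCS11 requires configuration file argument", so it must get the path;
 *  - com.sun.net.ssl.internal.ssl.Provider with the name of the PKCS#11 provider it
 *    delegates to in FIPS mode, e.g. "SunPKCS11-testPkcs" (Java 8 SunJSSE).
 * The String constructor and Provider.configure(String) are looked up reflectively so
 * the class compiles on Java 8 as well as on Java 9+.
 */
public final class ProviderLoader {

    private ProviderLoader() {
    }

    public static Provider load(ClassLoader cl, String className, String argument) throws Exception {
        Class<? extends Provider> providerClass =
                Class.forName(className, true, cl).asSubclass(Provider.class);

        if (argument == null || argument.isEmpty()) {
            return construct(providerClass.getConstructor());
        }

        // Java 9+: Provider.configure(String) exists and java.security already registers an
        // unconfigured SunPKCS11; configure() returns a configured copy of it.
        Method configure = null;
        try {
            configure = Provider.class.getMethod("configure", String.class);
        } catch (NoSuchMethodException javaEight) {
            // no configure() on Java 8; handled by the String constructor below
        }
        if (configure != null) {
            for (Provider installed : Security.getProviders()) {
                if (installed.getClass() == providerClass) {
                    return invokeConfigure(configure, installed, argument);
                }
            }
        }

        // Java 8: SunPKCS11(String configPath), com.sun.net.ssl.internal.ssl.Provider(String name).
        // This is the step a "no-arg constructor, then optional configuration" loader lacks.
        try {
            return construct(providerClass.getConstructor(String.class), argument);
        } catch (NoSuchMethodException noStringConstructor) {
            // fall through
        }

        // Java 9+ provider that is not pre-registered: construct, then configure. JDK-internal
        // packages are not exported, so reflective construction may additionally need e.g.
        //   --add-exports jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED   (assumed flag)
        if (configure != null) {
            return invokeConfigure(configure, construct(providerClass.getConstructor()), argument);
        }
        throw new IllegalArgumentException(className
                + " accepts neither a String constructor argument nor Provider.configure(String)");
    }

    private static Provider construct(Constructor<? extends Provider> ctor, Object... args) throws Exception {
        try {
            return ctor.newInstance(args);
        } catch (InvocationTargetException e) {
            throw unwrap(e);
        }
    }

    private static Provider invokeConfigure(Method configure, Provider target, String argument) throws Exception {
        try {
            return (Provider) configure.invoke(target, argument);
        } catch (InvocationTargetException e) {
            throw unwrap(e);
        }
    }

    /** Surfaces the provider's own error (e.g. ProviderException for a bad pkcs11.cfg), not the reflection wrapper. */
    private static Exception unwrap(InvocationTargetException e) {
        Throwable cause = e.getCause();
        return cause instanceof Exception ? (Exception) cause : e;
    }

    /**
     * Usage: java ProviderLoader <provider class> [argument], for example
     *   java ProviderLoader sun.security.pkcs11.SunPKCS11 /usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg
     *   java ProviderLoader com.sun.net.ssl.internal.ssl.Provider SunPKCS11-testPkcs
     */
    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.err.println("usage: java ProviderLoader <provider class> [argument]");
            System.exit(2);
        }
        Provider p = load(ProviderLoader.class.getClassLoader(), args[0], args.length > 1 ? args[1] : null);
        // Position 1 makes it the preferred provider; -1 means one with the same name was already installed.
        int position = Security.insertProviderAt(p, 1);
        System.out.println("Loaded " + p.getName() + " (" + p.getInfo() + "), position " + position);
    }
}
```

The order of attempts matters: calling the no-arg constructor first, as the two-step loader does, is exactly what fails for the Java 8 SunPKCS11, so the String constructor (Java 8) or configure() on the pre-registered instance (Java 9+) is tried before any no-arg construction. Whether the resulting provider actually operates in FIPS mode still depends on the NSS module and pkcs11.cfg it points at; this class only fixes how the provider object is created.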
[JBoss JIRA] (WFCORE-2385) There are two different error messages for adding duplicate record to CS by same command.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2385?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8005 to WFCORE-2385:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2385 (was: WFLY-8005)
Component/s: Security
(was: Security)
> There are two different error messages for adding duplicate record to CS by same command.
> -----------------------------------------------------------------------------------------
>
> Key: WFCORE-2385
> URL: https://issues.jboss.org/browse/WFCORE-2385
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
>
> There are two different error messages for adding a duplicate record to the CS by the same command.
> *How to reproduce*
> {code}
> /subsystem=elytron/credential-store=cs007:add(uri="cr-store://test/customcredCS007.jceks?create.storage=true", credential-reference={clear-text=pass123})
> {code}
> {code}
> /subsystem=elytron/credential-store=cs007/alias=alias001:add(secret-value=secret)
> {code}
> And now we try to add the same alias there, once with exactly the same name and once with the name in uppercase
> {code}
> /subsystem=elytron/credential-store=cs007/alias=alias001:add(secret-value=secret)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0212: Duplicate resource [
> (\"subsystem\" => \"elytron\"),
> (\"credential-store\" => \"cs007\"),
> (\"alias\" => \"alias001\")
> ]",
> "rolled-back" => true
> }
> {code}
> {code}
> /subsystem=elytron/credential-store=cs007/alias=ALIAS001:add(secret-value=secret)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYELY00913: Credential alias \"alias001\" of credential type \"org.wildfly.security.credential.PasswordCredential\" already exists in the store",
> "rolled-back" => true
> }
> {code}
> You can see the different error messages.
--
[JBoss JIRA] (WFCORE-2378) Regression against 7.0.GA, Kerberos over CLI
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2378?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8222 to WFCORE-2378:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2378 (was: WFLY-8222)
Component/s: Security
(was: Security)
> Regression against 7.0.GA, Kerberos over CLI
> --------------------------------------------
>
> Key: WFCORE-2378
> URL: https://issues.jboss.org/browse/WFCORE-2378
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Labels: regression
>
> It is not possible to authenticate to the CLI using Kerberos.
> The same configuration works well against 7.0.0.GA
> {code:title=server.log on TRACE level}
> 17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) configuredMaxReceiveBuffer=16777215
> 17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) relaxComplianceChecks=false
> 17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) QOP={AUTH}
> 17:32:21,109 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-2) Our name 'remote(a)localhost.localdomain'
> 17:32:21,113 INFO [stdout] (management I/O-2) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
> 17:32:21,113 INFO [stdout] (management I/O-2) Loaded from Java config
> 17:32:21,114 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Unable to create SaslServer: javax.security.sasl.SaslException: ELY05029: [GSSAPI] Unable to create GSSContext [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)]
> at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:77)
> at org.wildfly.security.sasl.gssapi.GssapiServerFactory.createSaslServer(GssapiServerFactory.java:44)
> at org.wildfly.security.sasl.util.SecurityProviderSaslServerFactory.createSaslServer(SecurityProviderSaslServerFactory.java:77)
> at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
> at org.wildfly.security.sasl.util.PropertiesSaslServerFactory.createSaslServer(PropertiesSaslServerFactory.java:56)
> at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
> at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
> at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:79)
> at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory.createSaslServer(AuthenticationCompleteCallbackSaslServerFactory.java:51)
> at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.createSaslServer(TrustManagerSaslServerFactory.java:72)
> at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory.createSaslServer(AuthenticationTimeoutSaslServerFactory.java:74)
> at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
> at org.wildfly.security.sasl.util.ServerNameSaslServerFactory.createSaslServer(ServerNameSaslServerFactory.java:48)
> at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
> at org.wildfly.security.sasl.util.ProtocolSaslServerFactory.createSaslServer(ProtocolSaslServerFactory.java:48)
> at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory.createSaslServer(SecurityIdentitySaslServerFactory.java:51)
> at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:59)
> at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:50)
> at org.wildfly.security.auth.server.AbstractMechanismAuthenticationFactory.createMechanism(AbstractMechanismAuthenticationFactory.java:54)
> at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:259)
> at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:125)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
> at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:127)
> at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
> at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
> at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
> at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
> at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:72)
> ... 24 more
> 17:32:21,115 TRACE [org.jboss.remoting.remote] (management I/O-2) Rejected invalid SASL mechanism GSSAPI
> 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 5 bytes
> 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
> 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
> 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
> 17:32:21,115 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received 59 bytes
> 17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received message java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Received java.nio.HeapByteBuffer[pos=0 lim=55 cap=8192]
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capabilities request
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: version 1
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote endpoint name "cli-client"
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: message close protocol supported
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote version is "5.0.0.Beta17-redhat-1"
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels in is "40"
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: remote channels out is "40"
> 17:32:21,116 TRACE [org.jboss.remoting.remote.server] (management I/O-2) Server received capability: authentication service
> 17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Sent 77 bytes
> 17:32:21,116 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Flushed channel
> 17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) No buffers in queue for message header
> 17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Allocated fresh buffers
> 17:32:21,118 TRACE [org.jboss.remoting.remote.connection] (management I/O-2) Received EOF
> 17:32:21,118 TRACE [org.jboss.remoting.remote] (management I/O-2) Received connection end-of-stream
> 17:32:21,441 INFO [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) CLI executor output:
> 17:32:21,441 INFO [org.jboss.eapqe.krbldap.eap7.utils.CustomCLIExecutor] (main) Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb5-945898887586223869.conf
> Loaded from Java config
> >>>KinitOptions cache name is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb5cc
> >>>DEBUG <CCacheInputStream> client principal is hnelson7259cb36-69b2-4e28-afb5-f668120a8dea(a)JBOSS.ORG
> >>>DEBUG <CCacheInputStream> server principal is krbtgt/JBOSS.ORG(a)JBOSS.ORG
> >>>DEBUG <CCacheInputStream> key type: 17
> >>>DEBUG <CCacheInputStream> auth time: Thu Feb 23 17:32:11 CET 2017
> >>>DEBUG <CCacheInputStream> start time: Thu Feb 23 17:32:11 CET 2017
> >>>DEBUG <CCacheInputStream> end time: Fri Feb 24 01:32:11 CET 2017
> >>>DEBUG <CCacheInputStream> renew_till time: null
> >>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
> Found ticket for hnelson7259cb36-69b2-4e28-afb5-f668120a8dea(a)JBOSS.ORG to go to krbtgt/JBOSS.ORG(a)JBOSS.ORG expiring on Fri Feb 24 01:32:11 CET 2017
> Entered Krb5Context.initSecContext with state=STATE_NEW
> Service ticket not found in the subject
> >>> Credentials acquireServiceCreds: same realm
> default etypes for default_tgs_enctypes: 17.
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KdcAccessibility: reset
> >>> KrbKdcReq send: kdc=localhost.localdomain UDP:6088, timeout=5000, number of retries =3, #bytes=648
> >>> KDCCommunication: kdc=localhost.localdomain UDP:6088, timeout=5000,Attempt =1, #bytes=648
> >>> KrbKdcReq send: #bytes read=634
> >>> KdcAccessibility: remove localhost.localdomain:6088
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
> >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> Krb5Context setting mySeqNumber to: 951540638
> Krb5Context setting peerSeqNumber to: 0
> Created InitSecContextToken:
> 0000: 01 00 6E 82 02 2C 30 82 02 28 A0 03 02 01 05 A1 ..n..,0..(......
> 0010: 03 02 01 0E A2 07 03 05 00 00 00 00 00 A3 82 01 ................
> 0020: 2C 61 82 01 28 30 82 01 24 A0 03 02 01 05 A1 0B ,a..(0..$.......
> 0030: 1B 09 4A 42 4F 53 53 2E 4F 52 47 A2 2A 30 28 A0 ..JBOSS.ORG.*0(.
> 0040: 03 02 01 00 A1 21 30 1F 1B 06 72 65 6D 6F 74 65 .....!0...remote
> 0050: 1B 15 6C 6F 63 61 6C 68 6F 73 74 2E 6C 6F 63 61 ..localhost.loca
> 0060: 6C 64 6F 6D 61 69 6E A3 81 E3 30 81 E0 A0 03 02 ldomain...0.....
> 0070: 01 11 A2 81 D8 04 81 D5 AF 46 53 89 B1 22 66 A6 .........FS.."f.
> 0080: C7 3C 9B 50 EB 36 7C D7 95 45 C9 46 BE A7 17 43 .<.P.6...E.F...C
> 0090: CD 9E DB B1 34 F7 1E 89 A4 D8 7B 2D 37 F9 4D DE ....4......-7.M.
> 00A0: 8C B6 9D 07 83 2B 3E BF 80 34 34 CB 52 B9 01 95 .....+>..44.R...
> 00B0: AF 07 D1 8A 15 F8 7D 29 56 03 63 36 13 44 17 0B .......)V.c6.D..
> 00C0: C9 31 CD 6F 41 35 5D B2 5A 5F 25 27 20 8D DE 9A .1.oA5].Z_%' ...
> 00D0: 1B A9 26 A9 22 E2 81 4C 18 BB F9 15 27 A4 75 68 ..&."..L....'.uh
> 00E0: AF FE F4 2D 84 6D 44 24 73 C8 18 C0 3E 85 3E 0C ...-.mD$s...>.>.
> 00F0: 6E 2C 89 FA 54 0B F6 E4 D3 C9 DA A3 61 14 5F 97 n,..T.......a._.
> 0100: 1D FE 6A 70 D7 C7 9C D2 91 D7 D0 B0 88 20 A1 C8 ..jp......... ..
> 0110: 53 42 DD 6B DB 3C 39 DC 2C DF 8A 52 C9 8B E4 0B SB.k.<9.,..R....
> 0120: AD 05 B8 81 08 0E D2 4E 83 F9 23 C8 DC F1 9A 42 .......N..#....B
> 0130: BD 44 A4 DB CB E6 64 9B 9D 53 FA F3 4E 77 99 5F .D....d..S..Nw._
> 0140: AE 0C B3 52 11 B5 6E 65 FB 2C 6E D9 49 A4 81 E2 ...R..ne.,n.I...
> 0150: 30 81 DF A0 03 02 01 11 A2 81 D7 04 81 D4 13 3B 0..............;
> 0160: BB 37 F0 B9 F9 C3 60 E0 80 DA A2 8D 0C E9 8A 34 .7....`........4
> 0170: DA E1 55 CB 4F 09 EB 36 3A F4 68 D3 90 D9 0F CD ..U.O..6:.h.....
> 0180: 0F BA 50 1C A9 5C 70 84 1B CD 43 12 33 41 8A CA ..P..\p...C.3A..
> 0190: 46 B0 21 4B 10 D7 22 5C EC D0 79 C1 0D 5E 1C 58 F.!K.."\..y..^.X
> 01A0: 64 7C 75 43 77 96 82 1F 3A AD A2 C1 C4 9B 96 5B d.uCw...:......[
> 01B0: 0D 1B DC 60 BD 76 91 69 53 DE 2F 34 CF 9E 0B EE ...`.v.iS./4....
> 01C0: 8D D9 98 E0 37 AB 8D 2F 0D 61 B5 8C 10 43 20 2B ....7../.a...C +
> 01D0: 6D 36 E1 0F 5B 23 22 8A 76 1B 55 0C 2E A1 8C D7 m6..[#".v.U.....
> 01E0: 8C 6F D2 07 2B 26 3B BF 54 74 9B 76 4A 78 2B E8 .o..+&;.Tt.vJx+.
> 01F0: 70 E3 81 08 E9 8B A3 F1 69 A3 E2 BE 1D 5B 8F 3A p.......i....[.:
> 0200: 0F 34 3D 2D 01 69 C4 FC 67 FB 13 4B F3 D9 BE 94 .4=-.i..g..K....
> 0210: 9D 24 75 92 32 13 4B 8B 18 D0 FF 3B F9 51 19 90 .$u.2.K....;.Q..
> 0220: 44 63 61 BF A0 91 9E 76 9D 42 AA 3D B3 46 64 0A Dca....v.B.=.Fd.
> 0230: 0D 19 ..
> Failed to connect to the controller: Unable to authenticate against controller at localhost.localdomain:9990: Authentication failed: all available authentication mechanisms failed:
> GSSAPI: Server rejected authentication
> {code}
--
[JBoss JIRA] (WFCORE-2381) CS tool, review usage documentation
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2381?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8191 to WFCORE-2381:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2381 (was: WFLY-8191)
Component/s: Security
(was: Security)
> CS tool, review usage documentation
> -----------------------------------
>
> Key: WFCORE-2381
> URL: https://issues.jboss.org/browse/WFCORE-2381
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: credential-store
>
> Current usage output
> {code}
> usage: java -jar wildfly-elytron-tool.jar credential-store <sub-command>
> <options> -a <arg> | -e <arg> | -h | -r <arg> | -v [-c] [-f] [-i
> <arg>] [-l <arg>] [-p <arg>] [-s <arg>] [-t <arg>] [-u <arg>] [-x
> <arg>]
> -a,--add <arg> Add new alias to the credential store
> -c,--create Create credential store [true/false]
> -e,--exists <arg> Check if alias exists within the credential store
> -f,--summary Print summary, especially command how to create
> this credential store
> -h,--help Get help with usage of this command
> -i,--iteration <arg> Iteration count for for final masked password of
> the credential store
> -l,--location <arg> Location of credential store storage file
> -p,--password <arg> Password for credential store
> -r,--remove <arg> Remove alias from the credential store
> -s,--salt <arg> Salt to apply for final masked password of the
> credential store
> -t,--type <arg> Credential store type
> -u,--uri <arg> Configuration URI for credential store
> -v,--aliases Display all aliases
> -x,--secret <arg> Password credential value
> {code}
> IMO it suffers from these issues:
> - it introduces a misleading <sub-command> placeholder. It is not used now; it is prepared for future needs. Please remove it.
> - it is not obvious which options are required in conjunction with e.g. the --add option
> - use GNU usage syntax, e.g. [] instead of <>
> - sometimes it would be more useful to replace <arg> with a meaningful name, e.g. --add alias
> I suggest something like
> {code}
> java -jar wildfly-elytron-tool.jar credential-store required_option [options]
> java -jar wildfly-elytron-tool.jar credential-store --add alias -u arg ... [-c] ...
> java -jar wildfly-elytron-tool.jar credential-store --remove alias -u arg [-c] ...
> ...
> One of these is required
> -a,--add alias Add new alias to the credential store
> -e,--exists alias Check if alias exists within the credential store
> -h,--help Get help with usage of this command
> -r,--remove alias Remove alias from the credential store
> -v,--aliases Display all aliases
> Options
> -c,--create Create credential store [true/false]
> -f,--summary Print summary, especially command how to create this credential store
> -i,--iteration count Iteration count for final masked password of the credential store
> -l,--location file Location of credential store storage file
> -p,--password store_password Password for credential store
> -s,--salt arg Salt to apply for final masked password of the credential store
> -t,--type arg Credential store type
> -u,--uri arg Configuration URI for credential store
> -x,--secret value Password credential value
> {code}
--
[JBoss JIRA] (WFCORE-2379) Synchronize XSD and DMR description of credential-store attributes
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2379?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8157 to WFCORE-2379:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2379 (was: WFLY-8157)
Component/s: Security
(was: Security)
> Synchronize XSD and DMR description of credential-store attributes
> ------------------------------------------------------------------
>
> Key: WFCORE-2379
> URL: https://issues.jboss.org/browse/WFCORE-2379
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Labels: credential-store
>
> Use the XSD description in the DMR description, because the description in the XSD is better for these attributes
> * provider-name
> * providers
> * other-providers
> * relative-to
> * uri (DMR description contains wrong vault://)
> For the {{type}} attribute use this description in both XSD and DMR: "The credential store type, e.g. KeyStoreCredentialStore". Now KeyStorePasswordStore is wrongly mentioned:
> {code:xml|title=XSD}
> <xs:attribute name="type" type="xs:string" use="optional">
> <xs:annotation>
> <xs:documentation>
> The credential store type, e.g. KeyStorePasswordStore.
> </xs:documentation>
> </xs:annotation>
> </xs:attribute>
> {code}
--
[JBoss JIRA] (WFCORE-2375) Definition Credential Store with existing storage file but with wrong store password causes ugly failure-description.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2375?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7481 to WFCORE-2375:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2375 (was: WFLY-7481)
Component/s: Security
(was: Security)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Definition Credential Store with existing storage file but with wrong store password causes ugly failure-description.
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2375
> URL: https://issues.jboss.org/browse/WFCORE-2375
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Fix For: 4.0.0.Alpha1
>
>
> Defining a Credential Store with an existing storage file but with the wrong store password causes an ugly failure-description.
> *How to reproduce*
> Prepare the credential store file (the easiest way is to create the credential store from scratch)
> {code}
> /subsystem=elytron/credential-store=cs_pass123:add(uri="cr-store://test/cs/ks-pass123.jceks?store.password=pass123;create.storage=true")
> /subsystem=elytron/credential-store=cs_pass123/alias=dbPass:add(secret-value=passwordToDB)
> {code}
> Then I try to create a Credential store with the wrong store password for the existing store file.
> {code}
> /subsystem=elytron/credential-store=cs_wrong_store_pass:add(uri="cr-store://test/cs/ks-pass123.jceks?store.password=pass123wrong;key.password=pass123=true")
> {code}
> *I can see this result:*
> {code}
> {
> "outcome" => "failed",
> "failure-description" => {
> "WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store-client.cs_wrong_key_pass" => "org.jboss.msc.service.StartException in service org.wildfly.security.credential-store-client.cs_wrong_key_pass: WFLYELY00004: Unable to start the service.
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09506: Cannot read credential storage file '/home/hsvabek/securityworkspace/VERIFICATION/2016_11_02_UX_testing/jboss-eap-7.1.0.DR7/standalone/data/cs/ks-pass123.jceks' for the store named 'cs_wrong_key_pass'
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect"},
> "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.credential-store-client.cs_wrong_key_pass"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
> },
> "rolled-back" => true
> }
> {code}
> *Suggestion for solution*
> The failure-description must not contain an exception or a stack trace snippet.
> A description like "Password to access credential store is incorrect." instead.
--
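As an added example (not WildFly/Elytron code) for both WFCORE-2385 above and this report, the following Java class builds a small JCEKS keystore in memory and shows the two keystore behaviours underneath the symptoms: JCEKS aliases are case-insensitive, which is why ALIAS001 collides with alias001 inside the store even though the management model treated it as a new resource, and a wrong store password surfaces as an IOException whose cause is an UnrecoverableKeyException, which is the condition to map to a clean message such as the one the reporter suggests. The class name, the helper methods and the sample alias and password values are this example's own (the values mirror the reports).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not WildFly/Elytron code. Two behaviours a JCEKS-backed credential store
 * inherits from the keystore underneath it, shown on an in-memory store built here:
 *  1. JCEKS aliases are case-insensitive (the keystore lower-cases them), so "ALIAS001"
 *     names the same entry as "alias001"; a duplicate check done on the raw model name
 *     misses that and the request fails later, in the store, with a different message;
 *  2. loading the file with the wrong store password throws an IOException whose cause is
 *     an UnrecoverableKeyException, which can be reported as a plain "password incorrect"
 *     instead of the raw "Keystore was tampered with, or password was incorrect" text.
 */
public final class JceksCredentialStoreChecks {

    private static final char[] STORE_PASSWORD = "pass123".toCharArray();

    private JceksCredentialStoreChecks() {
    }

    /** Constructed test data: a JCEKS store with one secret stored under {@code alias}. */
    static byte[] storeWithAlias(String alias, String secret) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null); // start from an empty store
        SecretKeySpec key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "RAW");
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(STORE_PASSWORD));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASSWORD);
        return out.toByteArray();
    }

    /** Duplicate check that asks the keystore itself, so it follows the keystore's alias rules. */
    static boolean aliasExists(byte[] storeBytes, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(storeBytes), STORE_PASSWORD);
        return ks.containsAlias(alias);
    }

    /** Returns null when the store opens, otherwise a user-facing reason without exception text. */
    static String openFailureReason(byte[] storeBytes, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(new ByteArrayInputStream(storeBytes), password);
            return null;
        } catch (IOException e) {
            // JceKeyStore signals a failed password check with this specific cause.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return "Password to access credential store is incorrect.";
            }
            return "Credential store file is unreadable or not a JCEKS keystore.";
        } catch (GeneralSecurityException e) {
            return "Credential store could not be opened: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] store = storeWithAlias("alias001", "secret");
        System.out.println("alias001 exists: " + aliasExists(store, "alias001"));
        System.out.println("ALIAS001 exists: " + aliasExists(store, "ALIAS001"));
        System.out.println("right password:  " + openFailureReason(store, STORE_PASSWORD));
        System.out.println("wrong password:  " + openFailureReason(store, "pass123wrong".toCharArray()));
    }
}
```

Both lookups in main report the alias as present, because the model-level name and the keystore alias are not the same namespace: any duplicate check that runs before the store is consulted has to normalise the alias the way the store does (lower-casing, for JCEKS and JKS) or it will produce the two different outcomes seen in WFCORE-2385. For the wrong-password case, keying the user-facing message off the UnrecoverableKeyException cause rather than off the exception text keeps the stack-trace fragments out of the failure-description, as WFCORE-2375 asks.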
[JBoss JIRA] (WFCORE-2376) There isn't possibility disable create CS file from scratch
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2376?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7920 to WFCORE-2376:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2376 (was: WFLY-7920)
Component/s: Security
(was: Security)
> There isn't possibility disable create CS file from scratch
> -----------------------------------------------------------
>
> Key: WFCORE-2376
> URL: https://issues.jboss.org/browse/WFCORE-2376
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
> Priority: Blocker
>
> There isn't a possibility to disable creating the CS file from scratch.
> Earlier we were able to set create.storage to true/false.
> I can see a problem in this scenario:
> * I want to create a new CS with the path to an existing CS file
> * I fill in a wrong path
> * Everything passes
> But I want to use my CS file, not to create a new one.
--
[JBoss JIRA] (WFCORE-2377) Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2377?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8295 to WFCORE-2377:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2377 (was: WFLY-8295)
Component/s: Security
(was: Security)
> Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
> ----------------------------------------------------------------------------------------
>
> Key: WFCORE-2377
> URL: https://issues.jboss.org/browse/WFCORE-2377
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: ibm-java, kerberos
>
> On IBM Java, when obtain-kerberos-ticket is set to true the user always gets
> {code}
> javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
> {code}
> According to the IBM documentation [1], credsType=initiator and useKeytab are really incompatible.
> This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.
> {code}
> "path" => {
> "type" => STRING,
> "description" => "The path of the KeyTab to load to obtain the credential.",
> "attribute-group" => "file",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> },
> {code}
> And the keytab is always set in the Kerberos login module options
> {code:title=GSSCredentialSecurityFactory.java}
> if (IS_IBM) {
> options.put("noAddress", "true");
> options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
> options.put("useKeytab", keyTab.toURI().toURL().toString());
> }
> {code}
> [1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.sec...
> I am not setting this to blocker just because I am not sure about the importance of obtain-kerberos-ticket. See my question JBEAP-9292.
--