[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.s... ] R Stokoe updated AS7-4577: -------------------------- Summary: Management console security does not work if security-realm name is not "ManagementRealm" (was: Management console ssl does not work if security-realm name is not "ManagementRealm") Workaround Description: (was: use: <security-realm name="ManagementRealm"> <server-identities> <ssl>... ) Workaround: (was: Workaround Exists) Description: Configuring management console security only works if security-realm name is "ManagementRealm". If any other name is used, authentication repeatedly silently fails. This makes it impossible to configure the native and http management interfaces differently. For example ssl only for http-interface. was:Configuring management console to use https only works if security-realm name is "ManagementRealm". If any other name is used, authentication repeatedly silently fails. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated AS7-4577: ---------------------------------- Fix Version/s: 7.1.2.Final-redhat1 Priority: Critical (was: Major) Could you please attach a full descriptor for your config - please feel free to remove your keystore passwords. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.s... ] R Stokoe commented on AS7-4577: ------------------------------- 1) Did you try to reproduce using the steps I listed? 2) Some of my problems may have been due to wrong realm name in mgmt-users.properties but I did manage to get past those issues. As an asside, one of the problems i had was that jboss.server.base.dir is ignored by add-user. It still writes to $JBOSS_HOME/standalone/configuration/mgmt-users.properties and $JBOSS_HOME/domain/configuration/mgmt-users.properties. Do you know if there is yet an issue on that? 3) Here is a rundown of 2 tests I ran that demonstrate the problem. The only change between the 2 tests was to switch the names of the 2 security realms used by the 2 management interfaces. In both cases the interface using ManagementRealm worked and the other didn't. mgmt-users.properties file was not changed between tests and contains the following users: # Realm: ManagementRealm user0=ea846d5c7e07c894095fa11df2010051 # Realm: ManagementRealm1 user1=a7002f5cac0db99fcb695838263d3caf # Realm: ManagementRealm2 user2=6024ee0d490bb0c53edcddca36cca9d3 jboss command: java -D[Standalone] -server -XX:+TieredCompilation -Xmx384m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Djboss.server.default.config=standalone-full.xml -Djboss.socket.binding.port-offset=300 -Djboss.socket.binding.port-offset=300 -Dorg.jboss.boot.log.file=/usr/jboss/jboss-as-7.1.1.Final/server/D4/log/boot.log -Dlogging.configuration=file:/usr/jboss/jboss-as-7.1.1.Final/server/D4/configuration/logging.properties -jar /usr/jboss/jboss-as-7.1.1.Final/jboss-modules.jar -mp /usr/jboss/jboss-as-7.1.1.Final/modules -jaxpmodule javax.xml.jaxp-provider org.jboss.as.standalone -Djboss.home.dir=/usr/jboss/jboss-as-7.1.1.Final -Djboss.server.base.dir=/usr/jboss/jboss-as-7.1.1.Final/server/D4 Note the following properties: -Djboss.socket.binding.port-offset=300 -Djboss.server.base.dir=/usr/jboss/jboss-as-7.1.1.Final/server/D4 #################################################################################################### test 1 management portion of configuration: <management> <security-realms> <security-realm name="ManagementRealm"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> <security-realm name="ManagementRealm1"> <server-identities> <ssl> <keystore path="mgmthttps.keystore" relative-to="jboss.server.config.dir" password="mgmtPasswd"/> </ssl> </server-identities> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> <security-realm name="ApplicationRealm"> <authentication> <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> </security-realms> <management-interfaces> <native-interface security-realm="ManagementRealm"> <socket-binding native="management-native"/> </native-interface> <http-interface security-realm="ManagementRealm1"> <socket-binding https="management-https"/> </http-interface> </management-interfaces> </management> . . . <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/> <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/> . . . results: interface port user works? --------- ---- ---- ------ native 10299 user0 yes https 97430 user1 no #################################################################################################### Test 2 (security-realm names were switched) config: <management> <security-realms> <security-realm name="ManagementRealm1"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> <security-realm name="ManagementRealm"> <server-identities> <ssl> <keystore path="mgmthttps.keystore" relative-to="jboss.server.config.dir" password="mgmtPasswd"/> </ssl> </server-identities> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> <security-realm name="ApplicationRealm"> <authentication> <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> </security-realms> <management-interfaces> <native-interface security-realm="ManagementRealm1"> <socket-binding native="management-native"/> </native-interface> <http-interface security-realm="ManagementRealm"> <socket-binding https="management-https"/> </http-interface> </management-interfaces> </management> . . . <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/> <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/> . . . results: interface port user works? --------- ---- ---- ------ native 10299 user1 no https 97430 user0 yes #################################################################################################### Test 3 Here is a diff between test 2 and 3: < <http-interface security-realm="ManagementRealm"> < <socket-binding https="management-https"/> --- configuration: <management> <security-realms> <security-realm name="ManagementRealm1"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> <security-realm name="ManagementRealm"> <server-identities> <ssl> <keystore path="mgmthttps.keystore" relative-to="jboss.server.config.dir" password="mgmtPasswd"/> </ssl> </server-identities> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> <security-realm name="ApplicationRealm"> <authentication> <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> </authentication> </security-realm> </security-realms> <management-interfaces> <native-interface security-realm="ManagementRealm1"> <socket-binding native="management-native"/> </native-interface> <http-interface security-realm="ManagementRealm1"> <socket-binding http="management-http"/> </http-interface> </management-interfaces> </management> . . . <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/> <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/> <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/> . . . results: interface port user works? --------- ---- ---- ------ native 10299 user1 no http 10290 user1 no -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse commented on AS7-4577: --------------------------------------- {quote}1) Did you try to reproduce using the steps I listed?{quote} I have now, however we are in the final stages leading to our next tag so for issues that need investigating quickly having as much information in the issue as possible is appreciated. I have my set up with two realms ManagementRealm and ManaementRealm1 and a user in the properties for each realm - provided I use the correct use for the currently assigned realm it is working as expected. Is it possible for you to confirm the password you have used for the 3 users? I would like to double check the hashes that have been generated. {quote}2) Some of my problems may have been due to wrong realm name in mgmt-users.properties but I did manage to get past those issues. As an asside, one of the problems i had was that jboss.server.base.dir is ignored by add-user. It still writes to $JBOSS_HOME/standalone/configuration/mgmt-users.properties and $JBOSS_HOME/domain/configuration/mgmt-users.properties. Do you know if there is yet an issue on that?{quote} Yes we have just recently had a few changes come in to look after location overrides. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.s... ] R Stokoe commented on AS7-4577: ------------------------------- all 3 user's passwords are "password". I will retest to make sure i was entering the correct password in each case. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.s... ] R Stokoe commented on AS7-4577: ------------------------------- You will find that they are not correct. I had ManagementRealm for the realm on all 3 users. I have fixed that and now verified that I was wrong about the security realm needing to be ManagementRealm. I'm sorry for the inconvenience. This is not a bug. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse commented on AS7-4577: --------------------------------------- {quote} I'm sorry for the inconvenience. {quote} No problem at all, glad we got to the bottom of the issue. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira