[keycloak-dev] jboss-cli access to SSL/secured mgmt port FAILs for keycloak8/wildfly17 configured with Eltyron SSL subsystem & 2-way SSL auth for MgmtUI ?
PGNet Dev
pgnet.dev at gmail.com
Sat Aug 24 17:43:37 EDT 2019
I've installed keycloak8/wildfly17 built from sources,
egrep -i "<wildfly\.[a-z].*\.version>" /usr/local/src/keycloak/pom.xml
<wildfly.version>17.0.1.Final</wildfly.version>
<wildfly.build-tools.version>1.2.10.Final</wildfly.build-tools.version>
<wildfly.core.version>9.0.2.Final</wildfly.core.version>
<wildfly.common.version>1.5.1.Final</wildfly.common.version>
<wildfly.plugin.version>1.1.0.Final</wildfly.plugin.version>
with
java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (IcedTea 3.13.0) (build 1.8.0_222-b10 suse-lp151.333.1-x86_64)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
mvn -version
Maven home: /usr/share/java/maven
Java version: 1.8.0_222, vendor: IcedTea, runtime: /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.2.9-26.g0100738-default", arch: "amd64", family: "unix"
Following docs at
http://docs.wildfly.org/17/WildFly_Elytron_Security.html
I've installed/enabled the Elytron wildfly adapter, rm'd refs to the legacy security realm, & updated the https-listener to use Elytron's ssl-context.
At this stage, cmd-line access to the mgmt controller works as expected,
jboss-cli.sh \
--connect \
--controller=10.0.0.1:9990 \
--properties=/etc/keycloak/jboss.properties \
--user=mgmtuser \
--password=mgmtpass \
--version
JBoss Admin Command-line Interface
JBOSS_HOME: /opt/keycloak
Release: 9.0.2.Final
Product: Keycloak 8.0.0-SNAPSHOT
JAVA_HOME: /etc/alternatives/java_sdk_openjdk
java.version: 12.0.2
java.vm.vendor: Oracle Corporation
java.vm.version: 12.0.2+9-suse-lp151.40.1-x8664
os.name: Linux
os.version: 5.2.9-25.g71d4424-default
Next, I've set up 2-way SSL auth for both the mgmt & admin consoles.
Checking *browser* access,
the secured WF Management console @
https://10.0.0.1:9993
WORKS, and the unsecured URL
http://10.0.0.1:9990
correctly REDIRECTS to the above https://
The secured Admin console @
https://10.0.0.1:8443/auth/admin
works. Unsecured Admin console access @
*also* (still) works. (Not sure why it's not disabled yet ...)
Now, jboss-cli access to the unsecured port,
jboss-cli.sh \
--connect \
--controller=10.0.0.1:9990 \
--properties=/etc/keycloak/jboss.properties \
--user=mgmtuser \
--password=mgmtpass \
--version
FAILs with
Failed to connect to the controller: The controller is not available at 10.0.0.1:990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://10.0.0.1:990. The connection failed: WFLYPRT0053: Could not connect to remote+http://10.0.0.1:990. The connection failed: Connection refused
There's apparently no functional redirection, as in the browser.
CLI access to the SECURED port ALSO fails,
jboss-cli.sh \
--connect \
--controller=remote+https://10.0.0.1:9993 \
-Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jks \
--properties=/etc/keycloak/jboss.properties \
--user=mgmtuser \
--password=mgmtpass \
--version
Failed to connect to the controller: The controller is not available at 10.0.0.1:9993: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+https://10.0.0.1:9993. The connection failed: WFLYPRT0053: Could not connect to remote+https://10.0.0.1:9993. The connection failed: java.nio.channels.ClosedChannelException
Reading these docs,
WildFly Client Configuration
version 17.0.0.Final, 2019-07-15T01:10:21Z
https://docs.wildfly.org/17/Client_Guide.html#Remoting_Client_Configuration
doesn't get me any further on solving the problem.
What additional elytron (other?) subsystem command 'magic' is needed to get the jboss-cli WF client working on the secured SSL port?
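As an added example, not part of the original post or the WildFly project's own files: a wildfly-config.xml for the jboss-cli client that supplies both a trust store and a client key store, which two-way SSL requires (-Djavax.net.ssl.trustStore alone gives the CLI nothing to present when the server asks for a client certificate). The trust store path is the one from the post; the key store path, passwords, and config file location are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: /etc/keycloak/wildfly-config.xml. Pointed at with
     jboss-cli.sh -Dwildfly.config.url=file:///etc/keycloak/wildfly-config.xml \
         --connect --controller=remote+https://10.0.0.1:9993 -->
<configuration>
    <authentication-client xmlns="urn:elytron:client:1.2">
        <key-stores>
            <!-- Client certificate + private key presented to the server (assumed path). -->
            <key-store name="cli-keystore" type="JKS">
                <file name="/etc/keycloak/keystore.client.jks"/>
                <key-store-clear-password password="CHANGEME-keystore-password"/>
            </key-store>
            <!-- CA that signed the server's certificate; path taken from the post. -->
            <key-store name="cli-truststore" type="JKS">
                <file name="/etc/keycloak/truststore.client.jks"/>
                <key-store-clear-password password="CHANGEME-truststore-password"/>
            </key-store>
        </key-stores>
        <ssl-contexts>
            <ssl-context name="cli-ssl-context">
                <!-- Key material for the client side of the mutual handshake. -->
                <key-store-ssl-certificate key-store-name="cli-keystore">
                    <key-store-clear-password password="CHANGEME-key-password"/>
                </key-store-ssl-certificate>
                <!-- Anchors used to verify the management interface's certificate. -->
                <trust-store key-store-name="cli-truststore"/>
                <protocol names="TLSv1.2"/>
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <!-- Apply the context only to the management host from the post. -->
            <rule use-ssl-context="cli-ssl-context">
                <match-host name="10.0.0.1"/>
            </rule>
        </ssl-context-rules>
    </authentication-client>
</configuration>
```

Keep the file readable only by the operator account, since it carries the key store passwords in clear text.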