5 Replies Latest reply on Mar 28, 2012 5:03 AM by karink

    enabling ssl for the communication between master and slave host controller

    karink

      Hi everybody

       

      this question is related to JBoss 7.1.1.

       

      I would like to enable ssl between master and slave host controller

       

      this is my config

      host.xml of the master

      <security-realm name="ManagementRealmNative">
          <server-identities>
              <ssl>
                  <keystore path="master-jboss.jks" relative-to="jboss.domain.config.dir" password="12345"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="trusted.jks" relative-to="jboss.domain.config.dir" password="12345"/>
              <properties path="mgmt-users-native.properties" relative-to="jboss.domain.config.dir"/>
          </authentication>
      </security-realm>
      ...
      <management-interfaces>
          <native-interface security-realm="ManagementRealmNative">
              <socket interface="management" port="9999"/>
          </native-interface>
      ...
      <domain-controller>
          <local/>
      </domain-controller>

       

      host.xml of the slave

      <security-realm name="ManagementRealmNative">
          <server-identities>
              <ssl>
                  <keystore path="jboss-slave.jks" relative-to="jboss.domain.config.dir" password="12345"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="trusted_devmod.jks" relative-to="jboss.domain.config.dir" password="12345"/>
          </authentication>
      </security-realm>
      ....
      <management-interfaces>
          <native-interface security-realm="ManagementRealmNative">
              <socket interface="management" port="19999"/>
          </native-interface>
      ..
      <domain-controller>
          <remote host="myip" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealmNative"/>
      </domain-controller>

       

      Actually it seems to work (with SSL); I have not debugged it, but when using a slave host controller without SSL enabled I got an error on the master host controller claiming: Remote connection failed: javax.net.ssl.SSLHandshakeException: no cipher suites in common

       

      Can you please just verify whether my configuration makes sense from your point of view.

       

      In the next step I was trying to access the master host controller via using jboss-cli.bat locally on the same machine.

      This failed with the following error message on the master host controller side:

      [org.jboss.remoting.remote.connection] (Remoting "master:MANAGEMENT" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

       

      Reading this wiki text

      https://community.jboss.org/wiki/AS710Beta1-SecurityEnabledByDefault

      I thought that local clients will be handled from a security point of view in a different way (using a one time token generated by the server).

      Is this at the moment a bug, or did I misinterpret the wiki, or is my config not correct?

       

      Thanks for your help

      Karin

        • 1. Re: enabling ssl for the communication between master and slave host controller
          dlofthouse

          Yes, the configuration between the master and slave does appear to be correct. What does your slave configuration look like when you get that error? Are you also removing the truststore on the slave when you get that error? If so, that does sound correct, as the slave cannot trust the master server, so the connection cannot be negotiated.

           

          For the CLI scenario, have you performed any configuration changes for the CLI to reach that point? I.e. have you set any system properties on the CLI to point to a key or trust store, or even used the CLI configuration file to specify these? In general an out-of-the-box CLI configuration should fall back to either the local mechanism or username/password authentication and prompt you to decide if you want to trust the server's certificate, but if you have started to change the key and trust store configurations on the CLI that would not be the case.

          • 2. Re: enabling ssl for the communication between master and slave host controller
            karink

            Hi Darran

             

            For the CLI scenario:

            I have taken the original cli script (I did not modify anything)

             

            Actually I think I just found out what the real problem is:
            I have bound my management interface to a concrete IP.

            But when using the CLI client to connect I used not this IP but 0.0.0.0.

             

            I have now just tried to connect with the concrete IP and then it works (because the domain controller then recognizes that this is a local client).

             

            Regards
            Karin

            • 3. Re: enabling ssl for the communication between master and slave host controller
              karink

              Hi Darran

               

              I think in my configuration there must be something missing.

               

              Shouldn't I insert on the master controller which slave controller is allowed to access the master controller?

              I would suppose that I have to insert the CN of the slave controller certificate somewhere (e.g. in mgmt-users-native.properties). It's not clear to me how the master controller verifies whether this is a slave controller that has been granted access.

               

              Regards Karin

              • 4. Re: enabling ssl for the communication between master and slave host controller
                dlofthouse

                On the master you have already provided that with the truststore.

                • 5. Re: enabling ssl for the communication between master and slave host controller
                  karink

                  I thought the truststore contains the issuing CA.

                  So this means I should supply the public keys of all slave host controllers in the truststore of the master domain controller?
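Added example, not code from this thread or from the JBoss project: a keytool script that builds the master's trusted.jks from the slave host controllers' own self-signed certificates (the case raised in replies 4 and 5) and then checks which aliases the store actually trusts. All aliases, DNs, passwords and the scratch directory are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread or from JBoss: build the master host
# controller's trusted.jks from the slaves' own certificates and check what it trusts.
# All aliases, DNs, passwords and paths below are constructed sample values.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the sample stores
PASS=changeit                  # sample store password (the thread uses "12345")

# Create a self-signed identity for one host controller: $1 = alias, $2 = CN.
# No CA is involved, so trust can only be granted per certificate.
gen_identity() {
    keytool -genkeypair -storetype JKS -alias "$1" -keyalg RSA -keysize 2048 \
        -dname "CN=$2, O=Example" -validity 365 \
        -keystore "$WORK/$1.jks" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Export a slave's public certificate and import it into the master's trusted.jks.
# Only certificates present here (or issued by a CA present here) pass the
# SSL handshake; a slave whose certificate is missing is rejected.
trust_slave() {
    keytool -exportcert -storetype JKS -alias "$1" -keystore "$WORK/$1.jks" \
        -storepass "$PASS" -rfc -file "$WORK/$1.pem" >/dev/null 2>&1
    keytool -importcert -storetype JKS -noprompt -alias "$1" -file "$WORK/$1.pem" \
        -keystore "$WORK/trusted.jks" -storepass "$PASS" >/dev/null 2>&1
}

# Succeed (exit 0) if trusted.jks holds an entry under alias $1, else fail.
# keytool -list prints one "alias, date, trustedCertEntry," line per entry.
truststore_has_alias() {
    [ -f "$WORK/trusted.jks" ] || return 1
    keytool -list -storetype JKS -keystore "$WORK/trusted.jks" -storepass "$PASS" 2>/dev/null \
        | grep -qi "^$1,"
}

# Walk-through: two slaves exist, only slave1 is authorised on the master.
demo() {
    gen_identity master master.example.org
    gen_identity slave1 slave1.example.org
    gen_identity slave2 slave2.example.org
    trust_slave slave1
    truststore_has_alias slave1 && echo "slave1: trusted by master"
    truststore_has_alias slave2 || echo "slave2: not in trusted.jks, handshake would fail"
}

if command -v keytool >/dev/null 2>&1; then
    demo
else
    echo "keytool (JDK) not found; functions defined but demo skipped" >&2
fi
```

If the truststore holds a CA certificate instead, every certificate that CA issues is accepted, so the per-slave decision then rests with whoever issues certificates from that CA rather than with the master's truststore.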