6 Replies Latest reply on Jun 16, 2015 11:46 AM by andrew.pomponio

    unable to connect the CLI over an https-enabled management port

    andrew.pomponio

      Hello Wildfly developers,

       

       

      I was recently working on an issue for a customer in which they wanted to have their CLI encrypted with SSL along with the management console. I’ve managed to get their management console running on https no problem, but with Wildfly 8.x, I am unable to connect the CLI to the https-enabled management port.

       

       

      Using a clean version of 7.1.3, and the following configurations, I was able to connect the CLI on 9443;

      keytool -genkey -keystore chap8.keystore -storepass rmi+ssl -keypass rmi+ssl -keyalg RSA -alias chapter8 -validity 3650 -dname "cn=chapter8 example,ou=admin book,dc=jboss,dc=org"

       

       

      ./standalone.sh -c standalone-full.xml

       

       

      ./jboss-cli.sh -c --controller=localhost:9999

       

       

      In the CLI I was able to configure the <server-identies> for ManagementRealm by specifying the SSL information.

       

      /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-password="rmi+ssl", keystore-path="chap8.keystore", keystore-relative-to="jboss.server.config.dir", alias="chapter8",protocol="TLSv1")

       

      /core-service=management/management-interface=native-interface/:write-attribute(name=socket-binding,value=management-https)

       

      I then stopped the server and started it again with the following;

      ./standalone.sh -c standalone-full.xml  -Djavax.net.debug=all

       

      ./jboss-cli.sh -c --controller=localhost:9443

       

      However, with the same configurations on a Wildfly 8.2.0 instance, I get the following when attempting to configure the native-interface under ManagementRealm in the CLI the first time;

       

      [standalone@localhost:9990 /] /core-service=management/management-interface=native-interface/:write-attribute(name=socket-binding,value=management-https)

      {

          "outcome" => "failed",

          "failure-description" => "JBAS014807: Management resource '[

          (\"core-service\" => \"management\"),

          (\"management-interface\" => \"native-interface\")

      ]' not found",

          "rolled-back" => true,

          "response-headers" => {"process-state" => "reload-required"}

      }

       

       

      So I attempted to manually configure the expected output into my standalone-full.xml fille;

      <security-realms>

              <security-realm name="ManagementRealm">

                  <server-identities>

                      <ssl protocol="TLSv1">

                          <keystore path="chap8.keystore" relative-to="jboss.server.config.dir" keystore-password="rmi+ssl" alias="chapter8"/>

                      </ssl>

                  </server-identities>

                  <authentication>

                      <local default-user="$local"/>

                      <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>

                  </authentication>

              </security-realm>

              <security-realm name="ApplicationRealm">

                  <authentication>

                      <local default-user="$local" allowed-users="*"/>

                      <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                  </authentication>

                  <authorization>

                      <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

                  </authorization>

              </security-realm>

          </security-realms>

          <management-interfaces>

              <native-interface security-realm="ManagementRealm">

                  <socket-binding native="management-https"/>

              </native-interface>

              <http-interface security-realm="ManagementRealm">

                  <socket-binding http="management-http"/>

              </http-interface>

          </management-interfaces>

       

       

      When I go to start the server back up, I get the following;

      MacbookPro:bin apomponio$ ./standalone.sh -c standalone-full.xml  -Djavax.net.debug=all

      =========================================================================

       

       

        JBoss Bootstrap Environment

       

       

        JBOSS_HOME: /Users/andrew.pomponio/wildfly-8.2.0.Final

       

       

        JAVA: /Library/Java/JavaVirtualMachines/jdk1.8.0_11.jdk/Contents/Home//bin/java

       

       

        JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

       

       

      =========================================================================

       

       

      Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0

      10:53:12,066 INFO  [org.jboss.modules] (main) JBoss Modules version 1.3.3.Final

      10:53:12,349 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.2.Final

      10:53:12,396 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899: WildFly 8.2.0.Final "Tweek" starting

      10:53:12,765 ERROR [org.jboss.as.server] (Controller Boot Thread) JBAS015956: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: JBAS014676: Failed to parse configuration

      at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:112) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.server.ServerService.boot(ServerService.java:331) [wildfly-server-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:259) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

      at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]

      Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[64,4]

      Message: JBAS014789: Unexpected element '{urn:jboss:domain:2.2}management-interfaces' encountered

      at org.jboss.as.controller.parsing.ParseUtils.unexpectedElement(ParseUtils.java:85) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.domain.management.parsing.ManagementXml.parseSecurityRealms(ManagementXml.java:777) [wildfly-domain-management-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.domain.management.parsing.ManagementXml.access$000(ManagementXml.java:164) [wildfly-domain-management-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.domain.management.parsing.ManagementXml$Delegate.parseSecurityRealms(ManagementXml.java:179) [wildfly-domain-management-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement_1_5(ManagementXml.java:356) [wildfly-domain-management-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.domain.management.parsing.ManagementXml.parseManagement(ManagementXml.java:292) [wildfly-domain-management-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:453) [wildfly-server-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145) [wildfly-server-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107) [wildfly-server-8.2.0.Final.jar:8.2.0.Final]

      at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.1.0.Final.jar:1.1.0.Final]

      at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.1.0.Final.jar:1.1.0.Final]

      at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:104) [wildfly-controller-8.2.0.Final.jar:8.2.0.Final]

      ... 3 more

       

       

      10:53:12,767 FATAL [org.jboss.as.server] (Controller Boot Thread) JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

      10:53:12,813 INFO  [org.jboss.as] (MSC service thread 1-1) JBAS015950: WildFly 8.2.0.Final "Tweek" stopped in 43ms

      MacbookPro:bin apomponio$

       

       

      I would like to verify that this functionality is even available in Wildlfly due to the changes with UnderTow and the JMX interface.

       

       

      My customer is getting the following errors when trying to configure her native-interface for JMX. After adding native-interface, neither jboss-cli.sh nor browser work any more.

       

      websrvr@n9tvap1010:~/wildfly-8.2.0.Final/bin> jboss-cli.sh --connect --controller=10.200.40.23:9997

      org.jboss.as.cli.CliInitializationException: Failed to connect to the controller

              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:278)

              at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:253)

              at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

              at java.lang.reflect.Method.invoke(Method.java:497)

              at org.jboss.modules.Module.run(Module.java:312)

              at org.jboss.modules.Main.main(Main.java:460)

      Caused by: org.jboss.as.cli.CommandLineException: The controller is not available at 10.200.40.23:9997

              at org.jboss.as.cli.impl.CommandContextImpl.tryConnection(CommandContextImpl.java:1028)

              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:840)

              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:819)

              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:276)

              ... 8 more

      Caused by: java.io.IOException: java.net.ConnectException: JBAS012174: Could not connect to http-remoting://10.200.40.23:9997. The connection failed

              at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:129)

              at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:71)

              at org.jboss.as.cli.impl.CommandContextImpl.tryConnection(CommandContextImpl.java:1005)

              ... 11 more

      Caused by: java.net.ConnectException: JBAS012174: Could not connect to http-remoting://10.200.40.23:9997. The connection failed

              at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:117)

              at org.jboss.as.protocol.ProtocolConnectionManager$EstablishingConnection.connect(ProtocolConnectionManager.java:256)

              at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)

              at org.jboss.as.protocol.mgmt.FutureManagementChannel$Establishing.getChannel(FutureManagementChannel.java:204)

              at org.jboss.as.cli.impl.CLIModelControllerClient.getOrCreateChannel(CLIModelControllerClient.java:169)

              at org.jboss.as.cli.impl.CLIModelControllerClient$2.getChannel(CLIModelControllerClient.java:129)

              at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:117)

              at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:92)

              at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:236)

              at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:141)

              at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:127)

              ... 13 more

      Caused by: java.io.EOFException: XNIO000812: Connection closed unexpectedly

              at org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener.handleEvent(HttpUpgrade.java:416)

              at org.xnio.http.HttpUpgrade$HttpUpgradeState.flushUpgradeChannel(HttpUpgrade.java:369)

              at org.xnio.http.HttpUpgrade$HttpUpgradeState.access$900(HttpUpgrade.java:165)

              at org.xnio.http.HttpUpgrade$HttpUpgradeState$ConnectionOpenListener.handleEvent(HttpUpgrade.java:340)

              at org.xnio.http.HttpUpgrade$HttpUpgradeState$ConnectionOpenListener.handleEvent(HttpUpgrade.java:320)

              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)

              at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:324)

              at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)

              at ...asynchronous invocation...(Unknown Source)

              at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:272)

              at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:253)

              at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:351)

              at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:339)

              at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:78)

              at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:109)

              ... 23 more

        • 1. Re: unable to connect the CLI over an https-enabled management port
          ehugonnet

          Could you attach your xml configuration file so that we may take a look as your pasted config is missing some parts.

          • 2. Re: unable to connect the CLI over an https-enabled management port
            andrew.pomponio

            Attached.

            • 3. Re: unable to connect the CLI over an https-enabled management port
              ehugonnet

              You are using a native-interface instead of a http-interface so it won't use the correct protocol.

              • 4. Re: unable to connect the CLI over an https-enabled management port
                andrew.pomponio

                I am attempting for it to use https actually, and we are able to get http connected but not https.

                 

                I want to remove management-http port. But I can’t  run JMX client pointing to management-https port.

                 

                If I have both management-http and management-https configured, I can run JMX client pointing to management-http port:

                websrvr@n9tvap1010:~/admin/bin> ~/wildfly-8.2.0.Final/bin/jboss-cli.sh --connect --controller=10.200.40.23:19994

                [standalone@10.200.40.23:9997 /]

                 

                If I only have  management-https configured, I can’t run JMX client pointing to management-https port:

                websrvr@n9tvap1010:~/admin/bin> ~/wildfly-8.2.0.Final/bin/jboss-cli.sh --connect --controller=10.200.40.23:9997

                org.jboss.as.cli.CliInitializationException: Failed to connect to the controller

                        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:278)

                        at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:253)

                        at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)

                        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

                        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

                        at java.lang.reflect.Method.invoke(Method.java:497)

                        at org.jboss.modules.Module.run(Module.java:312)

                        at org.jboss.modules.Main.main(Main.java:460)

                Caused by: org.jboss.as.cli.CommandLineException: The controller is not available at 10.200.40.23:9997

                        at org.jboss.as.cli.impl.CommandContextImpl.tryConnection(CommandContextImpl.java:1028)

                        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:840)

                        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:819)

                        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:276)

                        ... 8 more

                Caused by: java.io.IOException: java.net.ConnectException: JBAS012174: Could not connect to http-remoting://10.200.40.23:9997. The connection failed

                        at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:129)

                        at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:71)

                        at org.jboss.as.cli.impl.CommandContextImpl.tryConnection(CommandContextImpl.java:1005)

                        ... 11 more

                Caused by: java.net.ConnectException: JBAS012174: Could not connect to http-remoting://10.200.40.23:9997. The connection failed

                        at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:117)

                        at org.jboss.as.protocol.ProtocolConnectionManager$EstablishingConnection.connect(ProtocolConnectionManager.java:256)

                        at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)

                        at org.jboss.as.protocol.mgmt.FutureManagementChannel$Establishing.getChannel(FutureManagementChannel.java:204)

                        at org.jboss.as.cli.impl.CLIModelControllerClient.getOrCreateChannel(CLIModelControllerClient.java:169)

                        at org.jboss.as.cli.impl.CLIModelControllerClient$2.getChannel(CLIModelControllerClient.java:129)

                        at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:117)

                        at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:92)

                        at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:236)

                        at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:141)

                        at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:127)

                        ... 13 more

                Caused by: java.io.EOFException: XNIO000812: Connection closed unexpectedly

                        at org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener.handleEvent(HttpUpgrade.java:416)

                        at org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener.handleEvent(HttpUpgrade.java:400)

                        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)

                        at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)

                        at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)

                        at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)

                        at ...asynchronous invocation...(Unknown Source)

                        at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:272)

                        at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:253)

                        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:351)

                        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:339)

                        at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:78)

                        at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:109)

                        ... 23 more

                 

                • 5. Re: unable to connect the CLI over an https-enabled management port
                  ehugonnet

                  I got it working properly with this configuration file.

                  • 6. Re: unable to connect the CLI over an https-enabled management port
                    andrew.pomponio

                    I apologize for the late response, your configuration worked perfectly and I love how it's designed to always upgrade to https! Thank you very much for your help!