7 Replies Latest reply on Feb 17, 2012 10:20 PM by iran1314

    JBoss 7.1: Connect to a secured domain manager

    klaus_erber

      Hello,

       

      I have problems getting the domain operating mode working.

       

      JBoss version 7.1CR1b

      Master (ip 10.0.0.10) and slave (ip 10.0.0.11) are on two different virtual machines.

       

      Configuration master (host.xml):

       

      <host name="master" xmlns="urn:jboss:domain:1.1">
      
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
                  <http-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.http.port:9990}"/>
                  </http-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <local/>
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.10}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:127.0.0.1}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
          </servers>
      </host>
      

       

      User in mgmt-users.properties:

       

      node01=6cecc294214c4ec26082562e1db62c97
      

       

      Configuration slave (host.xml):

       

      <host name="node01" xmlns="urn:jboss:domain:1.1">
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="ServerRealm">
                      <server-identities>
                          <secret value="6cecc294214c4ec26082562e1db62c97" />
                      </server-identities>
                  </security-realm>
               </security-realms>
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <remote host="10.0.0.10" port="9999" security-realm="ServerRealm"/>
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.11}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:0.0.0.0}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
              <server name="server-one" group="main-server-group">
              </server>
          </servers>
      </host>
      

       

      The start of the master works fine.

       

      The start of the slave failed:

       

      11:16:23,406 INFO  [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
      11:16:23,593 INFO  [org.jboss.as.process.Host Controller.status] (main) JBAS012017: Starting process 'Host Controller'
      [Host Controller] 11:16:23,891 INFO  [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
      [Host Controller] 11:16:24,307 INFO  [org.jboss.msc] (main) JBoss MSC version 1.0.1.GA
      [Host Controller] 11:16:24,398 INFO  [org.jboss.as] (MSC service thread 1-1) JBoss AS 7.1.0.CR1b "Flux Capacitor" starting
      [Host Controller] 11:16:25,208 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) Operation ("validate-authentication") failed - address: ([
      [Host Controller]     ("host" => "node01"),
      [Host Controller]     ("core-service" => "management"),
      [Host Controller]     ("security-realm" => "ServerRealm")
      [Host Controller] ]) - failure description: "JBAS015245: No authentication mechanism defined in security realm 'ServerRealm'."
      [Host Controller] 11:16:25,227 INFO  [org.jboss.as] (Controller Boot Thread) JBoss AS (Host Controller) 7.1.0.CR1b "Flux Capacitor" started in 1548ms - Started 9 of 9 services (0 services are passive or on-demand)
      [Host Controller] 11:16:25,243 INFO  [org.jboss.as] (MSC service thread 1-1) JBoss AS 7.1.0.CR1b "Flux Capacitor" stopped in 5ms
      [Host Controller] 11:16:25,235 ERROR [org.jboss.as.controller] (Controller Boot Thread) JBAS014601: Error booting the container: java.lang.IllegalArgumentException: Name segment is null
      [Host Controller]       at org.jboss.msc.service.ServiceName.of(ServiceName.java:82) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
      [Host Controller]       at org.jboss.msc.service.ServiceName.append(ServiceName.java:112) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
      [Host Controller]       at org.jboss.as.host.controller.ServerInventoryService.install(ServerInventoryService.java:80) [jboss-as-host-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
      [Host Controller]       at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:307) [jboss-as-host-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
      [Host Controller]       at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:155) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
      [Host Controller]       at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
      [Host Controller]
      

       

      Can you help me? I think there is something wrong with the server-identities part of the slave configuration.

       

      regards

      Klaus

       

      Please have a look at the attached trace log of the master node. In particular this part:

       

      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) A2: AUTHENTICATE:remote/clustermanager.localdomain
      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) HEX(H(A2)): 94ae68b8547dc9a2f9656c69c3f23f58
      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) H(l�”!LN�`�V. �,�) = 6cecc294214c4ec26082562e1db62c97
      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) H(A1): 7ca2b986315220da327a62d5acc28170
      12:04:06,868 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) KD: 7ca2b986315220da327a62d5acc28170:7r7UJTEQv8HNkCjPMOFzuM/ZpVTu5pJL2k1nY5q6:00000001:zellkoEsYPTUntcCILe22UmBhvC9viBZEHcAUyKV:auth:94ae68b8547dc9a2f9656c69c3f23f58
      12:04:06,868 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) response-value: 0ba01b0f27322ec7f62276ea7fa8c8b7
      12:04:06,868 TRACE [org.jboss.remoting.remote.server] (Remoting "master:MANAGEMENT" task-4) Server sending authentication rejected (javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched response.)
      

       

       

      There is something wrong with the password comparison.

       

      Similar on the slave:

       

      12:04:07,608 TRACE [org.jboss.modules] (Remoting "endpoint" task-2) Defined class org.jboss.sasl.util.Charsets in Module "org.jboss.sasl:main" from local module loader @16aeea66 (roots: /opt/jboss-as/modules)
      12:04:07,611 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) A2: AUTHENTICATE:remote/clustermanager.localdomain
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) HEX(H(A2)): 94ae68b8547dc9a2f9656c69c3f23f58
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) H(� {@4@�}3/v  c |) = 86017b403440e17d332f76110563087c
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) H(A1): 73b5c10e8ab7827b6c59e8e4fc111c64
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) KD: 73b5c10e8ab7827b6c59e8e4fc111c64:7r7UJTEQv8HNkCjPMOFzuM/ZpVTu5pJL2k1nY5q6:00000001:zellkoEsYPTUntcCILe22UmBhvC9viBZEHcAUyKV:auth:94ae68b8547dc9a2f9656c69c3f23f58
      12:04:07,618 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) response-value: c23013459d9c939aca4029c8485d5ae0
      12:04:07,618 TRACE [org.jboss.remoting.remote.client] (Remoting "endpoint" task-2) Client sending authentication response
      12:04:07,618 TRACE [org.xnio.channels.framed] (Remoting "endpoint" task-2) Accepting java.nio.HeapByteBuffer[pos=0 lim=278 cap=8192] into java.nio.HeapByteBuffer[pos=0 lim=8196 cap=8196]
      12:04:07,618 TRACE [org.xnio.channels.framed] (Remoting "endpoint" task-2) Accepted a message into java.nio.HeapByteBuffer[pos=282 lim=8196 cap=8196]
      

       

       

      greetings

      Klaus

       

      Change by Klaus Erber

       

       

      Here comes a working configuration:

       

      Master host.xml:

       

      <host name="master" xmlns="urn:jboss:domain:1.1">
      
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>        
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
                  <http-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.http.port:9990}"/>
                  </http-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <local/>
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.10}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:127.0.0.1}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
          </servers>
      </host>
      

       

      User in mgmt-users.properties (created with add-user.sh script in ManagementRealm, password is 'laBadmin.6'):

       

      node01=d0114fbcb7421cb836ae551cf054d5a7
      

       

      Slave host.xml:

       

      <host name="node01" xmlns="urn:jboss:domain:1.1">
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                      <server-identities>
                          <secret value="bGFCYWRtaW4uNg==" />
                      </server-identities>                
                  </security-realm>
              </security-realms>
              <management-interfaces>
                  <native-interface>
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <remote host="10.0.0.10" port="9999" security-realm="ManagementRealm" />
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.11}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:0.0.0.0}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
              <server name="server-one" group="main-server-group">
              </server>
          </servers>
      </host>
      

       

      Note the value of the secret: it is the base64-encoded password 'laBadmin.6'.

      You can do that on http://www.motobit.com/util/base64-decoder-encoder.asp

       

      Changed by Klaus Erber
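
The following is an added example, not part of the original posts or of JBoss itself: it computes the slave's `<secret>` value locally and checks that it corresponds to the master's mgmt-users.properties entry. It assumes the stored value is HEX(MD5(username:realm:password)) as written by add-user.sh; the function names and the sample password in the demo are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "ManagementRealm"  # realm name used in the thread's host.xml files


def properties_hash(user: str, password: bytes, realm: str = REALM) -> str:
    """HEX(MD5(user:realm:password)), the value format of mgmt-users.properties."""
    a1 = b":".join([user.encode(), realm.encode(), password])
    return hashlib.md5(a1).hexdigest()


def encode_secret(password: str) -> str:
    """Value for <secret value="..."/> in the slave's host.xml."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def check_secret(user, secret_value, properties_line, realm=REALM):
    """Check a slave <secret> against the master's properties entry."""
    name, _, stored = properties_line.strip().partition("=")
    if name != user:
        return False, "properties entry is for a different user"
    try:
        # The secret must be base64 of the plain password, not the hash.
        password = base64.b64decode(secret_value, validate=True)
    except (binascii.Error, ValueError):
        return False, "secret is not valid base64"
    expected = properties_hash(user, password, realm)
    if not hmac.compare_digest(expected, stored.lower()):
        return False, "decoded secret does not hash to the stored value"
    return True, "secret matches the master's entry"


if __name__ == "__main__":
    pw = "Constructed-pw.1"  # constructed sample password
    line = "node01=" + properties_hash("node01", pw.encode())
    print(check_secret("node01", encode_secret(pw), line))
    # Pattern from the first post: the hash itself pasted into <secret>.
    print(check_secret("node01", line.split("=")[1], line))
```

Base64 is an encoding, not encryption, so the slave's host.xml holds a recoverable password and needs the same file permissions as mgmt-users.properties.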