5 Replies Latest reply on May 14, 2013 1:03 PM by kclair-rei

    AdvertiseSecurityKey in version 1.1.1

    kclair-rei

      I am running mod_cluster version 1.1.1 with Apache version 2.2 and JBoss EAP 6.0 in domain mode.

       

      I'm trying to use AdvertiseSecurityKey, but it does not seem to have any effect. If I use the AdvertiseSecurityKey directive in the Apache configuration but do not define a key in the JBoss configuration, mod_cluster still finds the application server and enables all of the contexts.

       

      I saw this bug, but it looks like it should be fixed before version 1.1.1: https://issues.jboss.org/browse/MODCLUSTER-104

        • 1. Re: AdvertiseSecurityKey in version 1.1.1
          mbabacek

          Dear Kristina, perhaps, you might have misunderstood the purpose of this attribute. What would you like to use it for?

          The behavior you described is indeed expected.

          • 2. Re: AdvertiseSecurityKey in version 1.1.1
            kclair-rei

            No doubt I am confused!  I had trouble figuring out exactly what the feature was supposed to do based on the documentation.

             

            I had assumed that if it was defined in the apache module then any application server would need to provide the same key in order to be added to the cluster.

             

            I'm unclear if this.config.getAdvertiseSecurityKey(); in your code reference is referring to the apache config or the application server config.

             

            Also, I don't know if it matters, but your code reference is for version 1.2, but we're running 1.1.

            • 3. Re: AdvertiseSecurityKey in version 1.1.1
              rhusar

              The HTTPd advertisements are verified on the AS node. For the AS node to verify it, it needs to know what the security key actually is. When not set, this check is not performed. This prevents AS nodes from responding (and registering) to spoofy advertisements. So for the functionality to work, you need to configure this on both AS and HTTPd nodes.

               

              Note that it is the AS node that actually connects to the LB and configures it.
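The node-side check described in reply 3, modelled as an added example that is not part of the thread and not mod_cluster code. The HMAC-SHA256 digest is a stand-in rather than mod_cluster's real advertise format, and the field names, keys and addresses are constructed; `audit` is a hypothetical helper that flags nodes left without verification.

```python
import hashlib
import hmac
from typing import Optional

def sign(key: bytes, advert: dict) -> str:
    # Stand-in digest (HMAC-SHA256), NOT mod_cluster's real advertise format.
    msg = "{date}|{sequence}|{server}".format(**advert).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def node_accepts(advert: dict, node_key: Optional[bytes]) -> bool:
    """AS-node side: should this node respond to the advertisement?"""
    if node_key is None:
        return True  # no key on the node: the check is not performed
    digest = advert.get("digest")
    if not isinstance(digest, str):
        return False  # unsigned advertisement, but the node expects a digest
    return hmac.compare_digest(sign(node_key, advert), digest)

def audit(httpd_key: Optional[bytes], node_keys: dict) -> dict:
    """Classify each node's key configuration relative to the httpd side."""
    result = {}
    for name, key in node_keys.items():
        if key is None:
            result[name] = "unverified"  # accepts any advertisement
        elif key != httpd_key:
            result[name] = "mismatch"    # will ignore the real balancer
        else:
            result[name] = "verified"
    return result

# Constructed sample data (documentation address range, made-up keys).
HTTPD_KEY = b"example-shared-key"
base = {"date": "2013-05-14T13:00:00Z", "sequence": 7, "server": "192.0.2.10:6666"}
genuine = dict(base, digest=sign(HTTPD_KEY, base))
spoofed = dict(base, server="192.0.2.66:6666", digest=sign(b"guess", base))

if __name__ == "__main__":
    for label, key in (("no key on node", None), ("key on node", HTTPD_KEY)):
        print(label, "genuine:", node_accepts(genuine, key),
              "spoofed:", node_accepts(spoofed, key))
    print(audit(HTTPD_KEY, {"as1": HTTPD_KEY, "as2": None, "as3": b"old-key"}))
```

A node without a key accepts both sample advertisements, which matches the behaviour reported in the first post when the key is set only on the httpd side.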

              • 4. Re: AdvertiseSecurityKey in version 1.1.1
                rhusar

                Kristina, I have filed an issue to fix this https://issues.jboss.org/browse/MODCLUSTER-337 and require digest checking if it's set only on the HTTPd side too.

                • 5. Re: AdvertiseSecurityKey in version 1.1.1
                  kclair-rei

                  Thanks!

                   

                  So in the meantime, if I want to prevent unwanted nodes from joining the cluster, the best way to do that is to restrict access to / on the virtualhost based on IP/subnet and to enforce two-way SSL for mod_manager?