1 Reply Latest reply on Jul 2, 2013 4:43 AM by dlofthouse

    ManagementRealm SSL error: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

    pickledradish

      I'm running EAP 6.1.0 in domain mode on RHEL6.

       

      I'm trying to configure the native interface on port 9999 on the domain controller to use SSL.  Eventually I'd like to use the certificates for authentication between the domain controller and host controllers, but for now I'm simply trying to get the SSL handshake to work.

       

      I'm using a self-signed certificate for now.

       

      I have the following configuration in host.xml on the domain controller:

       

      <security-realm name="ManagementRealm">
          <authentication>
              <local default-user="$local" />
              <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
          </authentication>
          <server-identities>
              <ssl>
                  <keystore alias="certificate" path="/path/to/keystores/certificate.keystore" keystore-password="mypassword"/>
              </ssl>
          </server-identities>
      </security-realm>
      <security-realm name="LDAPRealm">
          <authentication>
              ...
          </authentication>
          <server-identities>
              <ssl>
                  <keystore alias="certificate" path="/path/to/keystores/certificate.keystore" keystore-password="mypassword"/>
              </ssl>
          </server-identities>
      </security-realm>
      ...
      
      <management-interfaces>
          <native-interface security-realm="ManagementRealm">
              <socket interface="management" port="${jboss.management.native.port:9999}"/>
          </native-interface>
          <http-interface security-realm="LDAPRealm">
              <socket interface="management" secure-port="9443"/>
          </http-interface>
      </management-interfaces>
      

       

      When I connect to the http interface on 9443, I can connect over SSL and verify that the certificate is the self-signed certificate I created.

       

      When the host controller connects to the native interface, I get the following error on the DC:

      [Host Controller] 15:09:22,086 ERROR [org.jboss.remoting.remote.connection] (Remoting "master-host:MANAGEMENT" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

       

      On the host controller, I get the error:

      [Host Controller] 15:09:22,120 ERROR [org.jboss.remoting.remote.connection] (Remoting "slave-host:MANAGEMENT" read-1) JBREM000200: Remote connection failed: java.io.IOException: JBREM000202: Abrupt close on Remoting connection 0a514771 to master-host/<ip_snipped>:9999

       

      I tried to configure the ManagementRealm on the host controller with a self-signed certificate and to add that certificate as a trusted certificate to the keystore on the domain controller, but I get the same result.

       

      From what I've read, this would seem to indicate a problem with the certificate, but in that case I don't understand why the certificate works in the other security realm.

       

      Am I missing something?

        • 1. Re: ManagementRealm SSL error: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
          dlofthouse

          As you are using self-signed certificates on the slave host controller you require a truststore that contains the certificate of the master domain controller. This trust store then needs to be defined on a security realm that is referenced on the element defining the remote connection to the master domain controller.

           

          When you tested with your web browser, the browser was able to give you a prompt to manually verify the certificate of the server you were connecting to. For a slave domain controller this is not possible, so it needs the certificate to be already present in a local trust store.
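
A sketch of the slave-side host.xml arrangement the reply above describes, added here as an illustration and not posted by either participant. It assumes the EAP 6 management schema's `<truststore>` element under `<authentication>`, the `<secret>` server identity, and the `security-realm` attribute on `<remote>`; the realm name `MasterTrustRealm`, the truststore path, and both passwords are placeholders.

```xml
<!-- Added example: fragments of host.xml on the slave host controller.
     Realm name, truststore path and passwords are placeholders.

     Build the truststore first (keytool ships with the JDK).
       On the master, export the self-signed certificate:
         keytool -exportcert -alias certificate \
           -keystore /path/to/keystores/certificate.keystore -file master.cer
       On the slave, import it as a trusted entry:
         keytool -importcert -alias master -file master.cer \
           -keystore /path/to/keystores/master.truststore
-->
<management>
    <security-realms>
        <!-- Realm used only for the outbound connection to the master. -->
        <security-realm name="MasterTrustRealm">
            <server-identities>
                <!-- Assumption: the slave still authenticates to the master
                     with its Base64-encoded management user password. -->
                <secret value="PLACEHOLDER_BASE64_SECRET"/>
            </server-identities>
            <authentication>
                <!-- Certificates the slave accepts from the master during
                     the SSL handshake on the native interface. -->
                <truststore path="/path/to/keystores/master.truststore"
                            keystore-password="PLACEHOLDER_PASSWORD"/>
            </authentication>
        </security-realm>
    </security-realms>
</management>

<domain-controller>
    <!-- The realm referenced here supplies the truststore, so the master's
         certificate is checked without any interactive prompt. -->
    <remote host="master-host" port="9999" security-realm="MasterTrustRealm"/>
</domain-controller>
```

Comparing the fingerprint printed by `keytool -list -v` on the master keystore with the one shown by `-importcert` before accepting it confirms that the slave is trusting the intended certificate.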