13 Replies Latest reply on Mar 26, 2014 10:20 AM by pathduck

    4.10 - Now SSL to AS7 by default, why was this decided?

    pathduck

      Hey,

      just had a go at importing a couple AS7 servers into RHQ 4.10.

       

      Apparently the AS7 plugin now discovers and sets the port for the server to the secure port 9443 (+offset) instead of regular http 9990. This causes a lot of extra steps for us since:

      - SSL needs a lot more configuration to work, keystore, truststore, password etc etc.

      - We don't need it in our environment, and if we would it would be our decision to make.

      - If we want to change to SSL now for all Jboss AS7 we now need to change the port manually on all servers, as well as configure all the SSL settings, or do a complete uninventory of all servers, import and still have to configure all settings.

      - We could set it to "Trust any" and "Skip" hostname verification, but that would kind of defeat the purpose.

       

      Any idea why this was made the default, and if there is any plugin setting to override the default behaviour?

       

      thanks,

      Stian

        • 1. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
          pilhuhn

          Hey Stian,

           

          I think Thomas S. already somewhat answered this in a BZ comment.

           

          The main reason is that in newer versions (especially EAP), http management port is disabled by default. So without https support, the user needs to first edit the standalone.conf file in order to import the server. Unfortunately this is nothing we can easily detect and report in the UI with the current RHQ architecture.

           

          There are a few ways to attack this:

          * have a listener in the server + some preferences to say "always prefer http"

          * have a way to enable the http port via some sort of operation (chicken/egg issue, as operations run on resources in inventory)

          * Implement 2-phase-discovery, where the user can select the http port in the discovery queue

          • 2. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
            pathduck

            Hello Heiko,

            thanks for the reply.

             

            I understand that plain http management is disabled in EAP/Wildfly so it's "kind of" understandable that this change needs to come. And hopefully it's not that much work to change it in RHQ on our side to use HTTPS for new discovered servers. We want it to be consistent for all AS7 servers so we will have to use groups to set this I guess.

             

            However, a couple of questions:

            - I understand this is the connection from Agent > Jboss, correct? So this I assume goes over 'localhost' and the loopback interface. I don't really understand the reason why its necessary to have encryption here if it's loopback interface.

            - The above assumption means this is not the connection RHQ Server > Agent which is encrypted and this is (IMO) more important to encrypt as management passwords are sent in clear text Server > Agent. But this is another matter of configuring SSL between server and agent.

            - Since this is Agent > Jboss connection, the truststore specified should be the *local* file on each JBoss server, not a keystore on the RHQ server, if I understand correctly?

             

            Also, since what version of AS/EAP is http management disabled? Since I have the release of EAP 6.2 and looking at standalone.xml it looks like only http-management is enabled:

             

                <management-interfaces>
                    <native-interface security-realm="ManagementRealm">
                        <socket-binding native="management-native"/>
                    </native-interface>
                    <http-interface security-realm="ManagementRealm">
                        <socket-binding http="management-http"/>
                    </http-interface>
                </management-interfaces>
            • 3. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
              pathduck

              It also looks like hostname verification always must be set to False, since it gets Hostname from from the bind address, i.e. 0.0.0.0, and then uses that to try to verify the certficate. Obviously no-one has 0.0.0.0 as their Common Name, however, most/many have probably bound the mangement interface to 0.0.0.0 (or 127.0.0.1).

              • 4. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                tsegismont

                Stian Lund a écrit:

                 

                It also looks like hostname verification always must be set to False, since it gets Hostname from from the bind address, i.e. 0.0.0.0, and then uses that to try to verify the certficate. Obviously no-one has 0.0.0.0 as their Common Name, however, most/many have probably bound the mangement interface to 0.0.0.0 (or 127.0.0.1).

                I don't get it, which hostname verification parameter are you talking about? In AS7 servers plugin config properties, hostname verification can take one of the following values:

                • Strict
                • Browser-compatible
                • Skip

                 

                These values indicate how the agent will compare the certificate CN with the remote host.

                • 5. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                  pathduck

                  Thomas Segismont wrote:

                  I don't get it, which hostname verification parameter are you talking about? In AS7 servers plugin config properties, hostname verification can take one of the following values:

                  • Strict
                  • Browser-compatible
                  • Skip

                   

                  These values indicate how the agent will compare the certificate CN with the remote host.

                   

                  Sorry for being unclear Thomas, what I meant was, it looks like we need to use "Skip" to have it working at all. The others fail.

                   

                  I am not sure yet why Strict fails, since we have the CN matching the host name where the agent is running, and the certificate is signed by a CA which is in the truststore specified. I do have a nagging suspicion it tries to match the bind address (0.0.0.0) of Jboss, with the hostname in the certificate. Default we set all jboss.server.management.address values to 0.0.0.0 and I guess the agent thinks this is the hostname? I might be wrong here.

                   

                  I've tried looking in the logs to figure why it fails but it does not log anything. I might do a trace of javax.ssl to see why it fails once I get the time.

                  • 6. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                    tsegismont
                    I am not sure yet why Strict fails, since we have the CN matching the host name where the agent is running, and the certificate is signed by a CA which is in the truststore specified. I do have a nagging suspicion it tries to match the bind address (0.0.0.0) of Jboss, with the hostname in the certificate. Default we set all jboss.server.management.address values to 0.0.0.0 and I guess the agent thinks this is the hostname? I might be wrong here.

                     

                    The CN needs to match the value of "hostname" in the server config properties, because it's the value of the "hostname" property which is used to build the https management URL.

                    • 7. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                      pathduck

                      The CN needs to match the value of "hostname" in the server config properties, because it's the value of the "hostname" property which is used to build the https management URL.

                       

                      Ok - I am not sure where this is actually set, and when you say server, do you mean the RHQ Server, not the AS7 Jboss?

                       

                      For Jboss we use:

                      jboss.bind.address.management=0.0.0.0

                       

                      The default is

                      jboss.bind.address.management=127.0.0.1

                       

                      None of these match the CN of the host obviously.

                       

                      The SSL client in this context is the Agent and it needs to trust the certificate of the RHQ Server, or do you mean the cert of the JBoss server? I was assuming the connection would be RHQ Agent -> JBoss AS7.

                       

                      I am not all that good with SSL, but I know the basics. In my experience the genereal lack of knowledge about how to set up SSL to work is a big issue as certainly a lot of those who work in operations have very little knowledge here. I suspect you will get a lot more questions after this change

                      • 8. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                        tsegismont

                        I was talking about the "hostname" property in the AS7 resource connection settings page.

                        • 9. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                          pathduck

                          Ok, so I have the following with Hostname verification enabled.

                           

                          Does not work (the default):

                          RHQ1.png

                           

                          Works but I have to manually set it for all servers:

                          RHQ2.png

                          We have up to a hundred AS7 definied in RHQ so this would be a lot of work to enable SSL individually for each server.

                           

                          These are the SSL truststore settings:

                          RHQ3.png

                          I have selected Skip here because it's the only way I can make it work.

                          • 10. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                            tsegismont

                            If your servers already in inventory ended with the "Secure" connection setting set to true when you upgraded to 4.10, that's a bug. But I don't think it happened, did it?

                             

                            Now for new servers in the discovery queue, yes, if they have a configured https interface you have no other choice than manually updating the truststore location/type ... etc

                             

                            In your case, the "hostname" connection setting is likely discovered by looking at this standalone XML node: /server/interfaces/interface[@name="https"]/inet-address . The value must be something like: ${jboss.bind.address.management:localhost}. That's be best we can do currently to chose an initial value for the "hostname" property.

                            1 of 1 people found this helpful
                            • 11. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                              pathduck

                              Thanks Thomas,

                              that clears it up a bit - you are right about the already inventoried servers, they are OK.

                              Just new ones are SSL by default.

                               

                              I have no problem updating the truststore/password etc, since these are basically the same for every single Jboss server. The problem is that for SSL i also have to set the hostname for every host. Probably I can use the "group" of AS7 on each host to set it for all servers. But the port is also an issue and has to be individually set.

                               

                               

                              In Jboss AS7 standalone.xml I have:

                               

                                  <interface name="management">
                                      <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
                                  </interface>

                               

                              This is basically the default, and then we set jboss.bind.address.mangement as a JVM property in standalone.conf to 0.0.0.0.

                               

                              Is there no way to have the agent use its own hostname to then verify the SSL cert? Because logically, an agent would always run on the same machine as the AS.

                              Then hostname verification would not fail with 0.0.0.0 or 127.0.0.1.

                               

                              Agents also have the property "Agent Bind Address" but this is usually the IP so it would also fail comparing the CN.

                              • 12. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                                tsegismont

                                Stian Lund a écrit:

                                Is there no way to have the agent use its own hostname to then verify the SSL cert? Because logically, an agent would always run on the same machine as the AS.

                                Then hostname verification would not fail with 0.0.0.0 or 127.0.0.1.

                                No there isn't... When we will implement two-phase discovery, you'll be able to adjust the "hostname" connection setting before the resource goes in the inventory.

                                • 13. Re: 4.10 - Now SSL to AS7 by default, why was this decided?
                                  pathduck

                                  Ok - I think I'll have to live with using "Skip" and possibly just using http until then