1 Reply Latest reply on Apr 10, 2014 9:02 AM by dlofthouse

    Keystore/Truststore configuration in standalone.xml not working

    haukeh
    haukeh Apr 10, 2014 5:06 AM

      Hello everyone,

       

      I am trying to secure my application on Wildfly 8.0 with LDAP authentication. I am using the LdapLoginModule in a security domain and I have declared a new security realm with the SSL configuration as explained in LDAP Security Realm Examples.


      The relevant parts of my standalone.xml are looking as follows:  


      ....
<security-realm name="LdapSSLRealm">
  <server-identities>
    <ssl>
      <keystore path="wildfly.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword"/>
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="wildfly-ts.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword"/>
    <jaas name="MyLdapSecurityDomain"/>
  </authentication>
</security-realm>
...

       

      <subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
                <security-domain name="MyLdapSecurityDomain" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <module-option name="java.naming.provider.url" value="ldaps://ds.mycompany.de"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="principalDNPrefix" value="uid="/>
                            <module-option name="principalDNSuffix" value=",ou=people,dc=mycompany,dc=de"/>
                        </login-module>
                    </authentication>
                </security-domain>
            </security-domains>
 </subsystem>

       

             <subsystem xmlns="urn:jboss:domain:remoting:2.0">
            <endpoint worker="default"/>
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="LdapSSLRealm"/>
        </subsystem>

       

      In the jboss-web.xml I have the following configuration:

       

      <jboss-web>
    <context-root>/</context-root>
    <security-domain>MyLdapSecurityDomain</security-domain>
</jboss-web>

       

      And web.xml contains, amongst other stuff, this:

       

         <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>LdapSSLRealm</realm-name>
    </login-config>

       

      So when I try to log in now, I get this beautiful exception:

       

      DEBUG [org.jboss.security] (default task-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
  at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final]

       

      After a VERY long time of investigation, I found out that this has nothing to do with the password whatsoever. The problem is, that the keystore/truststore configured in the standalone.xml does not get picked up and so the certficate of the LDAP Server is unknown. What I then tried, was simply adding the keystore information as a system property to the standalone.sh script:

       

      ./standalone.sh -Djavax.net.ssl.trustStore=/path/to/server.truststore -Djavax.net.ssl.trustStorePassword=mypassword

       

      This did the trick and the LDAP connection was successful. So now I am wondering if my configuration in standalone.xml is somehow wrong, or if this is maybe a bug? I would really appreciate your input, as providing the trustStore parameters is am ok-ish solution but I am really interested why the "standard" way is not working.

       

      Kind regards,

      Hauke

        • 1. Re: Keystore/Truststore configuration in standalone.xml not working
          dlofthouse
          dlofthouse Apr 10, 2014 9:02 AM (in response to haukeh)

          It depends what you are trying to achieve here, from reading your description I am not sure if you are mixing together a few similar but competing concepts which may be why you are not getting the results you require.

           

          The SSL portion of the LdapSSLRealm you have defined is actually unlikely to be used based on your configuration, you have referenced it in your Remoting configuration but as it is HTTP remoting it will rely on the SSL settings for Undertow.

           

          Within the login-config section of your web.xml this is not a reference to the security realm defintion, this is just a name that can be presented to the remote user with the challenge.

           

          The login module that you are using is the original LDAP login module for LDAP authentication, I don't have the source to hand to double check at the moment but I don't believe that has any special support for SSL other than using the system properties you have already listed.

           

          One option you could have is to move all of the LDAP authentication configuration into the security realms, that way it would be possible to  use an outbound LDAP connection that references a security realm to obtain it's SSL settings, from the security domain you could then use the RealmDirectLoginModule to delegate all authentication to the realm.

            • Actions