Keystore/Truststore configuration in standalone.xml not working
haukeh Apr 10, 2014 5:06 AM
Hello everyone,
I am trying to secure my application on Wildfly 8.0 with LDAP authentication. I am using the LdapLoginModule in a security domain and I have declared a new security realm with the SSL configuration as explained in LDAP Security Realm Examples.
The relevant parts of my standalone.xml are looking as follows:
....
<security-realm name="LdapSSLRealm">
    <server-identities>
        <ssl>
            <keystore path="wildfly.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="wildfly-ts.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword"/>
        <jaas name="MyLdapSecurityDomain"/>
    </authentication>
</security-realm>
...
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="MyLdapSecurityDomain" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldaps://ds.mycompany.de"/>
                    <module-option name="java.naming.security.authentication" value="simple"/>
                    <module-option name="principalDNPrefix" value="uid="/>
                    <module-option name="principalDNSuffix" value=",ou=people,dc=mycompany,dc=de"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:2.0">
    <endpoint worker="default"/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="LdapSSLRealm"/>
</subsystem>
In the jboss-web.xml I have the following configuration:
<jboss-web>
    <context-root>/</context-root>
    <security-domain>MyLdapSecurityDomain</security-domain>
</jboss-web>
And web.xml contains, amongst other stuff, this:
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>LdapSSLRealm</realm-name>
</login-config>
So when I try to log in now, I get this beautiful exception:
DEBUG [org.jboss.security] (default task-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final]
After a VERY long time of investigation, I found out that this has nothing to do with the password whatsoever. The problem is that the keystore/truststore configured in the standalone.xml does not get picked up and so the certificate of the LDAP server is unknown. What I then tried was simply adding the keystore information as a system property to the standalone.sh script:
./standalone.sh -Djavax.net.ssl.trustStore=/path/to/server.truststore -Djavax.net.ssl.trustStorePassword=mypassword
This did the trick and the LDAP connection was successful. So now I am wondering if my configuration in standalone.xml is somehow wrong, or if this is maybe a bug? I would really appreciate your input, as providing the trustStore parameters is an ok-ish solution, but I am really interested why the "standard" way is not working.
Kind regards,
Hauke
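A small configuration check, added here as an example and not part of the post or of WildFly, that reads a standalone.xml fragment and reports for each LDAP login module where its LDAPS trust actually comes from (the realm truststore versus the JVM-wide javax.net.ssl.trustStore property the post ended up using). The sample XML, the function names and the dict of -D properties are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the standalone.xml in the post (not a real server file).
SAMPLE_XML = """<server xmlns="urn:jboss:domain:2.0">
 <management><security-realms><security-realm name="LdapSSLRealm"><authentication>
  <truststore path="wildfly-ts.jks" relative-to="jboss.server.config.dir" keystore-password="x"/>
 </authentication></security-realm></security-realms></management>
 <profile><subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
  <security-domain name="MyLdapSecurityDomain"><authentication>
   <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.provider.url" value="ldaps://ds.mycompany.de"/>
    <module-option name="java.naming.security.authentication" value="simple"/>
   </login-module>
  </authentication></security-domain>
 </security-domains></subsystem></profile>
</server>"""

def local(tag):
    """Local name of an element tag, ignoring its XML namespace."""
    return tag.rsplit('}', 1)[-1]

def audit_ldap_modules(xml_text, jvm_props):
    """One finding per LDAP login module, saying where its TLS trust comes from.
    jvm_props: -D properties given to standalone.sh. Realm <truststore> paths are
    listed for context only: as the post observed, the module's outbound LDAPS
    connection ignores them and uses the JVM default (javax.net.ssl.trustStore).
    """
    root = ET.fromstring(xml_text)
    realm_ts = [ts.get('path') for ts in root.iter() if local(ts.tag) == 'truststore']
    findings = []
    for lm in root.iter():
        if local(lm.tag) != 'login-module' or 'Ldap' not in lm.get('code', ''):
            continue
        opts = {o.get('name'): o.get('value') for o in lm if local(o.tag) == 'module-option'}
        url = opts.get('java.naming.provider.url', '')
        if url.startswith('ldaps://') and 'javax.net.ssl.trustStore' in jvm_props:
            verdict, detail = 'ok', 'JVM trust store ' + jvm_props['javax.net.ssl.trustStore']
        elif url.startswith('ldaps://'):
            verdict, detail = 'fail', 'no JVM trust store; realm truststores %s unused' % realm_ts
        elif url.startswith('ldap://'):
            verdict, detail = 'warn', 'plaintext LDAP: a simple bind sends the password in clear'
        else:
            verdict, detail = 'warn', 'unrecognised provider URL'
        findings.append({'url': url, 'verdict': verdict, 'detail': detail})
    return findings

if __name__ == '__main__':
    for props in ({}, {'javax.net.ssl.trustStore': '/path/to/server.truststore'}):
        print(props, audit_ldap_modules(SAMPLE_XML, props))
```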