Domain-Slave certificate-based authentication
kclair-rei Apr 25, 2013 3:27 PM
I am running JBoss EAP 6.0.1.GA (AS 7.1.3.Final-redhat-4) in domain mode. The domain controller and slaves are running on separate servers.
I'm trying to set up authentication through SSL certificates only between my domain controller and slaves, but then authentication is not working. I am using the self-signed certificates created by keytool.
On the domain controller, I have the following keystores and keystore content:
# /usr/java/jdk7/bin/keytool -list -keystore domain_controller.keystore.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

master, Apr 24, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 42:A6:AA:6C:B4:1F:0F:18:B1:7B:BE:AF:7C:5F:4E:DD:F8:32:0A:A5

# /usr/java/jdk7/bin/keytool -list -keystore truststore.keystore.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

master, Apr 24, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 42:A6:AA:6C:B4:1F:0F:18:B1:7B:BE:AF:7C:5F:4E:DD:F8:32:0A:A5
slave1, Apr 24, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 9C:34:44:B8:A1:2A:60:1F:DF:2D:70:40:50:14:72:34:AA:E7:43:10
And the following in host.xml:
<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore alias="master" path="/my/path/to/domain_controller.keystore.jks" keystore-password="keystorepass"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="/my/path/to/truststore.keystore.jks" password="truststorepass"/>
    </authentication>
</security-realm>
...
<native-interface security-realm="ManagementRealm">
    <socket interface="management" port="${jboss.management.native.port:9999}"/>
</native-interface>
The domain controller and management interface on port 9999 start fine.
On the slave, I have the identical truststore as on the master (containing both certs), and I have the following keystore and content:
# /usr/java/jdk7/bin/keytool -list -keystore as.keystore.jks
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

slave1, Apr 24, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 9C:34:44:B8:A1:2A:60:1F:DF:2D:70:40:50:14:72:34:AA:E7:43:10
And the following configuration in host.xml:
<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore alias="slave1" path="/path/to/my/as.keystore.jks" keystore-password="keystorepass"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="/path/to/my/truststore.keystore.jks" password="truststorepass"/>
    </authentication>
</security-realm>
...
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket interface="management" port="${jboss.management.native.port:9999}"/>
    </native-interface>
</management-interfaces>
...
<domain-controller>
    <remote host="master" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
</domain-controller>
The slave is able to connect to port 9999 on the master, but then logs the following error:
javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
So I would assume that something is not set up correctly regarding the truststore, but I am not sure what...
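A consistency check for the trust material in a setup like the one above, as an added example that is not part of the original post and not JBoss code. It parses `keytool -list` output and the `<security-realm>` fragments from host.xml, then verifies that the alias each host.xml selects is a PrivateKeyEntry in that host's keystore and that each host's certificate fingerprint is a trustedCertEntry in the other host's truststore. The listings and fragments are embedded as constructed strings copied from the post; the slave's truststore listing is constructed as identical to the master's, as the post states, and `SLAVE_ONLY_TRUSTSTORE` is a hypothetical listing used only to show what a missing peer certificate looks like. On the posted listings the check passes, so whatever is failing is not a missing or mismatched fingerprint in the stores; the check says nothing about which SASL mechanisms the native interface actually offers for a truststore-only realm.

```python
"""Cross-check keystore/truststore contents against host.xml for a JBoss
domain controller and slave (added example, not JBoss's own tooling)."""
import re
import xml.etree.ElementTree as ET

# One entry of `keytool -list`: "<alias>, <Mon D, YYYY>, <kind>," then the fingerprint line.
ENTRY_RE = re.compile(
    r"(?P<alias>[\w.-]+), (?P<date>[A-Za-z]{3} \d{1,2}, \d{4}), "
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry),\s+"
    r"Certificate fingerprint \((?P<algo>[A-Z0-9]+)\): "
    r"(?P<fp>(?:[0-9A-F]{2}:)+[0-9A-F]{2})"
)

# Constructed inputs copied from the post above.
MASTER_FP = "42:A6:AA:6C:B4:1F:0F:18:B1:7B:BE:AF:7C:5F:4E:DD:F8:32:0A:A5"
SLAVE_FP = "9C:34:44:B8:A1:2A:60:1F:DF:2D:70:40:50:14:72:34:AA:E7:43:10"
HEADER = "Keystore type: JKS\nKeystore provider: SUN\n\n"
MASTER_KEYSTORE = HEADER + "Your keystore contains 1 entry\n\n" \
    f"master, Apr 24, 2013, PrivateKeyEntry,\nCertificate fingerprint (SHA1): {MASTER_FP}\n"
SLAVE_KEYSTORE = HEADER + "Your keystore contains 1 entry\n\n" \
    f"slave1, Apr 24, 2013, PrivateKeyEntry,\nCertificate fingerprint (SHA1): {SLAVE_FP}\n"
SHARED_TRUSTSTORE = HEADER + "Your keystore contains 2 entries\n\n" \
    f"master, Apr 24, 2013, trustedCertEntry,\nCertificate fingerprint (SHA1): {MASTER_FP}\n" \
    f"slave1, Apr 24, 2013, trustedCertEntry,\nCertificate fingerprint (SHA1): {SLAVE_FP}\n"
# Hypothetical truststore that forgot the master's certificate (constructed for the negative case).
SLAVE_ONLY_TRUSTSTORE = HEADER + "Your keystore contains 1 entry\n\n" \
    f"slave1, Apr 24, 2013, trustedCertEntry,\nCertificate fingerprint (SHA1): {SLAVE_FP}\n"

MASTER_REALM = """<security-realm name="ManagementRealm">
  <server-identities><ssl>
    <keystore alias="master" path="/my/path/to/domain_controller.keystore.jks" keystore-password="keystorepass"/>
  </ssl></server-identities>
  <authentication><truststore path="/my/path/to/truststore.keystore.jks" password="truststorepass"/></authentication>
</security-realm>"""
SLAVE_REALM = MASTER_REALM.replace('alias="master" path="/my/path/to/domain_controller.keystore.jks"',
                                   'alias="slave1" path="/path/to/my/as.keystore.jks"')

POSTED = {"master": (MASTER_REALM, MASTER_KEYSTORE, SHARED_TRUSTSTORE),
          "slave": (SLAVE_REALM, SLAVE_KEYSTORE, SHARED_TRUSTSTORE)}


def parse_keytool_list(text):
    """Map alias -> (entry kind, fingerprint) for every entry in `keytool -list` output."""
    return {m["alias"]: (m["kind"], m["fp"]) for m in ENTRY_RE.finditer(text)}


def parse_realm(fragment):
    """Return (keystore alias, keystore path, truststore path) from a <security-realm> fragment."""
    realm = ET.fromstring(fragment)
    keystore = realm.find("./server-identities/ssl/keystore")
    truststore = realm.find("./authentication/truststore")
    if keystore is None or truststore is None:
        raise ValueError("realm needs an <ssl><keystore> identity and an <authentication><truststore>")
    return keystore.get("alias"), keystore.get("path"), truststore.get("path")


def side_identity(realm_fragment, keystore_listing):
    """Fingerprint of the key pair host.xml selects as this host's SSL identity."""
    alias, ks_path, _ = parse_realm(realm_fragment)
    kind, fp = parse_keytool_list(keystore_listing).get(alias, ("missing", None))
    if kind != "PrivateKeyEntry":
        raise ValueError(f"alias {alias!r} in {ks_path} is {kind}; the identity must be a PrivateKeyEntry")
    return fp


def trusted_fingerprints(truststore_listing):
    """Fingerprints the truststore will accept from a peer."""
    return {fp for kind, fp in parse_keytool_list(truststore_listing).values() if kind == "trustedCertEntry"}


def check_mutual_trust(sides):
    """sides: {"master": (realm xml, keystore listing, truststore listing), "slave": (...)}.
    Returns a list of problems; an empty list means each host has a private key for its
    configured alias and each host's truststore contains the other host's certificate."""
    problems, identity = [], {}
    for name, (realm, keystore, _) in sides.items():
        try:
            identity[name] = side_identity(realm, keystore)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for name, peer in (("master", "slave"), ("slave", "master")):
        if peer in identity and identity[peer] not in trusted_fingerprints(sides[name][2]):
            problems.append(f"{name}: truststore lacks {peer}'s certificate ({identity[peer]})")
    return problems


if __name__ == "__main__":
    print("posted config:", check_mutual_trust(POSTED) or "consistent")
    broken = dict(POSTED, slave=(SLAVE_REALM, SLAVE_KEYSTORE, SLAVE_ONLY_TRUSTSTORE))
    print("slave without master cert:", check_mutual_trust(broken))
```

Run it against real `keytool -list` output by reading the listings from files instead of the embedded strings; the parser accepts both the one-line-per-entry form shown in the post and keytool's usual two-line form, and it ignores anything that is not an entry.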