0 Replies Latest reply on Aug 24, 2016 2:12 AM by computate

    Kerberos data-source for Wildfly 10

    computate

      Hello,


      I have successfully connected my Kerberos authentication into my management realm to log in with Kerberos and LDAP through my FreeIPA server. I have successfully set up my postgres instance to use Kerberos as well. Now I am attempting to set up a datasource in Wildfly 10 to connect to my postgresql database using Kerberos, but I can't find the right configuration. I always end up with this error when starting my server:


      Aug 23 23:32:46 blaye-web1 standalone.sh: #033[0m#033[31m23:32:46,559 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()PBOX00016: Access denied: authentication failed: java.lang.SecurityException: PBOX00016: Access denied: authentication failed
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.core.security.picketbox.PicketBoxSubjectFactory.createSubject(PicketBoxSubjectFactory.java:66)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1451)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1446)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at java.security.AccessController.doPrivileged(Native Method)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1445)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:766)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:312)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:364)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:145)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      Aug 23 23:32:46 blaye-web1 standalone.sh: at java.lang.Thread.run(Thread.java:745)

      These are the relevant parts of my standalone.xml configuration, with several commented-out attempts to get it right. I have a "keycloak" database, a "keycloak@SOMETHING.COM" Kerberos user and a "keycloak/keycloak.something.com@SOMETHING.COM" service, both of which I have keytabs for and have attempted to use for authentication. If anyone can find what is wrong in my configuration of Kerberos datasources, I would be very grateful!


      <?xml version="1.0" encoding="UTF-8"?>
      <server xmlns="urn:jboss:domain:4.0">
          <system-properties>
              <property name="java.security.krb5.realm" value="SOMETHING.COM"/>
              <property name="java.security.krb5.kdc" value="ipa.something.com"/>
              <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
              <property name="java.security.krb5.debug" value="true"/>
          </system-properties>
          <management>
              <security-realms>
                  <security-realm name="UndertowRealm">
                      <server-identities>
                          <ssl>
                              <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="password" alias="1" key-password="password"/>
                          </ssl>
                      </server-identities>
                  </security-realm>
                  <security-realm name="ManagementRealm">
                      <server-identities>
                          <ssl>
                              <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="password" alias="1" key-password="password"/>
                          </ssl>
                          <kerberos>
                              <keytab principal="http/keycloak.something.com@SOMETHING.COM" path="http.keytab" relative-to="jboss.server.config.dir" debug="true"/>
                          </kerberos>
                      </server-identities>
                      <authentication>
                          <kerberos/>
                          <ldap connection="ldap" base-dn="dc=something,dc=com" recursive="true">
                              <username-filter attribute="uid"/>
                          </ldap>
                      </authentication>
                      <authorization>
                          <ldap connection="ldap">
                              <username-to-dn>
                                  <username-filter base-dn="ou=users,dc=principal-to-group,dc=something,dc=com" recursive="false" attribute="uid" user-dn-attribute="dn"/>
                              </username-to-dn>
                              <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="uid">
                                  <principal-to-group group-attribute="memberOf"/>
                              </group-search>
                          </ldap>
                      </authorization>
                  </security-realm>
              </security-realms>
          </management>
          <profile>
              <subsystem xmlns="urn:jboss:domain:datasources:4.0">
                  <datasources>
                      <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
                          <!--<connection-url>jdbc:postgresql://postgres.something.com/keycloak?kerberosServerName=postgres&amp;jaasApplicationName=KerberosDataSourceLoginModule</connection-url>-->
                          <!--<connection-url>jdbc:postgresql://postgres.something.com/keycloak?authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=keycloak@SOMETHING.COM</connection-url>-->
                          <!--<connection-url>jdbc:postgresql://postgres.something.com/keycloak?authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=keycloak@SOMETHING.COM</connection-url>-->
                          <connection-url>jdbc:postgresql://postgres.something.com/keycloak</connection-url>
                          <driver>postgresql</driver>
                          <pool>
                              <max-pool-size>20</max-pool-size>
                          </pool>
                          <security>
                              <!--<user-name>keycloak@SOMETHING.COM</user-name>-->
                              <!--<security-domain>KerberosDataSourceSecurityDomain</security-domain>-->
                              <security-domain>KerberosDataSourceSecurityDomain</security-domain>
                          </security>
                      </datasource>
                      <drivers>
                          <driver name="postgresql" module="org.postgresql">
                              <xa-datasource-class>org.postgresql.Driver</xa-datasource-class>
                          </driver>
                      </drivers>
                  </datasources>
              </subsystem>
              <subsystem xmlns="urn:jboss:domain:security:1.2">
                  <security-domains>
                      <security-domain name="host" cache-type="default">
                          <authentication>
                              <login-module code="Kerberos" flag="required">
                                  <module-option name="debug" value="true"/>
                                  <module-option name="storeKey" value="true"/>
                                  <module-option name="useKeyTab" value="true"/>
                                  <module-option name="principal" value="http/keycloak.something.com@SOMETHING.COM"/>
                                  <module-option name="keyTab" value="http.keytab"/>
                                  <module-option name="doNotPrompt" value="true"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="KerberosDataSourceSecurityDomain" cache-type="default">
                          <authentication>
                              <login-module code="Kerberos" flag="required">
                                  <module-option name="debug" value="true"/>
                                  <module-option name="storeKey" value="true"/>
                                  <module-option name="userName" value="keycloak@SOMETHING.COM"/>
                                  <module-option name="useKeyTab" value="true"/>
                                  <!--<module-option name="principal" value="keycloak/keycloak.something.com@SOMETHING.COM"/>-->
                                  <module-option name="principal" value="keycloak@SOMETHING.COM"/>
                                  <!--<module-option name="keyTab" value="keycloak-service.keytab"/>-->
                                  <module-option name="keyTab" value="keycloak-user.keytab"/>
                                  <module-option name="doNotPrompt" value="true"/>
                                  <module-option name="useTicketCache" value="false"/>
                                  <module-option name="ticketCache" value="/tmp/krb"/>
                                  <module-option name="refreshKrb5Config" value="true"/>
                                  <module-option name="isInitiator" value="true"/>
                                  <module-option name="addGSSCredential" value="true"/>
                                  <module-option name="delegationCredential" value="USE"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <!--<security-domain name="SPNEGO" cache-type="default">-->
                      <security-domain name="SOMETHING.COM" cache-type="default">
                          <authentication>
                              <!-- Check the username and password -->
                              <login-module code="SPNEGO" flag="requisite">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                                  <module-option name="serverSecurityDomain" value="host"/>
                              </login-module>
                              <!-- Search for roles -->
                              <login-module code="UserRoles" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                                  <module-option name="usersProperties" value="spnego-users.properties"/>
                                  <module-option name="rolesProperties" value="spnego-roles.properties"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                  </security-domains>
              </subsystem>
          </profile>
      </server>
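A small configuration check for the Kerberos login-module options in a security domain like the one above, added here as an example (it is not the poster's code and not part of WildFly). It applies the constraints the JDK Krb5LoginModule documentation states (ticketCache requires useTicketCache=true, keyTab requires useKeyTab=true, doNotPrompt requires one of the two) and flags a relative keyTab path, which the JVM opens relative to its working directory rather than jboss.server.config.dir; the XML is a constructed excerpt mirroring the post's KerberosDataSourceSecurityDomain.

```python
import xml.etree.ElementTree as ET

SEC_NS = "urn:jboss:domain:security:1.2"
# Constructed sample: the Kerberos login module of the post's datasource domain, trimmed.
SAMPLE_XML = f"""<subsystem xmlns="{SEC_NS}">
  <security-domains>
    <security-domain name="KerberosDataSourceSecurityDomain" cache-type="default">
      <authentication>
        <login-module code="Kerberos" flag="required">
          <module-option name="useKeyTab" value="true"/>
          <module-option name="principal" value="keycloak@SOMETHING.COM"/>
          <module-option name="keyTab" value="keycloak-user.keytab"/>
          <module-option name="doNotPrompt" value="true"/>
          <module-option name="useTicketCache" value="false"/>
          <module-option name="ticketCache" value="/tmp/krb"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

def kerberos_options(xml_text, domain_name):
    """Options of the first code="Kerberos" login module in the named domain, or None."""
    root = ET.fromstring(xml_text)
    for dom in root.iter(f"{{{SEC_NS}}}security-domain"):
        if dom.get("name") != domain_name:
            continue
        for lm in dom.iter(f"{{{SEC_NS}}}login-module"):
            if lm.get("code") == "Kerberos":
                return {o.get("name"): o.get("value")
                        for o in lm.iter(f"{{{SEC_NS}}}module-option")}
    return None

def check_options(opts):
    """Findings against the option constraints the JDK Krb5LoginModule documents."""
    on = lambda k: opts.get(k, "false").strip().lower() == "true"
    findings = []
    if "ticketCache" in opts and not on("useTicketCache"):
        findings.append("ticketCache is set but useTicketCache is not true")
    if "keyTab" in opts and not on("useKeyTab"):
        findings.append("keyTab is set but useKeyTab is not true")
    if on("doNotPrompt") and not (on("useTicketCache") or on("useKeyTab")):
        findings.append("doNotPrompt=true needs useTicketCache or useKeyTab")
    keytab = opts.get("keyTab", "")
    if keytab and not keytab.startswith(("/", "file:")):
        findings.append(f"keyTab '{keytab}' is relative: the JVM resolves it "
                        "against its working directory, not jboss.server.config.dir")
    return findings
```

Run it against the whole `<subsystem xmlns="urn:jboss:domain:security:1.2">` block of a standalone.xml; an empty list only means none of the documented option conflicts is present, not that the keytab itself contains the principal.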