Kerberos data-source for Wildfly 10
computate Aug 24, 2016 2:12 AM
Hello,
I have successfully connected my Kerberos authentication into my management realm to log in with Kerberos and LDAP through my FreeIPA server. I have successfully set up my Postgres instance to use Kerberos as well. Now I am attempting to set up a datasource in Wildfly 10 to connect using Kerberos to my PostgreSQL database, but I can't find the right configuration. I always end up with this error when starting my server:
Aug 23 23:32:46 blaye-web1 standalone.sh: 23:32:46,559 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()PBOX00016: Access denied: authentication failed: java.lang.SecurityException: PBOX00016: Access denied: authentication failed
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.core.security.picketbox.PicketBoxSubjectFactory.createSubject(PicketBoxSubjectFactory.java:66)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1451)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1446)
Aug 23 23:32:46 blaye-web1 standalone.sh: at java.security.AccessController.doPrivileged(Native Method)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1445)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:766)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:312)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:364)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:145)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
Aug 23 23:32:46 blaye-web1 standalone.sh: at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
Aug 23 23:32:46 blaye-web1 standalone.sh: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
Aug 23 23:32:46 blaye-web1 standalone.sh: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
Aug 23 23:32:46 blaye-web1 standalone.sh: at java.lang.Thread.run(Thread.java:745)
These are the relevant parts of my standalone.xml configuration, with several commented-out attempts to get it right. I have a "keycloak" database, and a "keycloak@SOMETHING.COM" Kerberos user and a "keycloak/keycloak.something.com@SOMETHING.COM" service that I have keytabs for, both of which I have attempted to use for authentication. If there is anyone who can find what is wrong in my configuration of Kerberos datasources, I would be very grateful!
<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:4.0">
    <system-properties>
        <property name="java.security.krb5.realm" value="SOMETHING.COM"/>
        <property name="java.security.krb5.kdc" value="ipa.something.com"/>
        <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
        <property name="java.security.krb5.debug" value="true"/>
    </system-properties>
    <management>
        <security-realms>
            <security-realm name="UndertowRealm">
                <server-identities>
                    <ssl>
                        <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="password" alias="1" key-password="password"/>
                    </ssl>
                </server-identities>
            </security-realm>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl>
                        <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="password" alias="1" key-password="password"/>
                    </ssl>
                    <kerberos>
                        <keytab principal="http/keycloak.something.com@SOMETHING.COM" path="http.keytab" relative-to="jboss.server.config.dir" debug="true"/>
                    </kerberos>
                </server-identities>
                <authentication>
                    <kerberos/>
                    <ldap connection="ldap" base-dn="dc=something,dc=com" recursive="true">
                        <username-filter attribute="uid"/>
                    </ldap>
                </authentication>
                <authorization>
                    <ldap connection="ldap">
                        <username-to-dn>
                            <username-filter base-dn="ou=users,dc=principal-to-group,dc=something,dc=com" recursive="false" attribute="uid" user-dn-attribute="dn"/>
                        </username-to-dn>
                        <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="uid">
                            <principal-to-group group-attribute="memberOf"/>
                        </group-search>
                    </ldap>
                </authorization>
            </security-realm>
        </security-realms>
    </management>
    <profile>
        <subsystem xmlns="urn:jboss:domain:datasources:4.0">
            <datasources>
                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
                    <!--<connection-url>jdbc:postgresql://postgres.something.com/keycloak?kerberosServerName=postgres&jaasApplicationName=KerberosDataSourceLoginModule</connection-url>-->
                    <!--<connection-url>jdbc:postgresql://postgres.something.com/keycloak?authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=keycloak@SOMETHING.COM</connection-url>-->
                    <!--<connection-url>jdbc:postgresql://postgres.something.com/keycloak?authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=keycloak@SOMETHING.COM</connection-url>-->
                    <connection-url>jdbc:postgresql://postgres.something.com/keycloak</connection-url>
                    <driver>postgresql</driver>
                    <pool>
                        <max-pool-size>20</max-pool-size>
                    </pool>
                    <security>
                        <!--<user-name>keycloak@SOMETHING.COM</user-name>-->
                        <!--<security-domain>KerberosDataSourceSecurityDomain</security-domain>-->
                        <security-domain>KerberosDataSourceSecurityDomain</security-domain>
                    </security>
                </datasource>
                <drivers>
                    <driver name="postgresql" module="org.postgresql">
                        <xa-datasource-class>org.postgresql.Driver</xa-datasource-class>
                    </driver>
                </drivers>
            </datasources>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
                <security-domain name="host" cache-type="default">
                    <authentication>
                        <login-module code="Kerberos" flag="required">
                            <module-option name="debug" value="true"/>
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="principal" value="http/keycloak.something.com@SOMETHING.COM"/>
                            <module-option name="keyTab" value="http.keytab"/>
                            <module-option name="doNotPrompt" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="KerberosDataSourceSecurityDomain" cache-type="default">
                    <authentication>
                        <login-module code="Kerberos" flag="required">
                            <module-option name="debug" value="true"/>
                            <module-option name="storeKey" value="true"/>
                            <module-option name="userName" value="keycloak@SOMETHING.COM"/>
                            <module-option name="useKeyTab" value="true"/>
                            <!--<module-option name="principal" value="keycloak/keycloak.something.com@SOMETHING.COM"/>-->
                            <module-option name="principal" value="keycloak@SOMETHING.COM"/>
                            <!--<module-option name="keyTab" value="keycloak-service.keytab"/>-->
                            <module-option name="keyTab" value="keycloak-user.keytab"/>
                            <module-option name="doNotPrompt" value="true"/>
                            <module-option name="useTicketCache" value="false"/>
                            <module-option name="ticketCache" value="/tmp/krb"/>
                            <module-option name="refreshKrb5Config" value="true"/>
                            <module-option name="isInitiator" value="true"/>
                            <module-option name="addGSSCredential" value="true"/>
                            <module-option name="delegationCredential" value="USE"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <!--<security-domain name="SPNEGO" cache-type="default">-->
                <security-domain name="SOMETHING.COM" cache-type="default">
                    <authentication>
                        <!-- Check the username and password -->
                        <login-module code="SPNEGO" flag="requisite">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="serverSecurityDomain" value="host"/>
                        </login-module>
                        <!-- Search for roles -->
                        <login-module code="UserRoles" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="usersProperties" value="spnego-users.properties"/>
                            <module-option name="rolesProperties" value="spnego-roles.properties"/>
                        </login-module>
                    </authentication>
                </security-domain>
            </security-domains>
        </subsystem>
    </profile>
</server>
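An added diagnostic, not part of the original post, that isolates whether the keytab and principal handed to the KerberosDataSourceSecurityDomain login module can obtain a TGT at all, independently of WildFly's datasource deployment: it runs the JDK's Krb5LoginModule with the same options the post passes to the Kerberos login module and reports whether a ticket landed in the Subject. The class name and the absolute keytab path are assumptions; it needs a reachable KDC and either /etc/krb5.conf or the java.security.krb5.realm and java.security.krb5.kdc system properties from the post.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Standalone keytab login check using the JDK Krb5LoginModule with the
// same options as the KerberosDataSourceSecurityDomain login module.
public class KeytabLoginCheck {

    // Assumed values: substitute the principal and keytab from your own standalone.xml.
    static final String PRINCIPAL = "keycloak@SOMETHING.COM";
    // Absolute path on purpose: a bare file name such as "keycloak-user.keytab" is
    // resolved against the JVM's working directory, not jboss.server.config.dir.
    static final String KEYTAB = "/opt/wildfly/standalone/configuration/keycloak-user.keytab";

    static Configuration keytabConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", KEYTAB);
        opts.put("principal", PRINCIPAL);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "true");
        opts.put("refreshKrb5Config", "true");
        opts.put("debug", "true");   // prints the KDC exchange and keytab lookup to stdout
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Returns the authenticated Subject, or throws LoginException carrying the KDC/keytab reason.
    static Subject login() throws LoginException {
        LoginContext lc = new LoginContext("KeytabCheck", null, null, keytabConfig());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject subject = login();
        System.out.println("Principals: " + subject.getPrincipals());
        // A TGT among the private credentials confirms the keytab key matched the KDC's key.
        boolean haveTgt = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        System.out.println("TGT obtained: " + haveTgt);
    }
}
```

Run it as the same OS user that starts WildFly so file permissions on the keytab are also exercised; if this succeeds but the datasource still fails with PBOX00016, the problem is in the datasource wiring rather than the keytab or principal.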