-
30. Re: How to use SSL/TLS encryption and database authorization/authentication to call EJB in WildFly 8 CR1?
xibo_flair Nov 2, 2016 11:04 AM (in response to damian.petrecki)
This is extremely helpful. I failed because I have the following property configured.
prop.put("remote.connection.default.connect.options.org.xnio.Options.SSL_PROTOCOL", "TLSv1.2");
Once I commented it out, I saw the following in the SSL handshake debug messages:
*** CertificateRequest
*** ServerHelloDone
matching alias: ***
*** Certificate chain
However, it's still requesting the client to provide username and password and satisfy the PLAIN mechanism. Is it possible to propagate the certificate information to the JAAS so that my LDAP login module can lookup the roles for the CN of the certificate?
-
31. Re: How to use SSL/TLS encryption and database authorization/authentication to call EJB in WildFly 8 CR1?
dmlloyd Nov 2, 2016 12:26 PM (in response to xibo_flair)
If you want to do certificate-only authentication, I believe you have to select the EXTERNAL SASL mechanism.
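As an added illustration of what selecting EXTERNAL looks like on the client side (this is not code from any participant in the thread): the same jboss-ejb-client Properties style as post 30, with the connection put on TLS and SASL negotiation restricted to EXTERNAL. Host, port, store paths, passwords and the jboss-ejb-client 2.x selector calls are assumptions; whether the remoting client in use actually provides a SaslClientFactory for EXTERNAL is a separate question, as the following posts show.

```java
import java.util.Properties;

import org.jboss.ejb.client.EJBClientConfiguration;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

// Added example (not code from this thread): client-side properties that put the
// remoting connection on TLS and restrict SASL negotiation to EXTERNAL, so the
// identity comes from the client certificate rather than a PLAIN username/password.
// Host, port, store paths and passwords below are placeholders.
public class ExternalSaslClientConfig {

    private static final String OPT = "remote.connection.default.connect.options.org.xnio.Options.";

    public static Properties build(String host, int port) {
        Properties prop = new Properties();
        prop.put("endpoint.name", "config-based-ejb-client-endpoint");
        prop.put("remote.connections", "default");
        prop.put("remote.connection.default.host", host);
        prop.put("remote.connection.default.port", Integer.toString(port));

        // TLS on the connection. SSL_PROTOCOL is deliberately NOT pinned: post 30
        // above reports the handshake only completed after that property was removed.
        prop.put(OPT + "SSL_ENABLED", "true");

        // Offer EXTERNAL only and forbid the local-user mechanism, so the client
        // cannot silently fall back to a password mechanism such as PLAIN.
        prop.put(OPT + "SASL_MECHANISMS", "EXTERNAL");
        prop.put(OPT + "SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
        prop.put(OPT + "SASL_POLICY_NOPLAINTEXT", "true");
        return prop;
    }

    public static void main(String[] args) {
        // JSSE stores (placeholder paths): the key store holds the client certificate
        // whose CN the server maps to roles; the trust store holds the server CA.
        System.setProperty("javax.net.ssl.keyStore", "/path/to/client-keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "<keystore-password>");
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "<truststore-password>");

        // Install the configuration as the EJB client context selector
        // (jboss-ejb-client 2.x API, assumed here).
        EJBClientConfiguration cfg =
                new PropertiesBasedEJBClientConfiguration(build("wildfly.example.internal", 8443));
        EJBClientContext.setSelector(new ConfigBasedEJBClientContextSelector(cfg));
    }
}
```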
-
32. Re: How to use SSL/TLS encryption and database authorization/authentication to call EJB in WildFly 8 CR1?
xibo_flair Nov 2, 2016 12:41 PM (in response to dmlloyd)
Would you please elaborate more on how to select the EXTERNAL SASL mechanism?
I've removed the <JAAS> config from the security realm. The only remaining authentication mechanism there is <truststore> and <local>. Here's what I have in the client log:
TRACE: Client received capabilities response
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: version 1
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: remote endpoint name "win2k12r2image"
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: SASL mechanism EXTERNAL
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: SASL mechanism EXTERNAL added to allowed set
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: SASL mechanism JBOSS-LOCAL-USER
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: message close protocol supported
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: remote version is "4.0.21.Final"
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: remote channels in is "40"
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Client received capability: remote channels out is "40"
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Application Data, length = 70
Remoting "config-based-ejb-client-endpoint" I/O-1, called closeOutbound()
Remoting "config-based-ejb-client-endpoint" I/O-1, closeOutboundInternal()
Remoting "config-based-ejb-client-endpoint" I/O-1, SEND TLSv1.2 ALERT: warning, description = close_notify
Remoting "config-based-ejb-client-endpoint" I/O-1, WRITE: TLSv1.2 Alert, length = 64
Nov 02, 2016 12:34:54 PM org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities handleEvent
TRACE: Connection error detail
javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:114)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:449)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:241)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:198)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:112)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.ssl.JsseStreamConduit.run(JsseStreamConduit.java:446)
at org.xnio.ssl.JsseStreamConduit.readReady(JsseStreamConduit.java:547)
at org.xnio.ssl.JsseStreamConduit$2.readReady(JsseStreamConduit.java:319)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
It seems that in the ClientConnectionOpenListener, the saslClient cannot be instantiated because there's no such SaslClientFactory for the EXTERNAL mechanism.
-
33. Re: How to use SSL/TLS encryption and database authorization/authentication to call EJB in WildFly 8 CR1?
xibo_flair Nov 2, 2016 2:17 PM (in response to dmlloyd)
Does it mean I need to use the WildFly Elytron jar in my application?