6 Replies Latest reply on Jun 29, 2017 4:29 PM by jon_royer

    Jboss eap 7.0 Configuration management interfaces with ldap

    perob_99
    perob_99 Feb 17, 2017 6:26 AM

      In installation jboss aep 7.0 running in domain mode, I configured the management console on port 9993 in https, now I would like configure the authentication by an external ldap server without ssl between jboss-->ldap server.

      I executed the following steps in console CLI:

      /host=master/core-service=management/ldap-connection=ldap-connection/:add(search-credential=password,url=ldap://IP_LDAP:389,search-dn="cn=Manager,dc=example,dc=net")

      reload

      /host=master/core-service=management/security-realm=ldap-security-realm:add

      /host=master/core-service=management/security-realm=ldap-security-realm/authentication=ldap:add(connection="ldap-connection",base-dn="dc=example,dc=net",username-attribute="uid"

      reload

      /host=master/core-service=management/management-interface=http-interface/:write-attribute(name=security-realm,value="ldap-security-realm")

      reload

       

      When the server restart there is the follow message in console.log:

      2017-02-17 11:43:47,711 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.serverManagement.controller.management.http: org.jboss.msc.service.StartException in service jboss.serverManagement.controller.management.http: WFLYSRV0083: Failed to start the http-interface service

      ...

      Caused by: java.lang.IllegalArgumentException: WFLYDMHTTP0012: A secure socket has been defined for the HTTP interface, however the referenced security realm is not supplying a SSLContext.

       

      in host-master.xml there is this configuration for management-interface:

          <management-interfaces>
              <native-interface security-realm="CertificateRealm">
                  <socket interface="management" port="${jboss.management.native.port:9999}"/>
              </native-interface>
              <http-interface security-realm="ldap-security-realm" http-upgrade-enabled="true">
                  <socket interface="management" secure-port="9993"/>
              </http-interface>
          </management-interfaces>

       

      Can you help me to find the solution of the problem ?

      Thanks in advance

      • 4050 Views
      • Categories: Secure
      • Tags:
        • 1. Re: Jboss eap 7.0 Configuration management interfaces with ldap
          mchoma
          mchoma Feb 17, 2017 6:32 AM (in response to perob_99)

          In ldap-security-realm you have to configure server-identities/ssl as well.

          So that your configuration will look similar to

          <server-identities>

              <ssl>

                  <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server"/>

              </ssl>

          </server-identities>

            • Actions
          • 2. Re: Jboss eap 7.0 Configuration management interfaces with ldap
            perob_99
            perob_99 Feb 17, 2017 11:19 AM (in response to mchoma)

            Thanks,now It connect to ldap server.

            Probably I'm testing to authenticate with an ldap server is not properly configured, but I would like to understand if the user authenticates ldap must also be present in mgmt-users.properties and mgmt-groups.properties files.

              • Actions
            • 3. Re: Jboss eap 7.0 Configuration management interfaces with ldap
              mchoma
              mchoma Feb 20, 2017 1:12 AM (in response to perob_99)

              User authenticated with LDAP does not need to be in mgmt-users.properties.

                • Actions
              • 4. Re: Jboss eap 7.0 Configuration management interfaces with ldap
                perob_99
                perob_99 Feb 22, 2017 5:00 AM (in response to mchoma)

                When I insert username and password for authentication in CLI management with external ldap server I have only this messages:

                PLAIN: Server rejected authentication without other messages in console.log

                 

                Can I configure a trace log for for view the real parameter send to server ldap ?

                 

                In search-credential I have a password with & that in file host-master.xml becomes &amp; , is this correct ?

                 

                Thanks

                  • Actions
                • 5. Re: Jboss eap 7.0 Configuration management interfaces with ldap
                  perob_99
                  perob_99 Feb 22, 2017 5:56 AM (in response to perob_99)

                  I would add others informations, I configured the management in htttps on secure port 9993 and after I configured basic ldap.

                  I add also the add in tag <security-realm name="ldap-security-realm" the tag for certificate like this:

                   

                              <server-identities>
                                  <ssl>
                                      <keystore path="/certs/master.keystore.jks" relative-to="jboss.domain.config.dir" keystore-password="secret" alias="master_alias"/>
                                  </ssl>
                              </server-identities>

                   

                  Is it correct ?

                    • Actions
                  • 6. Re: Jboss eap 7.0 Configuration management interfaces with ldap
                    jon_royer
                    jon_royer Jun 29, 2017 4:29 PM (in response to perob_99)

                    Little late with the answer 5 months, but I just want to put it out there.  Below is what my host-master.xml looks like, and don't forget to update your jboss-cli.sh from port 9990 to 9993 and http-remoting to  https-remoting mchoma Your solution to the first part on this got me moving in the right direction when I hit a road block Thanks!

                     

                    Roberto,

                    Not sure how you setup your LDAP is setup but I will give you segement of mine as an example. 

                            <security-realm>

                              <security-realm name="ldap_security_realm">

                                    <server-identities>

                                        <ssl>

                                            <keystore path="https_CERT.jks" relative-to="jboss.domain.config.dir" keystore-password="${VAULT::keystore::KeyStore::1}" alias="test"/>

                                        </ssl>

                                    </server-identities>

                                    <authentication>

                                        <ldap connection="ldap-connection" base-dn="dc=domain,dc=com" recursive="true">

                                            <username-filter attribute="saMAccountName"/>

                                        </ldap>

                                    </authentication>

                                </security-realm>

                     

                            <outbound-connections>

                                <ldap name="ldap-connection" url="ldap://LDAP.Server.com:389" search-dn="cn=UserID.UserID,ou=Service Accounts,dc=domain,dc=com" search-credential="${VAULT::LDAP::PASSWORD::1}"/>

                            </outbound-connections>

                     

                    <management-interfaces>

                                <native-interface security-realm="ManagementRealm">

                                    <socket interface="management" port="${jboss.management.native.port:9999}"/>

                                </native-interface>

                                <http-interface security-realm="ldap_security_realm" http-upgrade-enabled="true">

                                    <socket interface="management" secure-port="9993"/>

                                </http-interface>

                            </management-interfaces>

                        </management>

                      • Actions