2 Replies Latest reply on Apr 27, 2017 5:36 AM by nurubhas

    host controller was not able to connect Domain controller After install the SSL in Management console.

    nurubhas

      Hi All,

       

      I have faced a small issue in my JBoss EAP environment after configuring SSL for the management console.

      I have two VMs (RHE Linux 6.4), named:

      1) Server1.example.com
      2) Server2.example.com

       

       

      I have installed JBoss EAP 6.3 on Server1 and Server2. I have chosen Server1 as the domain controller and Server2 as a slave machine.

      I have configured the domain and host.xml files, so both server1 and server2 are running as a horizontal cluster setup without any trouble, and I have tested cluster functionality as well.

       

      Issue came here:

       

      I have installed a self-signed certificate for the management console on Server1, and it is accessible at https://Server1IP:9443 without failure.

      When I start the host controller process on the slave machine (server2), I get an exception related to SSL failure.

      Reason: the slave machine is not able to communicate with the domain controller after installing the SSL certificates for the management console.

      Error:

      [Host Controller ]  JBAS010900 : Could not connect to remote domain controller at remote://remoteIP:9999 -- java.lang.IllegalStateException : JBAS016509: Unable to connect due to SSL failure.

       

      I am sharing here keystore details :

       

      [jbossas@server1 configuration]$ keytool -list -keystore domain.jks
      Enter keystore password:
      Keystore type: JKS
      Keystore provider: SUN

      Your keystore contains 3 entries

      slave2, Apr 26, 2017, trustedCertEntry,
      Certificate fingerprint (SHA1): F0:D9:44:2D:CA:25:1D:F5:65:7C:58:27:21:35:D7:62:ED:C7:45:A7
      slave1, Apr 26, 2017, trustedCertEntry,
      Certificate fingerprint (SHA1): 9B:91:C8:DF:20:D6:60:A0:28:F4:48:D8:37:72:95:68:FD:68:F1:59
      domain, Apr 26, 2017, PrivateKeyEntry,
      Certificate fingerprint (SHA1): B9:91:37:99:48:DC:B5:C3:94:1E:6D:86:AB:A8:66:E3:AB:34:31:58

       

       

      [jbossas@server1 configuration]$ keytool -list -keystore slave1.jks
      Enter keystore password:
      Keystore type: JKS
      Keystore provider: SUN

      Your keystore contains 2 entries

      slave1, Apr 26, 2017, PrivateKeyEntry,
      Certificate fingerprint (SHA1): 9B:91:C8:DF:20:D6:60:A0:28:F4:48:D8:37:72:95:68:FD:68:F1:59
      domain, Apr 26, 2017, trustedCertEntry,
      Certificate fingerprint (SHA1): B9:91:37:99:48:DC:B5:C3:94:1E:6D:86:AB:A8:66:E3:AB:34:31:58

       

       

      Domain controller host.xml:

      <security-realm name="ManagementRealm">
          <server-identities>
              <ssl>
                  <keystore path="/opt/jboss/jboss-eap-6.3/domain/configuration/domain.jks" keystore-password="password" alias="domain"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="domain.jks" keystore-password="password" />
              <local default-user="$local" skip-group-loading="true"/>
              <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
          </authentication>
          <authorization map-groups-to-roles="false">
              <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
          </authorization>
      </security-realm>

       

      On the slave machine, I have copied the domain.jks & slave1.jks certificates to the same path on the slave (server2 machine), and I have configured the same in the slave host.xml.

      The slave1 host.xml file contains the configuration below:

      <security-realm name="ManagementRealm">
          <server-identities>
              <secret value="base 64 secret value generated at the time of slave user creation" />
              <ssl>
                  <keystore path="slave1.jks" keystore-password="password" alias="slave1"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="/opt/jboss/jboss-eap-6.3/domain/configuration/domain.jks" keystore-password="password" relative-to="jboss.domain.config.dir" />
              <local default-user="$local" skip-group-loading="true"/>
              <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
          </authentication>
      </security-realm>

       

       

      If I do not install the SSL certificate on the management console, everything goes well. When I configure SSL for the management console, the problem occurs.

      Can you please suggest what other configuration is required in the slave host.xml file to communicate with the domain controller process over SSL?

        • 1. Re: host controller was not able to connect Domain controller After install the SSL in Management console.
          luck3y

          I can make this happen if I don't provide a truststore on the client, but something like the below works fine. You'd want this to be the same on the master & slave.

           

          <security-realm name="CertificateRealm">
              <server-identities>
                  <ssl>
                      <keystore path="/ssl/configuration/server.keystore" keystore-password="#####" alias="server"/>
                  </ssl>
              </server-identities>
              <authentication>
                  <truststore path="/ssl/configuration/server.truststore" keystore-password="#####"/>
                  <local default-user="$local"/>
                  <properties path="/ssl/configuration/users.properties"/>
              </authentication>
          </security-realm>

           

          Then you also need to ensure that the realm being referenced in the slave's domain-controller element also matches.

          See here for more info (this is for EAP7, so just ignore any references to protocol; the 6.3 domain connector doesn't support that):

           

          Chapter 3. Securing a Managed Domain - Red Hat Customer Portal

          • 2. Re: host controller was not able to connect Domain controller After install the SSL in Management console.
            nurubhas

            Hi Ken,

             

            I have not created any new security realm like Management. I have configured all certificates within the Management realm.

            Anyhow, the issue has been resolved.

            The actions taken were as below.

            I have given the complete certificate path in the slave host.xml. After that I restarted, and it seems they connected to the domain controller.

            Like below:

            <ssl>
              <keystore path="/opt/jboss/jboss-eap-6.3/domain/configuration/slave1.jks" keystore-password="password" alias="slave1"/>
            </ssl>

            Thanks for the suggestion.
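
A lint for a slave's host.xml covering the two points raised in the replies: the realm named on the slave's domain-controller element, and the keystore path that had to be written out in full. This is an added example, not part of the thread or of JBoss. The XML is a constructed sample modelled on the posted configuration; `lint_host_xml`, the placeholder host and port, and the premise that a relative path without `relative-to` depends on the process working directory are assumptions of the example.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed slave host.xml, modelled on the thread's settings (namespace
# omitted; host and port on <remote> are placeholder values).
SAMPLE_HOST_XML = """<host name="slave1">
  <management><security-realms>
    <security-realm name="ManagementRealm">
      <server-identities><ssl>
        <keystore path="slave1.jks" keystore-password="password" alias="slave1"/>
      </ssl></server-identities>
      <authentication>
        <truststore path="/opt/jboss/jboss-eap-6.3/domain/configuration/domain.jks"
                    keystore-password="password" relative-to="jboss.domain.config.dir"/>
      </authentication>
    </security-realm>
  </security-realms></management>
  <domain-controller>
    <remote host="server1.example.com" port="9999" security-realm="ManagementRealm"/>
  </domain-controller>
</host>"""

def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without XML namespace

def lint_host_xml(xml_text):
    """Return (realm, element, problem) tuples worth reviewing in a host.xml."""
    root = ET.fromstring(xml_text)
    realms = {e.get("name"): e for e in root.iter() if _name(e) == "security-realm"}
    findings = []
    for realm_name, realm in realms.items():
        for el in (e for e in realm.iter() if _name(e) in ("keystore", "truststore")):
            absolute = posixpath.isabs(el.get("path", ""))
            relative_to = el.get("relative-to")
            if not absolute and relative_to is None:
                # Assumption: such a path depends on the process working directory.
                findings.append((realm_name, _name(el), "relative path, no relative-to"))
            elif absolute and relative_to is not None:
                findings.append((realm_name, _name(el), "absolute path with relative-to"))
    for el in (e for e in root.iter() if _name(e) == "remote"):
        ref = el.get("security-realm")
        realm = realms.get(ref)
        if realm is None:
            findings.append((ref, "remote", "realm not defined"))
        elif not any(_name(e) == "truststore" for e in realm.iter()):
            findings.append((ref, "remote", "realm has no truststore"))
    return findings

if __name__ == "__main__":
    print(*lint_host_xml(SAMPLE_HOST_XML), sep="\n")
```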