-
1. Re: Attribute 'enabled-cipher-suites' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated
mchoma Nov 30, 2017 1:52 AM (in response to gir489)
1 of 1 people found this helpful
enabled-cipher-suites is deprecated in favor of Elytron server-ssl-context, where you can define the same.
-
2. Re: Attribute 'enabled-cipher-suites' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated
gir489 Nov 30, 2017 8:57 AM (in response to mchoma)
You should probably make mention of cipher-suite-filter in the documentation for migrating to Elytron.
I've got it to stop complaining about deprecation stuff except for ManagementRealm, which is Wildfly's problem. I'm assuming when 12 comes out, ManagementRealm will ship with an Elytron config, and I'll just copy and paste it in when they deploy it.
Thanks.
-
3. Re: Attribute 'enabled-cipher-suites' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated
mchoma Nov 30, 2017 12:16 PM (in response to gir489)
1 of 1 people found this helpful
Feel free to edit the WildFly documentation. You know best where and what kind of information would help in your case.
You can definitely replace ManagementRealm with Elytron today by using the preconfigured management-sasl-authentication and management-http-authentication resources.
You can switch completely from legacy security to Elytron security by running /docs/example/enable-elytron.cli on a fresh standalone.xml [1]
You can see in the script what needs to be done to replace the legacy ManagementRealm. Basically, this should be enough:
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={enabled=true, sasl-authentication-factory=management-sasl-authentication})
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=management-http-authentication)
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
-
4. Re: Attribute 'enabled-cipher-suites' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated
gir489 Nov 30, 2017 2:20 PM (in response to gir489)
I ran the enable-elytron.cli script on my configuration and it worked. It doesn't complain about deprecation warnings anymore.
-
5. Re: Attribute 'enabled-cipher-suites' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated
mchoma Nov 30, 2017 3:25 PM (in response to gir489)
Congratulations!! You are fully elytronized. And in theory, you should be safe with migration for a long time.
Not sure if it should work, but you can even try to remove all security realms and the whole security subsystem.
-
6. Re: Attribute 'enabled-cipher-suites' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated
gir489 Dec 1, 2017 9:54 AM (in response to mchoma)
I did. We had a problem in the past with the deployment engineer editing the dummy config we dead-drop in the system to confuse potential attackers about the whereabouts of APIs/SSL certs/crypto keys/etc, and it opened our eyes to how horribly complacent people become with just simply trying to find the easiest way to do something then mark the task done. So because of this, we don't want to leave the old security realm in there, not so much that Wildfly might barf over it in the future, but because we don't want future deployment engineers editing that, then getting customer complaints about why our site isn't SSL'd with the right cipher anymore...
I get the warm and fuzzies when something works up to spec. I also don't like the console yelling at me for deprecation errors. I'm glad you guys ship the product with such easy to use tools like the JMX console with the Elytron porting script, and that's why we picked JBoss in the past, and why we continue to use JBoss, because the tools that ship with the product are always a dream to use. Keep up the fantastic work.
-
7. Re: Attribute 'enabled-cipher-suites' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated
mchoma Dec 3, 2017 4:56 PM (in response to gir489)
Nice to hear that!
Regarding your problem, you can enable RBAC. With that, you can add the deployment engineer to the Deployer role. The Deployer role has only limited operations granted and can't change SSL settings, for instance.
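
A way to confirm that no legacy security configuration is left in standalone.xml after the migration discussed in this thread. This is an added example, not part of any post above and not WildFly code; it assumes the stock standalone.xml element and attribute names, and the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed standalone.xml that still carries legacy settings.
SAMPLE = """<server xmlns="urn:jboss:domain:5.0">
  <management>
    <security-realms><security-realm name="ManagementRealm"/></security-realms>
    <management-interfaces>
      <http-interface security-realm="ManagementRealm"/>
    </management-interfaces>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
      <server name="default-server">
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"
                        enabled-cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA"/>
      </server>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:security:2.0"/>
  </profile>
</server>"""

def local(tag):
    """Strip the '{namespace}' prefix; subsystem namespaces change per release."""
    return tag.rsplit("}", 1)[-1]

def namespace(tag):
    """Return the namespace URI of an ElementTree tag, or '' if it has none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""

def audit(xml_text):
    """Return findings for legacy (pre-Elytron) security config still present."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name, ident = local(el.tag), el.get("name", "")
        if name == "https-listener":
            for attr in ("enabled-cipher-suites", "security-realm"):
                if attr in el.attrib:
                    findings.append(f"https-listener={ident}: legacy attribute {attr}")
            if "ssl-context" not in el.attrib:
                findings.append(f"https-listener={ident}: no ssl-context set")
        elif name in ("http-interface", "native-interface") and "security-realm" in el.attrib:
            findings.append(f"{name}: still bound to security-realm {el.get('security-realm')}")
        elif name == "security-realm":
            findings.append(f"security-realm {ident} still defined")
        elif name == "subsystem" and namespace(el.tag).startswith("urn:jboss:domain:security:"):
            findings.append("legacy security subsystem still present")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("LEGACY:", finding)
```

Run against a copy of the deployed configuration, an empty result means the listener uses an Elytron ssl-context and nothing remains of the old realms for someone to edit by mistake.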