2 Replies Latest reply on Apr 17, 2018 7:52 AM by jorith.van.den.heuvel

    Active-mq messaging with elytron on wildfly 11

    nikhilsb

      We are currently migrating from wildfly 10 to wildfly 11.

       

      We currently have passwords stored in vault and we are accessing as below for active mq.

      <subsystem xmlns="urn:jboss:domain:messaging-activemq:2.0">
          <server name="default">
              ....
              <http-connector name="http-connector" endpoint="http-acceptor" socket-binding="httpsamq">
                  <param name="ssl-enabled" value="true"/>
                  <param name="keyStorePath" value="${jboss.server.config.dir}\keystoreName"/>
                  <param name="keyStorePassword" value="${VAULT::ssl::key-pass::1}"/>
              </http-connector>
              ...
              ...
              <http-acceptor name="http-acceptor" http-listener="httpsamq">
                  <param name="ssl-enabled" value="true"/>
                  <param name="keyStorePath" value="${jboss.server.config.dir}\keystoreName"/>
                  <param name="keyStorePassword" value="${VAULT::ssl::ssl-pass::1}"/>
              </http-acceptor>
              ...
              ...
          </server>
      </subsystem>


      We are getting rid of the vault, so we have started to migrate to Elytron. We have created a credential store and added a password with the alias keystore-password to it.

      What I need to know is: is there a way for me to retrieve and use the keyStorePassword from the Elytron credential store instead of the vault? What are my options here?

      Is there any documentation I can check?

       

        • 1. Re: Active-mq messaging with elytron on wildfly 11
          mchoma

          Credential store strings can currently be used only in specialized "credential-reference" attributes. keyStorePassword is not such a case.

           

          This is a known issue, as Elytron integration in this area is not complete. See https://issues.jboss.org/browse/EAP7-683

          The http-acceptor part can be solved by configuring Undertow to use an Elytron SSL context, which is aware of the credential store.

           

          Can you elaborate on your use case? Are you trying to configure 2-way SSL between client and server? Where is your client located? Is it in the same WF instance, another WF instance, or a standalone app? What are you expecting the vault's role to be here? Most probably the vault expression is resolved at server boot and the client gets an object with the plain password over the network anyway.
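          As an added example (not from the thread or the WildFly project itself), the http-acceptor side mchoma describes: an Elytron key-store and server-ssl-context that take the keystore password from the credential store, wired to the Undertow listener the acceptor refers to. The names amq-store, amq-key-store, amq-key-manager, amq-ssl-context, the store file name and the subsystem schema versions are assumptions for a WildFly 11 configuration.

```xml
<subsystem xmlns="urn:wildfly:elytron:1.2">
    <tls>
        <key-stores>
            <!-- same keystore file as in the question; its password now comes
                 from the credential store instead of a VAULT expression -->
            <key-store name="amq-key-store">
                <credential-reference store="amq-store" alias="keystore-password"/>
                <implementation type="JKS"/>
                <file path="keystoreName" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>
        <key-managers>
            <key-manager name="amq-key-manager" key-store="amq-key-store">
                <credential-reference store="amq-store" alias="keystore-password"/>
            </key-manager>
        </key-managers>
        <server-ssl-contexts>
            <server-ssl-context name="amq-ssl-context" key-manager="amq-key-manager"
                                protocols="TLSv1.2"/>
        </server-ssl-contexts>
    </tls>
    <credential-stores>
        <!-- the store the question says already holds the alias keystore-password;
             the store's own password below is a placeholder, not a real value -->
        <credential-store name="amq-store" location="amq-store.jceks"
                          relative-to="jboss.server.config.dir" create="true">
            <credential-reference clear-text="STORE-PASSWORD-PLACEHOLDER"/>
        </credential-store>
    </credential-stores>
</subsystem>

<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <server name="default-server">
        <!-- ssl-context replaces the keyStore* acceptor params: TLS is
             terminated here, on the listener the acceptor points at -->
        <https-listener name="httpsamq" socket-binding="httpsamq"
                        ssl-context="amq-ssl-context"/>
    </server>
</subsystem>

<subsystem xmlns="urn:jboss:domain:messaging-activemq:2.0">
    <server name="default">
        <!-- no keyStorePath/keyStorePassword params on the acceptor any more -->
        <http-acceptor name="http-acceptor" http-listener="httpsamq"/>
    </server>
</subsystem>
```

          The http-connector still needs its keyStorePassword param, which, as mchoma's reply says, cannot yet take a credential reference (EAP7-683).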

          • 2. Re: Active-mq messaging with elytron on wildfly 11
            jorith.van.den.heuvel

            We have a similar issue regarding a WebSphere MQ resource adapter. Our current configuration looks like the one below:

            <subsystem xmlns="urn:jboss:domain:resource-adapters:5.0">
                <resource-adapters>
                    <resource-adapter id="wmq.jmsra.rar">
                        <archive>wmq.jmsra.rar</archive>
                        <transaction-support>LocalTransaction</transaction-support>
                        ...
                        <connection-definitions>
                            <connection-definition class-name="com.ibm.mq.connector.outbound.ManagedConnectionFactoryImpl" jndi-name="java:/jboss/jms/wmq/connectionFactory" use-java-context="true" pool-name="MQConnectionFactoryPool">
                                ...
                                <config-property name="password">
                                    ${VAULT::some_vault::password_websphere_mq::1}
                                </config-property>
                                ...
                            </connection-definition>
                        </connection-definitions>
                    </resource-adapter>
                </resource-adapters>
            </subsystem>


            I think it's not possible to add a credential reference here instead of the VAULT string. Since I cannot view the EAP7-683 issue: will this use case be supported in a future version?