2 Replies Latest reply on Jul 1, 2019 8:58 AM by valsaraj007

    Legacy security domain as Elytron security realm

    valsaraj007

      Is it possible to use a legacy security domain as an Elytron security realm in WildFly-16?

      After migrating to WF-16, application on https works fine using custom JAAS legacy realm and security domain.

      <security-realm name="SSLRealm">
          <server-identities>
              <ssl>
                  <keystore provider="PKCS12" path="webserver.p12" relative-to="jboss.domain.config.dir" keystore-password="****"/>
              </ssl>
          </server-identities>
          <authentication>
              <jaas name="appCustomDomain"/>
          </authentication>
      </security-realm>

      Remoting over HTTP is fine, but HTTPS fails with the following exception. The certificates are already configured and imported.

      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
          at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
          at sun.security.validator.Validator.validate(Validator.java:262)
          at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
          at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
          at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
          ... 18 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
          ... 24 more
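      A client-side reproduction of the failing check, added here as an example (it is not part of this thread and not WildFly code): it loads the chain from the server's webserver.p12 and validates it against the client's truststore with the same PKIX validator the JSSE trust manager uses, so the issuer the truststore is missing is named directly. File paths and passwords are placeholders passed on the command line, and JDK 9 or later is assumed so that a JKS or PKCS12 truststore is auto-detected.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class PkixPathCheck {
    // Loads the server's certificate chain from its PKCS12 keystore and validates it against
    // the client's truststore, the same check the client-side X509TrustManager performs.
    public static String check(String serverP12, char[] serverPw,
                               String trustStorePath, char[] trustPw) throws Exception {
        KeyStore server = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(serverP12)) { server.load(in, serverPw); }
        // The first private-key entry is the TLS identity presented on the https-listener.
        Certificate[] chain = null;
        for (String alias : Collections.list(server.aliases())) {
            if (server.isKeyEntry(alias)) { chain = server.getCertificateChain(alias); break; }
        }
        if (chain == null) return "no private-key entry found in " + serverP12;
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) path.add((X509Certificate) c);
        // PKIX expects the trust anchor in the truststore, not as the last element of the path.
        X509Certificate top = path.get(path.size() - 1);
        if (path.size() > 1 && top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
            top = path.get(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        // Client truststore: whatever -Djavax.net.ssl.trustStore (or the JDK's cacerts) points at.
        // Assumes JDK 9+, where the default keystore type auto-detects JKS and PKCS12 files.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) { trust.load(in, trustPw); }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);   // isolate path building from OCSP/CRL lookups
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException ex) {
            // Same condition as "unable to find valid certification path to requested target":
            // the truststore holds no certificate for the issuer named below.
            return "FAIL: " + ex.getMessage() + "; missing anchor for " + top.getIssuerX500Principal();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(check(args[0], args[1].toCharArray(), args[2], args[3].toCharArray()));
    }
}
```

      Run it with the server keystore and the truststore the standalone client actually uses; a FAIL result names the issuer whose certificate has to be imported into that truststore.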

        • 1. Re: Legacy security domain as Elytron security realm
          dlofthouse

          For an error like that you would be better off working through the actual problem. It is not possible to use legacy security realms in the way you suggest, although that may not be an answer anyway.

          Trace logging for org.wildfly.security can be useful as well as sharing the configuration leading to the error.

          • 2. Re: Legacy security domain as Elytron security realm
            valsaraj007

            <security-domain name="appCustomDomain" cache-type="default">
                <authentication>
                    <login-module name="KeyLoginModule" code="org.app.security.auth.AppLoginModule" flag="required" module="com.app.configuration">
                        <module-option name="*****" value="****"/>
                    </login-module>
                    <login-module name="ClientLoginModule" code="org.jboss.security.ClientLoginModule" flag="required">
                        <module-option name="restore-login-identity" value="true"/>
                    </login-module>
                </authentication>
            </security-domain>

            ...

            <remote connector-ref="http-remoting-connector" thread-pool-name="default">
                <channel-creation-options>
                    <option name="READ_TIMEOUT" value="${prop.remoting-connector.read.timeout:20}" type="xnio"/>
                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
                </channel-creation-options>
            </remote>

            ...

            <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                <http-connector name="http-remoting-connector" connector-ref="https" security-realm="SSLRealm"/>
            </subsystem>

            ...

            <https-listener name="https" tcp-keep-alive="true" read-timeout="180000" write-timeout="300000" socket-binding="https" max-post-size="1048576000" max-parameters="2000" security-realm="SSLRealm" enable-http2="false"/>

            host conf:

            <security-realm name="SSLRealm">
                <server-identities>
                    <ssl>
                        <keystore provider="PKCS12" path="webserver.p12" relative-to="jboss.domain.config.dir" keystore-password="****"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <jaas name="appCustomDomain"/>
                </authentication>
            </security-realm>

            Hi Darran dlofthouse,

            I added TRACE logging for org.wildfly.security in WildFly. But there is no log printed on the WildFly server side, since the EJB call from the standalone Java client application fails due to an SSL error.

            This is the configuration used for EJB remoting over java.naming.provider.url=remote+https://localhost:8443. Please let me know if anything is wrong.