7 Replies Latest reply on Feb 17, 2012 10:20 PM by iran zhou

    JBoss 7.1: Connect to a secured domain manager

    Klaus Erber Newbie

      Hello,

       

      i have problems to get the domain operating mode working.

       

      JBoss version 7.1CR1b

      Master (ip 10.0.0.10) and slave (ip 10.0.0.11) are on to different virtual mashines.

       

      Configuration master (host.xml):

       

      <host name="master" xmlns="urn:jboss:domain:1.1">
      
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
                  <http-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.http.port:9990}"/>
                  </http-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <local/>
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.10}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:127.0.0.1}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
          </servers>
      </host>
      

       

      User in mgmt-users.properties:

       

      node01=6cecc294214c4ec26082562e1db62c97
      

       

      Configuration slave (host.xml):

       

      <host name="node01" xmlns="urn:jboss:domain:1.1">
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="ServerRealm">
                      <server-identities>
                          <secret value="6cecc294214c4ec26082562e1db62c97" />
                      </server-identities>
                  </security-realm>
               </security-realms>
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <remote host="10.0.0.10" port="9999" security-realm="ServerRealm"/>
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.11}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:0.0.0.0}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
              <server name="server-one" group="main-server-group">
              </server>
          </servers>
      </host>
      

       

      The start of the master works fine.

       

      The start of the slave failed:

       

      11:16:23,406 INFO  [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
      11:16:23,593 INFO  [org.jboss.as.process.Host Controller.status] (main) JBAS012017: Starting process 'Host Controller'
      [Host Controller] 11:16:23,891 INFO  [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
      [Host Controller] 11:16:24,307 INFO  [org.jboss.msc] (main) JBoss MSC version 1.0.1.GA
      [Host Controller] 11:16:24,398 INFO  [org.jboss.as] (MSC service thread 1-1) JBoss AS 7.1.0.CR1b "Flux Capacitor" starting
      [Host Controller] 11:16:25,208 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) Operation ("validate-authentication") failed - address: ([
      [Host Controller]     ("host" => "node01"),
      [Host Controller]     ("core-service" => "management"),
      [Host Controller]     ("security-realm" => "ServerRealm")
      [Host Controller] ]) - failure description: "JBAS015245: No authentication mechanism defined in security realm 'ServerRealm'."
      [Host Controller] 11:16:25,227 INFO  [org.jboss.as] (Controller Boot Thread) JBoss AS (Host Controller) 7.1.0.CR1b "Flux Capacitor" started in 1548ms - Started 9 of 9 services (0 services are passive or on-demand)
      [Host Controller] 11:16:25,243 INFO  [org.jboss.as] (MSC service thread 1-1) JBoss AS 7.1.0.CR1b "Flux Capacitor" stopped in 5ms
      [Host Controller] 11:16:25,235 ERROR [org.jboss.as.controller] (Controller Boot Thread) JBAS014601: Error booting the container: java.lang.IllegalArgumentException: Name segment is null
      [Host Controller]       at org.jboss.msc.service.ServiceName.of(ServiceName.java:82) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
      [Host Controller]       at org.jboss.msc.service.ServiceName.append(ServiceName.java:112) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
      [Host Controller]       at org.jboss.as.host.controller.ServerInventoryService.install(ServerInventoryService.java:80) [jboss-as-host-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
      [Host Controller]       at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:307) [jboss-as-host-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
      [Host Controller]       at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:155) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
      [Host Controller]       at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
      [Host Controller]
      

       

      Can you help me? I think there is something wrong with the server-identities part of the the slave configuration.

       

      regards

      Klaus

       

      Please have a look at the attached trace log of the master node. In particular this part:

       

      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) A2: AUTHENTICATE:remote/clustermanager.localdomain
      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) HEX(H(A2)): 94ae68b8547dc9a2f9656c69c3f23f58
      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) H(l�”!LN�`�V. �,�) = 6cecc294214c4ec26082562e1db62c97
      12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) H(A1): 7ca2b986315220da327a62d5acc28170
      12:04:06,868 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) KD: 7ca2b986315220da327a62d5acc28170:7r7UJTEQv8HNkCjPMOFzuM/ZpVTu5pJL2k1nY5q6:00000001:zellkoEsYPTUntcCILe22UmBhvC9viBZEHcAUyKV:auth:94ae68b8547dc9a2f9656c69c3f23f58
      12:04:06,868 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) response-value: 0ba01b0f27322ec7f62276ea7fa8c8b7
      12:04:06,868 TRACE [org.jboss.remoting.remote.server] (Remoting "master:MANAGEMENT" task-4) Server sending authentication rejected (javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched response.)
      

       

       

      there is something wrong with the password compare.

       

      Similar on the slave:

       

      12:04:07,608 TRACE [org.jboss.modules] (Remoting "endpoint" task-2) Defined class org.jboss.sasl.util.Charsets in Module "org.jboss.sasl:main" from local module loader @16aeea66 (roots: /opt/jboss-as/modules)
      12:04:07,611 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) A2: AUTHENTICATE:remote/clustermanager.localdomain
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) HEX(H(A2)): 94ae68b8547dc9a2f9656c69c3f23f58
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) H(� {@4@�}3/v  c |) = 86017b403440e17d332f76110563087c
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) H(A1): 73b5c10e8ab7827b6c59e8e4fc111c64
      12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) KD: 73b5c10e8ab7827b6c59e8e4fc111c64:7r7UJTEQv8HNkCjPMOFzuM/ZpVTu5pJL2k1nY5q6:00000001:zellkoEsYPTUntcCILe22UmBhvC9viBZEHcAUyKV:auth:94ae68b8547dc9a2f9656c69c3f23f58
      12:04:07,618 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) response-value: c23013459d9c939aca4029c8485d5ae0
      12:04:07,618 TRACE [org.jboss.remoting.remote.client] (Remoting "endpoint" task-2) Client sending authentication response
      12:04:07,618 TRACE [org.xnio.channels.framed] (Remoting "endpoint" task-2) Accepting java.nio.HeapByteBuffer[pos=0 lim=278 cap=8192] into java.nio.HeapByteBuffer[pos=0 lim=8196 cap=8196]
      12:04:07,618 TRACE [org.xnio.channels.framed] (Remoting "endpoint" task-2) Accepted a message into java.nio.HeapByteBuffer[pos=282 lim=8196 cap=8196]
      

       

       

      greetings

      Klaus

       

      Change by Klaus Erber

       

       

      Here comes a working configuration:

       

      Master host.xml:

       

      <host name="master" xmlns="urn:jboss:domain:1.1">
      
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>        
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
                  <http-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.http.port:9990}"/>
                  </http-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <local/>
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.10}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:127.0.0.1}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
          </servers>
      </host>
      

       

      User in mgmt-users.properties (created with add-user.sh script in ManagementRealm, password is 'laBadmin.6'):

       

      node01=d0114fbcb7421cb836ae551cf054d5a7
      

       

      Slave host.xml:

       

      <host name="node01" xmlns="urn:jboss:domain:1.1">
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                      </authentication>
                      <server-identities>
                          <secret value="bGFCYWRtaW4uNg==" />
                      </server-identities>                
                  </security-realm>
              </security-realms>
              <management-interfaces>
                  <native-interface>
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
              </management-interfaces>
          </management>
      
          <domain-controller>
             <remote host="10.0.0.10" port="9999" security-realm="ManagementRealm" />
          </domain-controller>
      
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:10.0.0.11}"/>
              </interface>
              <interface name="public">
                 <inet-address value="${jboss.bind.address:0.0.0.0}"/>
              </interface>
          </interfaces>
      
           <jvms>
              <jvm name="default">
                <heap size="64m" max-size="256m"/>
             </jvm>
           </jvms>
      
          <servers>
              <server name="server-one" group="main-server-group">
              </server>
          </servers>
      </host>
      

       

      Note the value of the secret, it is the base64 encoded password 'laBadmin.6'.

      You can do that on http://www.motobit.com/util/base64-decoder-encoder.asp

       

      Changed by Klaus Erber