JBoss 7.1: Connect to a secured domain manager
klaus_erber Jan 10, 2012 4:39 AM
Hello,
I have problems getting the domain operating mode working.
JBoss version 7.1CR1b
Master (ip 10.0.0.10) and slave (ip 10.0.0.11) are on two different virtual machines.
Configuration master (host.xml):
<host name="master" xmlns="urn:jboss:domain:1.1">
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.http.port:9990}"/>
            </http-interface>
        </management-interfaces>
    </management>
    <domain-controller>
        <local/>
    </domain-controller>
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:10.0.0.10}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
    </interfaces>
    <jvms>
        <jvm name="default">
            <heap size="64m" max-size="256m"/>
        </jvm>
    </jvms>
    <servers>
    </servers>
</host>
User in mgmt-users.properties:
node01=6cecc294214c4ec26082562e1db62c97
Configuration slave (host.xml):
<host name="node01" xmlns="urn:jboss:domain:1.1">
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
            </security-realm>
            <security-realm name="ServerRealm">
                <server-identities>
                    <secret value="6cecc294214c4ec26082562e1db62c97" />
                </server-identities>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
        </management-interfaces>
    </management>
    <domain-controller>
        <remote host="10.0.0.10" port="9999" security-realm="ServerRealm"/>
    </domain-controller>
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:10.0.0.11}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:0.0.0.0}"/>
        </interface>
    </interfaces>
    <jvms>
        <jvm name="default">
            <heap size="64m" max-size="256m"/>
        </jvm>
    </jvms>
    <servers>
        <server name="server-one" group="main-server-group">
        </server>
    </servers>
</host>
The start of the master works fine.
The start of the slave failed:
11:16:23,406 INFO [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
11:16:23,593 INFO [org.jboss.as.process.Host Controller.status] (main) JBAS012017: Starting process 'Host Controller'
[Host Controller] 11:16:23,891 INFO [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
[Host Controller] 11:16:24,307 INFO [org.jboss.msc] (main) JBoss MSC version 1.0.1.GA
[Host Controller] 11:16:24,398 INFO [org.jboss.as] (MSC service thread 1-1) JBoss AS 7.1.0.CR1b "Flux Capacitor" starting
[Host Controller] 11:16:25,208 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) Operation ("validate-authentication") failed - address: ([
[Host Controller]     ("host" => "node01"),
[Host Controller]     ("core-service" => "management"),
[Host Controller]     ("security-realm" => "ServerRealm")
[Host Controller] ]) - failure description: "JBAS015245: No authentication mechanism defined in security realm 'ServerRealm'."
[Host Controller] 11:16:25,227 INFO [org.jboss.as] (Controller Boot Thread) JBoss AS (Host Controller) 7.1.0.CR1b "Flux Capacitor" started in 1548ms - Started 9 of 9 services (0 services are passive or on-demand)
[Host Controller] 11:16:25,243 INFO [org.jboss.as] (MSC service thread 1-1) JBoss AS 7.1.0.CR1b "Flux Capacitor" stopped in 5ms
[Host Controller] 11:16:25,235 ERROR [org.jboss.as.controller] (Controller Boot Thread) JBAS014601: Error booting the container: java.lang.IllegalArgumentException: Name segment is null
[Host Controller]     at org.jboss.msc.service.ServiceName.of(ServiceName.java:82) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
[Host Controller]     at org.jboss.msc.service.ServiceName.append(ServiceName.java:112) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
[Host Controller]     at org.jboss.as.host.controller.ServerInventoryService.install(ServerInventoryService.java:80) [jboss-as-host-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
[Host Controller]     at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:307) [jboss-as-host-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
[Host Controller]     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:155) [jboss-as-controller-7.1.0.CR1b.jar:7.1.0.CR1b]
[Host Controller]     at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
Can you help me? I think there is something wrong with the server-identities part of the slave configuration.
regards
Klaus
Please have a look at the attached trace log of the master node. In particular this part:
12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) A2: AUTHENTICATE:remote/clustermanager.localdomain
12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) HEX(H(A2)): 94ae68b8547dc9a2f9656c69c3f23f58
12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) H(l�”!LN�`�V. �,�) = 6cecc294214c4ec26082562e1db62c97
12:04:06,867 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) H(A1): 7ca2b986315220da327a62d5acc28170
12:04:06,868 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) KD: 7ca2b986315220da327a62d5acc28170:7r7UJTEQv8HNkCjPMOFzuM/ZpVTu5pJL2k1nY5q6:00000001:zellkoEsYPTUntcCILe22UmBhvC9viBZEHcAUyKV:auth:94ae68b8547dc9a2f9656c69c3f23f58
12:04:06,868 TRACE [org.jboss.sasl.digest] (Remoting "master:MANAGEMENT" task-4) response-value: 0ba01b0f27322ec7f62276ea7fa8c8b7
12:04:06,868 TRACE [org.jboss.remoting.remote.server] (Remoting "master:MANAGEMENT" task-4) Server sending authentication rejected (javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched response.)
There is something wrong with the password compare.
Similar on the slave:
12:04:07,608 TRACE [org.jboss.modules] (Remoting "endpoint" task-2) Defined class org.jboss.sasl.util.Charsets in Module "org.jboss.sasl:main" from local module loader @16aeea66 (roots: /opt/jboss-as/modules)
12:04:07,611 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) A2: AUTHENTICATE:remote/clustermanager.localdomain
12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) HEX(H(A2)): 94ae68b8547dc9a2f9656c69c3f23f58
12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) H(� {@4@�}3/v c |) = 86017b403440e17d332f76110563087c
12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) H(A1): 73b5c10e8ab7827b6c59e8e4fc111c64
12:04:07,617 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) KD: 73b5c10e8ab7827b6c59e8e4fc111c64:7r7UJTEQv8HNkCjPMOFzuM/ZpVTu5pJL2k1nY5q6:00000001:zellkoEsYPTUntcCILe22UmBhvC9viBZEHcAUyKV:auth:94ae68b8547dc9a2f9656c69c3f23f58
12:04:07,618 TRACE [org.jboss.sasl.digest] (Remoting "endpoint" task-2) response-value: c23013459d9c939aca4029c8485d5ae0
12:04:07,618 TRACE [org.jboss.remoting.remote.client] (Remoting "endpoint" task-2) Client sending authentication response
12:04:07,618 TRACE [org.xnio.channels.framed] (Remoting "endpoint" task-2) Accepting java.nio.HeapByteBuffer[pos=0 lim=278 cap=8192] into java.nio.HeapByteBuffer[pos=0 lim=8196 cap=8196]
12:04:07,618 TRACE [org.xnio.channels.framed] (Remoting "endpoint" task-2) Accepted a message into java.nio.HeapByteBuffer[pos=282 lim=8196 cap=8196]
greetings
Klaus
Change by Klaus Erber
Here comes a working configuration:
Master host.xml:
<host name="master" xmlns="urn:jboss:domain:1.1">
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket interface="management" port="${jboss.management.http.port:9990}"/>
            </http-interface>
        </management-interfaces>
    </management>
    <domain-controller>
        <local/>
    </domain-controller>
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:10.0.0.10}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
    </interfaces>
    <jvms>
        <jvm name="default">
            <heap size="64m" max-size="256m"/>
        </jvm>
    </jvms>
    <servers>
    </servers>
</host>
User in mgmt-users.properties (created with add-user.sh script in ManagementRealm, password is 'laBadmin.6'):
node01=d0114fbcb7421cb836ae551cf054d5a7
Slave host.xml:
<host name="node01" xmlns="urn:jboss:domain:1.1">
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
                <server-identities>
                    <secret value="bGFCYWRtaW4uNg==" />
                </server-identities>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface>
                <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
        </management-interfaces>
    </management>
    <domain-controller>
        <remote host="10.0.0.10" port="9999" security-realm="ManagementRealm" />
    </domain-controller>
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:10.0.0.11}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:0.0.0.0}"/>
        </interface>
    </interfaces>
    <jvms>
        <jvm name="default">
            <heap size="64m" max-size="256m"/>
        </jvm>
    </jvms>
    <servers>
        <server name="server-one" group="main-server-group">
        </server>
    </servers>
</host>
Note the value of the secret: it is the base64-encoded password 'laBadmin.6'.
You can do that on http://www.motobit.com/util/base64-decoder-encoder.asp
Changed by Klaus Erber
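Why the first attempt was rejected, as an added example that is not part of this thread: the master verifies DIGEST-MD5 from HEX(MD5(user:realm:password)) stored in mgmt-users.properties, while the slave base64-decodes <secret value> to recover the plaintext password, so putting the properties hash into the secret makes the two sides derive different H(A1) values. The nonce and cnonce are copied from the trace above; the H(A1) construction follows RFC 2831 without an authzid.

```python
import base64
import hashlib

# nonce/cnonce copied from the DIGEST-MD5 trace in this thread
NONCE = "7r7UJTEQv8HNkCjPMOFzuM/ZpVTu5pJL2k1nY5q6"
CNONCE = "zellkoEsYPTUntcCILe22UmBhvC9viBZEHcAUyKV"


def mgmt_users_hash(user: str, realm: str, password: str) -> str:
    """HEX(MD5(user:realm:password)): what add-user.sh writes to mgmt-users.properties."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def secret_for_host_xml(password: str) -> str:
    """The <secret value="..."/> on the slave is the base64 of the plaintext password."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def h_a1_from_stored_hash(stored_hex: str, nonce: str, cnonce: str) -> str:
    """Master side: H(A1) = MD5(H(user:realm:pass) ':' nonce ':' cnonce),
    using the raw hash bytes it already has on file (RFC 2831, no authzid)."""
    urp = bytes.fromhex(stored_hex)
    return hashlib.md5(urp + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()


def h_a1_from_secret(user: str, realm: str, secret_b64: str, nonce: str, cnonce: str) -> str:
    """Slave side: base64-decode the secret to get the password, then derive H(A1)."""
    password = base64.b64decode(secret_b64)
    urp = hashlib.md5(f"{user}:{realm}:".encode("utf-8") + password).digest()
    return hashlib.md5(urp + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()


def secret_matches(user: str, realm: str, stored_hex: str, secret_b64: str) -> bool:
    """True when both sides compute the same H(A1); False is the 'Mismatched response' case."""
    return (h_a1_from_stored_hash(stored_hex, NONCE, CNONCE)
            == h_a1_from_secret(user, realm, secret_b64, NONCE, CNONCE))


if __name__ == "__main__":
    user, realm, password = "node01", "ManagementRealm", "laBadmin.6"
    stored = mgmt_users_hash(user, realm, password)
    good_secret = secret_for_host_xml(password)
    # The first host.xml copied the properties hash into <secret>; the slave
    # base64-decodes that string into 24 unrelated bytes and gets a different H(A1).
    print("mgmt-users.properties line:", f"{user}={stored}")
    print("base64 secret matches:     ", secret_matches(user, realm, stored, good_secret))
    print("hash-as-secret matches:    ", secret_matches(user, realm, stored, stored))
```

Running the check against both candidate secrets before restarting the slave avoids a TRACE-level hunt through the SASL exchange.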