2 Replies Latest reply on Jun 5, 2014 9:25 AM by Abhijeet Singh

    Domain-Slave certificate-based authentication

    Kristina Clair Newbie

      I am running JBoss EAP 6.0.1.GA (AS 7.1.3.Final-redhat-4) in domain mode.  The domain controller and slaves are running on separate servers.

       

      I'm trying to set up authentication through SSL certificates only between my domain controller and slaves, but then authentication is not working.  I am using the self-signed certificates created by keytool.

       

      On the domain controller, I have the following keystores and keystore content:

       

          # /usr/java/jdk7/bin/keytool -list -keystore domain_controller.keystore.jks
      
          Keystore type: JKS
          Keystore provider: SUN
      
          Your keystore contains 1 entry
       
          master, Apr 24, 2013, PrivateKeyEntry, 
          Certificate fingerprint (SHA1): 42:A6:AA:6C:B4:1F:0F:18:B1:7B:BE:AF:7C:5F:4E:DD:F8:32:0A:A5
      
          # /usr/java/jdk7/bin/keytool -list -keystore truststore.keystore.jks
      
          Keystore type: JKS
          Keystore provider: SUN
      
          Your keystore contains 2 entries
      
          master, Apr 24, 2013, trustedCertEntry, 
          Certificate fingerprint (SHA1): 42:A6:AA:6C:B4:1F:0F:18:B1:7B:BE:AF:7C:5F:4E:DD:F8:32:0A:A5
          slave1, Apr 24, 2013, trustedCertEntry, 
          Certificate fingerprint (SHA1): 9C:34:44:B8:A1:2A:60:1F:DF:2D:70:40:50:14:72:34:AA:E7:43:10
      

       

      And the following in host.xml:

                  <security-realm name="ManagementRealm">
                      <server-identities>
                          <ssl>
                              <keystore alias="master" path="/my/path/to/domain_controller.keystore.jks" keystore-password="keystorepass"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <truststore path="/my/path/to/truststore.keystore.jks" password="truststorepass"/>
                      </authentication>
                  </security-realm>
                  ...
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
      

       

      The domain controller and management interface on port 9999 start fine.

       

      On the slave, I have the identical truststore as on the master (containing both certs), and I have the following keystore and content:

       

          # /usr/java/jdk7/bin/keytool -list -keystore as.keystore.jks
      
          Keystore type: JKS
          Keystore provider: SUN
      
          Your keystore contains 1 entry
      
          slave1, Apr 24, 2013, PrivateKeyEntry,
          Certificate fingerprint (SHA1): 9C:34:44:B8:A1:2A:60:1F:DF:2D:70:40:50:14:72:34:AA:E7:43:10
      

       

      And the following configuration in host.xml:

                  <security-realm name="ManagementRealm">
                      <server-identities>
                          <ssl>
                              <keystore alias="slave1" path="/path/to/my/as.keystore.jks" keystore-password="keystorepass"/>
                          </ssl>
                      </server-identities>            
                      <authentication>
                          <truststore path="/path/to/my/truststore.keystore.jks" password="truststorepass"/>
                      </authentication>
                  </security-realm>
                  ...
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
              </management-interfaces>
             ...
          <domain-controller>
             <remote host="master" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
          </domain-controller>
      

       

      The slave is able to connect to port 9999 on the master, but then logs the following error:

       

      javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

       

      So I would assume that something is not set up correctly regarding the truststore, but I am not sure what....