3 Replies Latest reply on Jul 27, 2013 10:05 PM by Claudio Miranda

    jboss remoting fails to authenticate to second server

    Claudio Miranda Apprentice

      Hi, there are two servers for the same host controller: the WAR is deployed on server-one, the EJB is deployed on server-two. Both are configured with remoting outbound connections, but it fails:

       

      10:14:55,112 ERROR [org.jboss.remoting.remote.connection] (Remoting "master:server-one" read-1) JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      10:14:55,113 TRACE [org.jboss.remoting.endpoint] (Remoting "master:server-one" read-1) Registered exception result: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:344) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]

              at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:227) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]

              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:180) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]

              at org.xnio.nio.NioHandle.run(NioHandle.java:90)

              at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)

       

       

      remoting log shows, see bold message below

       

      10:14:55,085 INFO  [stdout] (http-localhost.localdomain/127.0.0.1:8080-1) ejb: Proxy for remote EJB StatelessEJBLocator{appName='', moduleName='jboss-as-propagation-ejb', distinctName='', beanName='HelloEJB', view='interface org.jboss.as.quickstarts.ejb_security.Hello'}

      10:14:55,086 TRACE [org.jboss.remoting.endpoint] (ejb-client-context-tasks-5-thread-1) Allocated tick to 3 of endpoint "master:server-one" <1b08a24b> (opened Connection to /127.0.0.1:4597)

      10:14:55,087 TRACE [org.jboss.remoting.remote] (ejb-client-context-tasks-5-thread-1) Attempting to connect to "/127.0.0.1:4597" with options {org.xnio.Options.SASL_DISALLOWED_MECHANISMS=>[JBOSS-LOCAL-USER],org.xnio.Options.SASL_POLICY_NOPLAINTEXT=>false,org.xnio.Options.SASL_POLICY_NOANONYMOUS=>false,org.xnio.Options.SSL_ENABLED=>true,org.xnio.Options.SSL_STARTTLS=>true}

      10:14:55,091 TRACE [org.jboss.remoting.remote] (Remoting "master:server-one" read-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting@3f76b3c4

      10:14:55,092 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Received java.nio.HeapByteBuffer[pos=24 lim=8192 cap=8192]

      10:14:55,092 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received greeting

      10:14:55,092 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received server name: localhost.localdomain

      10:14:55,092 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client sending capabilities request

      10:14:55,093 TRACE [org.jboss.remoting.remote] (Remoting "master:server-one" read-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities@a142969

      10:14:55,093 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" read-1) Sent message java.nio.HeapByteBuffer[pos=45 lim=45 cap=8192] (direct)

      10:14:55,093 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" read-1) Flushed channel (direct)

      10:14:55,096 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capabilities response

      10:14:55,096 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: version 1

      10:14:55,097 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: remote endpoint name "master:server-two"

      10:14:55,097 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: SASL mechanism JBOSS-LOCAL-USER

      10:14:55,097 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: SASL mechanism DIGEST-MD5

      10:14:55,097 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) SASL mechanism DIGEST-MD5 added to allowed set

      10:14:55,098 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: message close protocol supported

      10:14:55,098 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: remote version is "3.2.16.GA-redhat-1"

      10:14:55,100 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client initiating authentication using mechanism DIGEST-MD5

      10:14:55,101 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" task-3) Sent message java.nio.HeapByteBuffer[pos=12 lim=12 cap=8192] (direct)

      10:14:55,101 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" task-3) Flushed channel (direct)

      10:14:55,101 TRACE [org.jboss.remoting.remote] (Remoting "master:server-one" task-3) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication@7b750dd2

      10:14:55,103 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received authentication challenge

      10:14:55,104 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" task-4) Client sending authentication response

      10:14:55,105 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" task-4) Sent message java.nio.HeapByteBuffer[pos=277 lim=277 cap=8192] (direct)

      10:14:55,105 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" task-4) Flushed channel (direct)

      10:14:55,106 DEBUG [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received authentication rejected for mechanism DIGEST-MD5

      10:14:55,106 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client sending capabilities request

      10:14:55,107 TRACE [org.jboss.remoting.remote] (Remoting "master:server-one" read-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities@41de9550

      10:14:55,107 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" read-1) Sent message java.nio.HeapByteBuffer[pos=45 lim=45 cap=8192] (direct)

      10:14:55,107 TRACE [org.jboss.remoting.remote.connection] (Remoting "master:server-one" read-1) Flushed channel (direct)

      10:14:55,110 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capabilities response

      10:14:55,110 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: version 1

      10:14:55,110 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: remote endpoint name "master:server-two"

      10:14:55,110 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: SASL mechanism JBOSS-LOCAL-USER

      10:14:55,111 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: SASL mechanism DIGEST-MD5

      10:14:55,111 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: message close protocol supported

      10:14:55,111 TRACE [org.jboss.remoting.remote.client] (Remoting "master:server-one" read-1) Client received capability: remote version is "3.2.16.GA-redhat-1"

       

      The relevant settings are provided below. Can you see anything in need of a fix?

      The server is EAP 6.1. There is no commercial subscription, this is only development mode.

       

      profile "full", where war is deployed

       

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
          <outbound-connections>
              <remote-outbound-connection name="ejb-outbound-connection" outbound-socket-binding-ref="srv2srv-ejb-socket" username="ejbcaller" security-realm="ejb-remote-call">
                  <properties>
                      <property name="SSL_ENABLED" value="false"/>
                  </properties>
              </remote-outbound-connection>
          </outbound-connections>
      </subsystem>

      socket binding associated to the "full" profile

       

       

      <socket-binding-group name="full-sockets" default-interface="public">
          <socket-binding name="ajp" port="8009"/>
          <socket-binding name="http" port="8080"/>
          <socket-binding name="https" port="8443"/>
          <socket-binding name="jacorb" interface="unsecure" port="3528"/>
          <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
          <socket-binding name="messaging" port="5445"/>
          <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
          <socket-binding name="messaging-throughput" port="5455"/>
          <socket-binding name="remoting" port="4447"/>
          <socket-binding name="txn-recovery-environment" port="4712"/>
          <socket-binding name="txn-status-manager" port="4713"/>
          <outbound-socket-binding name="mail-smtp">
              <remote-destination host="localhost" port="25"/>
          </outbound-socket-binding>
          <outbound-socket-binding name="srv2srv-ejb-socket">
              <remote-destination host="localhost" port="4597"/>
          </outbound-socket-binding>
      </socket-binding-group>

       

       

      host.xml

       

       

      <security-realms>
          ....
          <security-realm name="ejb-remote-call">
              <server-identities>
                  <secret value="QGFkbWluMTIz"/>
              </server-identities>
          </security-realm>
      </security-realms>

       

       

      WAR application WEB-INF/jboss-ejb-client.xml

       

       

      <jboss-ejb-client xmlns="urn:jboss:ejb-client:1.2">
          <client-context>
              <ejb-receivers exclude-local-receiver="true">
                  <remoting-ejb-receiver outbound-connection-ref="ejb-outbound-connection"/>
              </ejb-receivers>
          </client-context>
      </jboss-ejb-client>

       

      Claudio

        • 1. Re: jboss remoting fails to authenticate to second server
          Claudio Miranda Apprentice

          remoting subsystem of "full" profile

           

          <subsystem xmlns="urn:jboss:domain:remoting:1.1">
              <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
              <outbound-connections>
                  <remote-outbound-connection name="ejb-outbound-connection" outbound-socket-binding-ref="srv2srv-ejb-socket" username="ejbcaller" security-realm="ejb-remote-call">
                      <properties>
                          <property name="SSL_ENABLED" value="false"/>
                      </properties>
                  </remote-outbound-connection>
              </outbound-connections>
          </subsystem>
          

           

           

          host.xml security realm

           

           

          <security-realm name="ejb-remote-call">
              <server-identities>
                  <secret value="QGFkbWluMTIz"/>
              </server-identities>
          </security-realm>
          

           

          socket binding

           

           

          <socket-binding-group name="full-sockets" default-interface="public">
              <socket-binding name="ajp" port="8009"/>
              <socket-binding name="http" port="8080"/>
              <socket-binding name="https" port="8443"/>
              <socket-binding name="jacorb" interface="unsecure" port="3528"/>
              <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
              <socket-binding name="messaging" port="5445"/>
              <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
              <socket-binding name="messaging-throughput" port="5455"/>
              <socket-binding name="remoting" port="4447"/>
              <socket-binding name="txn-recovery-environment" port="4712"/>
              <socket-binding name="txn-status-manager" port="4713"/>
              <outbound-socket-binding name="mail-smtp">
                  <remote-destination host="localhost" port="25"/>
              </outbound-socket-binding>
              <outbound-socket-binding name="srv2srv-ejb-socket">
                  <remote-destination host="localhost" port="4597"/>
              </outbound-socket-binding>
          </socket-binding-group>
          
          • 2. Re: jboss remoting fails to authenticate to second server
            Claudio Miranda Apprentice

            Added the following property to remote-outbound-connection, but it fails with the same error

             

             

            <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
            
            • 3. Re: jboss remoting fails to authenticate to second server
              Claudio Miranda Apprentice

              Solved the issue. The HEX password at application-users.properties was wrong. Now let me explain why it was wrong; perhaps it helps others.

               

              When I started configuring this domain, add-user.sh was invoked to create the user ejbcaller. However, after some days I just forgot what the password was, so I invoked add-user.sh again and typed a different username, then I went to the file and renamed whatever username to ejbcaller.

               

              The password format is explained in the add-user.sh script

              # The format of this realm is as follows: -

              # username=HEX( MD5( username ':' realm ':' password))

               

              Also you can invoke

               

              java -classpath /opt/jboss-eap-6.1/modules/system/layers/base/org/jboss/sasl/main/jboss-sasl-1.0.3.Final-redhat-1.jar org/jboss/sasl/util/UsernamePasswordHashUtil <username> [realm name] <password>

               

              That is, check the password, jboss will not tell you if the password is wrong.

               

              Claudio
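
Added example, not part of the original posts and not JBoss code: a Python check that the password in the outbound connection's `<secret value>` hashes to the entry stored for the user in application-users.properties, using the HEX(MD5(username ':' realm ':' password)) format quoted above. It assumes the secret is the base64-encoded password and that the target realm is named ApplicationRealm; the function names and all sample data are constructed for illustration.

```python
import base64
import hashlib
import hmac


def realm_hash(username, realm, password):
    """HEX(MD5(username ':' realm ':' password)), the format quoted from add-user.sh."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def parse_users(properties_text):
    """Return {username: hex_hash} from application-users.properties content."""
    users = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        name, _, value = line.partition("=")
        users[name.strip()] = value.strip().lower()
    return users


def secret_matches(properties_text, username, realm, secret_b64):
    """True if the base64 secret hashes to the entry stored for username."""
    stored = parse_users(properties_text).get(username)
    if stored is None:
        return False
    password = base64.b64decode(secret_b64).decode("utf-8")
    return hmac.compare_digest(stored, realm_hash(username, realm, password))


# Constructed sample data (assumptions, not values from the thread).
REALM = "ApplicationRealm"
PASSWORD = "Example-Pass1!"
SECRET = base64.b64encode(PASSWORD.encode()).decode()

# Entry generated for ejbcaller itself.
GOOD_FILE = f"# constructed sample\nejbcaller={realm_hash('ejbcaller', REALM, PASSWORD)}\n"
# Entry generated for another username, then the key renamed by hand to ejbcaller.
RENAMED_FILE = f"ejbcaller={realm_hash('tmpuser', REALM, PASSWORD)}\n"

if __name__ == "__main__":
    print("correct entry:", secret_matches(GOOD_FILE, "ejbcaller", REALM, SECRET))
    print("renamed entry:", secret_matches(RENAMED_FILE, "ejbcaller", REALM, SECRET))
```

Because the username and realm are part of the hashed string, a hand-renamed entry fails even when the password itself is correct, and the client only sees the generic SaslException shown in the log.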