1 Reply Latest reply on Feb 24, 2014 1:30 PM by wdfink

    Authentication problems in remote ejb call from clustered app to non-clustered app

    danielnuss

      Edit: I moved this discussion to JBoss AS 7 Development because I got no answers in the EAP project and I don't think that this is EAP-related. Rather, I think I misunderstand something fundamental when making an EJB remote call from an application deployed in a clustered environment to a non-clustered JBoss instance. Any help would be greatly appreciated.

       

      I have the following setup:

       

      - clustered application, deployed on two JBoss EAP 6.1 cluster standalone instances on two separate machines

      - clustered stateless session bean

      - remote connection to a third, non-clustered JBoss EAP 6.1, running on the first of the two mentioned physical machines

      - jboss-ejb-client.xml:

          <ejb-receivers>
            <remoting-ejb-receiver outbound-connection-ref="remote-connection-name" />
          </ejb-receivers>

       

      which references a defined remote connection inside standalone-full-ha.xml:

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
          <outbound-connections>
              <remote-outbound-connection name="remote-connection-name" outbound-socket-binding-ref="remote-connection" username="user_of_remote_connection" security-realm="security_realm_of_remote_connection">
                  <properties>
                      <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
                      <property name="SSL_ENABLED" value="false"/>
                  </properties>
              </remote-outbound-connection>
          </outbound-connections>
      </subsystem>

       

       

      security realm for remote connection:

      <management>
          ....
          <security-realms>
              <security-realm name="security_realm_of_remote_connection">
                  <server-identities>
                      <secret value="someSecretValue...="/>
                  </server-identities>
              </security-realm>
          </security-realms>
      </management>

       

      security-domain for ejb:

      <subsystem xmlns="urn:jboss:domain:security:1.2">
          <security-domains>
              ...
              <security-domain name="jboss-ejb-policy" cache-type="default">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
          </security-domains>
      </subsystem>

       

      When I deploy the application on both JBoss instances, I get the following error:

      10:13:18,236 ERROR [org.jboss.remoting.remote.connection] (Remoting "apps1-live" read-1) JBREM000200: Remote connection failed: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
      10:13:18,239 INFO  [org.jboss.as.ejb3.remote.RemotingConnectionClusterNodeManager] (ejb-client-cluster-node-connection-creation-5-thread-3) Could not create a connection for cluster node apps2-live in cluster ejb: java.lang.RuntimeException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

       

      When I add the following to jboss-ejb-client.xml (as described in "AS7 clustering and remote outbound connection issue"):

          <clusters>
            <cluster name="ejb" security-realm="security_realm_of_remote_connection" username="user_of_remote_connection" >
              <connection-creation-options>
                <property name="org.xnio.Options.SSL_ENABLED" value="false" />
                <property name="org.xnio.Options.SASL_POLICY_NOANONYMOUS" value="false" />
              </connection-creation-options>
            </cluster>
          </clusters>

       

      I get the following error:

      12:42:28,420 ERROR [org.jboss.remoting.remote.connection] (Remoting "apps1-live" read-1) JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
      12:42:28,422 INFO  [org.jboss.as.ejb3.remote.RemotingConnectionClusterNodeManager] (ejb-client-cluster-node-connection-creation-4-thread-3) Could not create a connection for cluster node apps2-live in cluster ejb: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

       

      However, the clustered stateless session bean is not even using the defined remote connection!

      When I deploy the application without making any stateless session bean clustered, the error does not occur; it happens the moment I deploy the application (with a clustered stateless session bean) on the second JBoss instance.

      I am aware of the fact that I have to configure a remote connection from a non-clustered JBoss (which serves as a kind of client in this scenario) to a clustered EJB, but in my opinion, in my case it is the other way round: I want to make a remote EJB call from the clustered application to another, non-clustered application.

       

      Can someone explain to me what is going on here? How can I define the authentication for this kind of EJB remote call cluster configuration?

      Edit: It seems as if the two cluster nodes want to communicate with each other during deployment and as if something goes wrong when they try to do so. It doesn't matter (meaning I get exactly the same results) if I change the host of the outbound-socket-binding to something meaningless, like:

      <outbound-socket-binding name="remote-connection">
        <remote-destination host="abcdefgh" port="11447"/>
      </outbound-socket-binding>

        • 1. Re: Authentication problems in remote ejb call from clustered app to non-clustered app
          wdfink

          If the target EJB is deployed as non-clustered, there is no need to add the <clusters><cluster> elements.

          The reason here is that the self-reference cluster node apps2-live in cluster ejb is a cluster and therefore the configuration is needed for this.

          But if there is no need to invoke EJBs via remote-interface in its own cluster, it is possible to exclude this from the ejb-client-context by using

               <ejb-receivers exclude-local-receiver="true">

          within the jboss-ejb-client.xml configuration.
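
The descriptor the reply above points to, written out in full as an added example that is not part of the original thread. It combines the `remoting-ejb-receiver` from the question with the `exclude-local-receiver` attribute from the reply; the root element, namespace version and `client-context` wrapper are assumptions, since the thread shows only the `ejb-receivers` fragment.

```xml
<!-- Added example: jboss-ejb-client.xml for the clustered application.
     Assumed (not shown in the thread): root element, namespace version,
     and the client-context wrapper. -->
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.2">
    <client-context>
        <!-- From the reply: exclude-local-receiver="true" leaves the node's own
             clustered deployment out of the EJB client context. -->
        <ejb-receivers exclude-local-receiver="true">
            <!-- From the question: the outbound connection to the third,
                 non-clustered server defined in standalone-full-ha.xml. -->
            <remoting-ejb-receiver outbound-connection-ref="remote-connection-name"/>
        </ejb-receivers>
        <!-- No <clusters> element: per the reply it is not needed when the
             target EJB is deployed as non-clustered. -->
    </client-context>
</jboss-ejb-client>
```

The referenced outbound connection keeps the properties from the question, so with `SSL_ENABLED` set to `false` the calls to the third server are not carried over SSL.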