2 Replies Latest reply on Apr 27, 2017 5:36 AM by nurubhas s

    host controller was not able to connect Domain controller After install the SSL in Management console.

    nurubhas s Newbie

      Hi All,

       

      I have faced small issue in my Jboss EAP environment, After configuring SSL for Management console.

       

      I have two VM'S (RHE Linux 6.4).names as

       

      1) Server1.example.com

      2) Server2.example.com

       

       

           I have installed JbossEAP 6.3 in Server1 and Server2 , I have choosen Server1 as Domain controller & Server2  as a Slave Machine.

       

           I have configured domain & host.xml files. So both server1 & server2 running as horizontal cluster setup without any trouble & I have test cluster functionality as well.

       

      Issue came here:

       

      I have installed a self signed certificate for Management console in Server1 & it is accessible with https://Server1IP:9443 without failure

       

      when i am starting host controller process in Slave Machine(server2)... getting some exception related to SSL failure.

       

      Reason: Slave machine is not able to communicate domain controller after install the SSL certificates for management console.

       

      ERROr

      [Host Controller ]  JBAS010900 : Could not connect to remote domain controller at remote://remoteIP:9999 -- java.lang.IllegalStateException : JBAS016509: Unable to connect due to SSL failure.

       

      I am sharing here keystore details :

       

      [jbossas@server1 configuration]$ keytool -list -keystore domain.jks

      Enter keystore password:

      Keystore type: JKS

      Keystore provider: SUN

      Your keystore contains 3 entries

      slave2, Apr 26, 2017, trustedCertEntry,

      Certificate fingerprint (SHA1): F0:D9:44:2D:CA:25:1D:F5:65:7C:58:27:21:35:D7:62:ED:C7:45:A7

      slave1, Apr 26, 2017, trustedCertEntry,

      Certificate fingerprint (SHA1): 9B:91:C8:DF:20:D6:60:A0:28:F4:48:D8:37:72:95:68:FD:68:F1:59

      domain, Apr 26, 2017, PrivateKeyEntry,

      Certificate fingerprint (SHA1): B9:91:37:99:48:DC:B5:C3:94:1E:6D:86:AB:A8:66:E3:AB:34:31:58

       

       

      [jbossas@server1 configuration]$ keytool -list -keystore slave1.jks

      Enter keystore password:

      Keystore type: JKS

      Keystore provider: SUN

      Your keystore contains 2 entries

      slave1, Apr 26, 2017, PrivateKeyEntry,

      Certificate fingerprint (SHA1): 9B:91:C8:DF:20:D6:60:A0:28:F4:48:D8:37:72:95:68:FD:68:F1:59

      domain, Apr 26, 2017, trustedCertEntry,

      Certificate fingerprint (SHA1): B9:91:37:99:48:DC:B5:C3:94:1E:6D:86:AB:A8:66:E3:AB:34:31:58

       

       

      Domain Controller-- host.xml

       

      <security-realm name="ManagementRealm">

                  <server-identities>

                  <ssl>

                      <keystore path="/opt/jboss/jboss-eap-6.3/domain/configuration/domain.jks" keystore-password="password" alias="domain"/>

                      </ssl>

                      </server-identities>

                      <authentication>

                          <truststore path="domain.jks" keystore-password="password" />

                          <local default-user="$local" skip-group-loading="true"/>

                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>

                      </authentication>

                      <authorization map-groups-to-roles="false">

                          <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>

                      </authorization>

       

      And in slave machine I have copied the domain.jks & slave1.jks certificates to slave(server2 machine) same path & I have configured the same in slave host.xml

      In slave1 host.xml file contains below configuration

       

      <security-realm name="ManagementRealm">
        
      <server-identities>

           <secret value="base 64 secret value generated at the time of slave user creation" />
        
      <ssl>
        <keystore path="
      slave1.jks" keystore-password="password" alias="slave1"/>
        
      </ssl>
        
      </server-identities>
          

      <authentication>

               <truststore path="/opt/jboss/jboss-eap-6.3/domain/configuration/domain.jks" keystore-password="password" relative-to="jboss.domain.config.dir" />

                <local default-user="$local" skip-group-loading="true"/>

                 <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>

      </authentication>

       

       

      if I am not installed SSL certificate on Management console, everything going well... when i configured SSL for management console problem occurred.

       

      Can you please suggest me... what other configuration required in slave host.xml file to communicate domain controller process over SSL.

        • 1. Re: host controller was not able to connect Domain controller After install the SSL in Management console.
          Ken Wills Newbie

          I can make this happen if I don't provide a truststore on the client, but something like the below works fine. You'd want this to be the same on the master & slave.

           

                    <security-realm name="CertificateRealm">

                          <server-identities>

                              <ssl>

                                  <keystore path="/ssl/configuration/server.keystore" keystore-password="#####" alias="server"/>

                              </ssl>

                          </server-identities>

                          <authentication>

                              <truststore path="/ssl/configuration/server.truststore" keystore-password="#####"/>

                              <local default-user="$local"/>

                              <properties path="/ssl/configuration/users.properties"/>

                          </authentication>

                      </security-realm>

           

          Then you also need to ensure that the realm being referenced in the slaves domain-controller element also matches.

           

          See here for more info (this is for EAP7, so just ignore any references to protocol, the 6.3 domain connector doesn't support that)

           

          Chapter 3. Securing a Managed Domain - Red Hat Customer Portal

          • 2. Re: host controller was not able to connect Domain controller After install the SSL in Management console.
            nurubhas s Newbie

            Hi Ken,

             

            I have not created any new Security Realm like as Management. I have configured all certificates within the Management realm.

             

            any how.. Issue has been resolved.

             

            Actions has been taken as like below.

             

            I have given complete Certificate path in slave host.xml , After that I have restarted..,,seems they connected to Domain controller.

             

            like as below.

             

            <ssl>
              <keystore path=
            "/opt/jboss/jboss-eap-6.3/domain/configuration/slave1.jks" keystore-password="password" alias="slave1"/>
              
            </ssl> 

             

             

             

             

             

             

             

            Thanks for suggestion