2 Replies Latest reply on Apr 17, 2018 7:52 AM by Jorith van den Heuvel

    Active-mq messaging with elytron on wildfly 11

    Nikhil Bhaskar Newbie

      We are currently migrating from wildfly 10 to wildfly 11.

       

      We currently have passwords stored in vault and we are accessing as below for active mq.

       

      <subsystem xmlns="urn:jboss:domain:messaging-activemq:2.0">

      <server name="default">

      ....

      <http-connector name="http-connector" endpoint="http-acceptor" socket-binding="httpsamq">

      <param name="ssl-enabled" value="true"/>

      <param name="keyStorePath" value="${jboss.server.config.dir}\keystoreName/>

      <param name="keyStorePassword" value="${VAULT::ssl::key-pass::1}"/>

      </http-connector>

      ...

      ...

      <http-acceptor name="http-acceptor" http-listener="httpsamq">

      <param name="ssl-enabled" value="true"/>

      <param name="keyStorePath" value="${jboss.server.config.dir}\keystoreName"/>

      <param name="keyStorePassword" value="${VAULT::ssl::ssl-pass::1}"/>

      </http-acceptor> 

      ...

      ...

      </server>

      </subsystem>

       

      We are getting rid of vault, so we have started to migrate to elytron. We have created credential-store and added a password with an alias keystore-password into it . 

      What i need to know is is there a way for me to retrieve and use the keyStorePassword from elytron credential-store instead of vault. What are my options here?

      Is there any documentation i can check?.

       

        • 1. Re: Active-mq messaging with elytron on wildfly 11
          Martin Choma Master

          Credential store strings can be currently used only in specialized "credential-reference" attributes. keyStorePassword is not such case.

           

          This is known issue as Elytron integration in this area is not complete.See https://issues.jboss.org/browse/EAP7-683

          http-acceptor part can be solved by configuring Undertow using Elytron ssl context which is aware of credential store.

           

          Can you elaborate your use case. Are you trying to configure 2-way SSL between client and server? Where is your client located? Is it in same WF instance/another WF instance/standalone app? What are you expecting vault role is here? Most probably vault expression is resolved at server boot and client gets object with plain password over network, anyway.

          • 2. Re: Active-mq messaging with elytron on wildfly 11
            Jorith van den Heuvel Newbie

            We have a similar issue regarding a Websphere MQ resource adapter. Our current configuration looks like below:

             

            <subsystem xmlns="urn:jboss:domain:resource-adapters:5.0">

                <resource-adapters>

                    <resource-adapter id="wmq.jmsra.rar">

                        <archive>

                            wmq.jmsra.rar

                        </archive>

                        <transaction-support>LocalTransaction</transaction-support>

                        ...

                        <connection-definitions>

                            <connection-definition class-name="com.ibm.mq.connector.outbound.ManagedConnectionFactoryImpl" jndi-name="java:/jboss/jms/wmq/connectionFactory" use-java-context="true" pool-name="MQConnectionFactoryPool">

                                ...

                                <config-property name="password">

                                    ${VAULT::some_vault::password_websphere_mq::1}

                                </config-property>

                                ...

                        </connection-definitions>

                    </resource-adapter>

                </resource-adapters>

            </subsystem>

             

            I think it's not possible to add a credential reference here instead of the VAULT string. Since I cannot view the EAP7-683 issue: will this use case be supported in a future version?