6 Replies Latest reply on Apr 20, 2018 7:17 PM by Vamshi Krishna

    jboss cli without specifying username/password

    Chris LaMendola Newbie

      Is there a way to run the ./jboss-cli.sh script and have it read the username/password from a properties file? Basically I want to do ./jboss-cli.sh --controller=<DC_fqdn:port> --properties=user.properties, where user.properties is a file that has a username & hashed password.

       

      The RedHat documentation I've found so far hasn't specified how to do this, and I don't see how else to execute cli scripts remotely. If there's another way of accomplishing this, I'd love to know...

       

       

      Thanks!

        • 1. Re: jboss cli without specifying username/password
          Darran Lofthouse Master

          Not via properties no.

           

          Double check the jboss-cli.xml; I think we had some options there to specify a username and password, including vault integration, at some point, but it would need checking to see which versions it was added to.

           

          Alternatively, using anything from WildFly 11 onwards, WildFly Elytron has been integrated, so the CLI can be used for a full Elytron authentication client configuration including credential store integration for usernames and passwords.

           

          There are other options also available: you could enable CLIENT_CERT style authentication so unattended clients can authenticate using certificates instead of usernames and passwords. This can be enabled in parallel while still supporting username / password authentication for administrators.

          • 2. Re: jboss cli without specifying username/password
            Prageetika Sharma Newbie

            It's not possible to pass a password from any property file while executing a CLI command through the jboss-cli.sh script. But you can use a custom shell script which will read the password from a properties file and use that password in the cli command for authentication.

             

            You can use a script similar to the one below:

             

            =========
            #!/bin/sh

            # Read a property from the properties file (key=value lines).
            # $1 is the key; the value (everything after the first '=') is stored in property_value.
            getProperty()
            {
              property_key="$1"
              property_value=`grep "^${property_key}=" /abc/users.properties | cut -d'=' -f2-`
            }

            # Define the management interface IP address. With the default configuration the management interface is bound to localhost.
            JBOSS_IP=127.0.0.1
            JBOSS_HOME="/path_to_jboss/"
            USER="admin"

            # Look up the password stored under the user name.
            getProperty "$USER"
            #echo "Property_value" $property_value

            "$JBOSS_HOME/bin/jboss-cli.sh" --connect --controller="$JBOSS_IP:9990" --user="$USER" --password="$property_value" --command="/subsystem=logging:read-resource"
            =========

            • 3. Re: jboss cli without specifying username/password
              Chris LaMendola Newbie

              Hey Darran,

               

              Thanks for the reply. Technically this is for EAP 7.1.1. Does this info still apply? CLIENT_CERT is out of the question since I need to tie any config changes to an actual user.

               

              I realize this forum is for AS, but to be honest I haven't found anything yet for EAP and I don't want to open a case just for this. 90% of the stuff on Google for JBoss seems to be AS related, and any documentation I do find for EAP is not very helpful.

              • 4. Re: jboss cli without specifying username/password
                Darran Lofthouse Master

                As this is for EAP 7.1.1, I would suggest you do open a support case; this is the kind of situation our support team should be able to assist you with.

                 

                But to answer your question: yes, WildFly Elytron was integrated in EAP 7.1.0.GA, so the WildFly Elytron authentication client configuration is an option for the CLI. The client side configuration is independent of the server side configuration, so you can start to use the new configuration on the client even if the server side is still using the legacy security realms.

                 

                FYI, even with CLIENT_CERT auth we can still map certificates to individuals. This does get easier with WildFly Elytron server side configuration as we have more flexibility, but as I say, a solution exists for your original problem: to store the username and password in a configuration file to avoid the need for prompts and user interaction when executing scripts.
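
Added example, not written by any participant in this thread: a wrapper in the spirit of the script in reply 2 that feeds the Elytron client configuration described in replies 1 and 4, so the password is never passed as `--password=` (where it is visible in the local process list). The function names, the output path, the `urn:elytron:1.0` namespace (assumed for the WildFly 11 / EAP 7.1 generation) and the `-Dwildfly.config.url` invocation in the closing comment are assumptions to check against your release.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, paths and the sample
# invocation are assumptions; verify the XML namespace for your release.

# Print the value stored under an exact key in a key=value file.
# Fails if the file is accessible to group or others, or the key is absent.
read_secret() {
  file=$1; key=$2
  mode=$(ls -ld "$file" 2>/dev/null | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "refusing $file: accessible beyond its owner" >&2
    return 3
  fi
  # Match "key=" at line start only; keep everything after the first '='.
  awk -v k="$key" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); ok = 1; exit }
    END { exit !ok }' "$file"
}

# Escape a string for use inside a double-quoted XML attribute.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Write an Elytron client configuration holding the credentials, mode 0600.
write_client_config() {
  out=$1; user=$(xml_escape "$2"); pass=$(xml_escape "$3")
  ( umask 077; rm -f "$out"; cat > "$out" <<EOF
<configuration>
  <authentication-client xmlns="urn:elytron:1.0">
    <authentication-rules>
      <rule use-configuration="cli-user"/>
    </authentication-rules>
    <authentication-configurations>
      <configuration name="cli-user">
        <set-user-name name="$user"/>
        <credentials><clear-password password="$pass"/></credentials>
      </configuration>
    </authentication-configurations>
  </authentication-client>
</configuration>
EOF
  )
}

# Usage (not executed here):
#   pw=$(read_secret /abc/users.properties admin) &&
#   write_client_config "$HOME/cli-auth.xml" admin "$pw" &&
#   "$JBOSS_HOME/bin/jboss-cli.sh" --connect --controller=127.0.0.1:9990 \
#     -Dwildfly.config.url="$HOME/cli-auth.xml" --command="/subsystem=logging:read-resource"
```

The generated file still holds a clear-text password, so it needs the same owner-only protection as the properties file; the credential store integration mentioned in reply 1 removes that as well.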

                • 5. Re: jboss cli without specifying username/password
                  Chris LaMendola Newbie

                  Good deal. I'll take a look at the Elytron config and see what I can do.

                   

                  Thanks for the help!

                  • 6. Re: jboss cli without specifying username/password
                    Vamshi Krishna Newbie

                    You don’t need to pass any arguments in order to connect to jboss-cli except for connect (./jboss-cli.sh -c). You can customize the jboss-cli.xml to not ask for controller and IP address information.

                     

                    What does your cli.xml look like?