2 Replies Latest reply on Oct 22, 2018 10:02 AM by yashendra chandrakar

    https-remoting with customized TrustManager broken after upgrade to WildFly 11?

    yashendra chandrakar Newbie

      We are securing http-remoting by using a self-signed certificate and our custom TrustManager. To point to our TrustManager and truststore dynamically at WildFly start, we have the following code in a startup EJB class:

      Security.addProvider(new MySecurityProvider());
      Security.setProperty("ssl.KeyManagerFactory.algorithm", ......);
      Security.setProperty("ssl.TrustManagerFactory.algorithm", .....);
      System.setProperty("javax.net.ssl.keyStoreType", .....);
      System.setProperty("javax.net.ssl.trustStoreType", .....);

      It all works fine with WildFly 10 and it uses our TrustManager, but exactly the same code and configuration doesn't work with WildFly 11.

      Despite setting all the system and security properties mentioned above, WildFly 11 uses the default JKS truststore and the JDK's default jre\lib\security\cacerts file.

      It appears the subsystem in WildFly 11 (and WildFly 12) doesn't honor the system and security property settings above?

       

      WildFly will point to my truststore file if I have specified trust-store-path as part of the http-acceptor:

      <http-acceptor name="http-acceptor" http-listener="default-ssl">
         <!-- Despite setting system property javax.net.ssl.trustStoreType at startup, WildFly 11 and later uses the JKS truststore and default jre\lib\security\cacerts -->
         <param name="trust-store-path" value="${jboss.server.config.dir}/keystore.jks"/>
         <param name="trust-store-password" value="......"/>
      </http-acceptor>

       

      But I want it to point to my TrustManagerFactory, and TrustManager.

       

      Any help is appreciated.

      This is the stack trace from WildFly 12:

       

      javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.net.ssl.SSLHandshakeException: General SSLEngine problem]
      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
      at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:105)
      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
      at org.wildfly.naming.client.remote.RemoteContext.lambda$lookupNative$0(RemoteContext.java:189)
      at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:222)
      at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
      at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:188)
      at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:74)
      at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:60)
      at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:144)
      at javax.naming.InitialContext.lookup(InitialContext.java:417)
      at javax.naming.InitialContext.lookup(InitialContext.java:417)
      ...........
      ...........
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
      at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:90)
      at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:101)
      at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:273)
      at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:330)
      at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:238)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
      at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)
      at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
      at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)
      at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
      at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
      at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
      ...............
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.jboss.weld.util.reflection.Reflections.invokeAndUnwrap(Reflections.java:433)
      at org.jboss.weld.bean.proxy.EnterpriseBeanProxyMethodHandler.invoke(EnterpriseBeanProxyMethodHandler.java:127)
      at org.jboss.weld.bean.proxy.EnterpriseTargetBeanInstance.invoke(EnterpriseTargetBeanInstance.java:56)
      at org.jboss.weld.bean.proxy.InjectionPointPropagatingEnterpriseTargetBeanInstance.invoke(InjectionPointPropagatingEnterpriseTargetBeanInstance.java:67)
      at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:100)
      ......................
      at java.util.concurrent.Executors$RunnableAdapter.call$$$capture(Executors.java:511)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
      at java.util.concurrent.FutureTask.run$$$capture(FutureTask.java:266)
      at java.util.concurrent.FutureTask.run(FutureTask.java)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
      at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
      at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
      at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
      at org.xnio.ssl.JsseSslConduitEngine.engineWrap(JsseSslConduitEngine.java:353)
      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:310)
      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)
      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)
      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)
      at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)
      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)
      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
      at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
      at ...asynchronous invocation...(Unknown Source)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:570)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:536)
      at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
      at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
      at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:487)
      at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:433)
      at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)
      at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)
      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)
      ... 93 more
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
      at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
      at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:543)
      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:314)
      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)
      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)
      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)
      at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)
      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)
      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)
      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
      at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
      at sun.security.validator.Validator.validate(Validator.java:262)
      at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
      ... 18 more

        • 1. Re: https-remoting with customized TrustManager broken after upgrade to WildFly 11?
          Martin Choma Master

          1. What if you try to set the properties in standalone.conf? The subsystem is initialized earlier than the EJB, so we can eliminate the option that the SSLContext is created early.

          2. Elytron does provide a way of registering a custom trust manager. If an Elytron SSL context can be registered in your scenario (EJB?) then it can be an alternate option.

          • 2. Re: https-remoting with customized TrustManager broken after upgrade to WildFly 11?
            yashendra chandrakar Newbie

            Thanks for the suggestions Martin, but nothing seems to be working so far.

            WildFly does pick up my TrustManager on rare occasions if I keep rebooting it.

            It appears all truststore/trustmanager configurations in the standalone-full.xml file are for file-based keystores.

            I did find this example for configuring a custom trustmanager on Elytron, but the configuration seems incomplete:

            GitHub - hkalina/custom-trustmanager-elytron: Demo: Custom Trust Manager for WildFly (Elytron)

             

            Even specifying the following params for http-connector and https-acceptor didn't help:

             

            <http-acceptor name="http-acceptor" http-listener="default-ssl">
               <param name="trust-store-path" value="${jboss.server.config.dir}/keystore.jks"/>
               <param name="trust-store-password" value="......"/>
            </http-acceptor>

             

            For now I am specifying my truststore file in standalone-full.xml under system-properties, but again this is not what I wanted. I wanted to use my own trustmanager so that I can reload the truststore dynamically if a new certificate is added to the truststore without restarting WildFly; also I wanted to use a database-based truststore, not a file.

            <system-properties>
               <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/keystore.jks"/>
               <property name="javax.net.ssl.trustStorePassword" value="....."/>
            </system-properties>
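One shape for the reloadable, database-backed trust manager the last post asks for, as an added example that is not code from this thread, from WildFly or from Elytron. The Supplier<KeyStore> is an assumption standing in for whatever builds a KeyStore from the trusted certificates (database rows, a file); every check is delegated to the JDK's PKIX trust manager, so the store can be swapped at runtime without a restart and the class can never degrade into a trust-all manager, which is the usual mistake when people "fix" a PKIX path building failure.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Reloadable trust manager: every check is forwarded to a standard PKIX
// X509ExtendedTrustManager built from the KeyStore the supplier returns,
// so a stale or empty store still rejects unknown peers (never trust-all).
public final class ReloadableTrustManager extends X509ExtendedTrustManager {
    private final Supplier<KeyStore> storeSource; // hypothetical: builds a KeyStore from DB rows
    private volatile X509ExtendedTrustManager delegate;

    public ReloadableTrustManager(Supplier<KeyStore> storeSource) throws Exception {
        this.storeSource = storeSource;
        reload();
    }

    // Rebuild the delegate from a fresh KeyStore; the swap is one volatile write, so
    // in-flight handshakes keep the old trust set and new ones see the new one.
    public void reload() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(storeSource.get());
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                delegate = (X509ExtendedTrustManager) tm;
                return;
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509ExtendedTrustManager");
    }

    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkServerTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkClientTrusted(c, a, e); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // SSLContext wired to this trust manager: the object to hand to the remoting client
    // (or to register with Elytron) instead of relying on javax.net.ssl.* JVM properties.
    public SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

Calling reload() after a certificate is added to the store is what replaces the server restart; the thread's own symptom (PKIX path building failed against the default cacerts) is exactly what you see when the remoting layer is still building its own SSLContext from JVM properties rather than from a context like this one.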