6 Replies Latest reply on Nov 1, 2018 2:15 AM by Martin Choma

    https-remoting with customized TrustManager broken after upgrade to WildFly 11?

    yashendra chandrakar Newbie

      We are securing http-remoting by using self-signed certificate and our custom TrustManager. To point to our TrustManager and truststore dynamically at wildfly start, we have following code in a startup ejb class:

       

      Security.addProvider(new MySecurityProvider());          

      Security.setProperty("ssl.KeyManagerFactory.algorithm", ......);

      Security.setProperty("ssl.TrustManagerFactory.algorithm", .....);

      System.setProperty("javax.net.ssl.keyStoreType", .....);

      System.setProperty("javax.net.ssl.trustStoreType", .....);

       

      It all work fine with WindFly 10 and it uses out trustmanager but exectly same code and configuration doesnt work with WildFly 11.

      Despite setting all the system and security properties mentioned above, WildFly 11 uses default JKS truststore and jdk's default jre\lib\security\cacerts file.

      It appear the subsystem from WildFly 11(and WildFly 12) doesn't honor the system and security properties settings above?

       

      WildFly will point to my truststore file if I have specified trust-store-path as part of http-acceptor

      <http-acceptor name="http-acceptor" http-listener="default-ssl">

         <!-- Despite setting system property javax.net.ssl.trustStoreType at startup, wildfly 11 and later useses JKS truststore and default jre\lib\security\cacerts-->
         <param name="trust-store-path" value="${jboss.server.config.dir}/keystore.jks"/>

         <param name="trust-store-password" value="......"/>

      </http-acceptor>

       

      But I want it to point to my TrustManagerFactory, and TrustManager.

       

      Any help is appreciated.

      This is the stacktrace from WildFly 12

       

      javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.net.ssl.SSLHandshakeException: General SSLEngine problem]

      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)

      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)

      at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:105)

      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)

      at org.wildfly.naming.client.remote.RemoteContext.lambda$lookupNative$0(RemoteContext.java:189)

      at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:222)

      at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)

      at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:188)

      at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:74)

      at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:60)

      at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:144)

      at javax.naming.InitialContext.lookup(InitialContext.java:417)

      at javax.naming.InitialContext.lookup(InitialContext.java:417)

      ...........

      ...........

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

      at java.lang.reflect.Method.invoke(Method.java:498)

      at org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)

      at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:90)

      at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:101)

      at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)

      at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:273)

      at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:330)

      at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:238)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)

      at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)

      at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)

      at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)

      at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)

      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)

      at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)

      at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)

      at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)

      ...............

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

      at java.lang.reflect.Method.invoke(Method.java:498)

      at org.jboss.weld.util.reflection.Reflections.invokeAndUnwrap(Reflections.java:433)

      at org.jboss.weld.bean.proxy.EnterpriseBeanProxyMethodHandler.invoke(EnterpriseBeanProxyMethodHandler.java:127)

      at org.jboss.weld.bean.proxy.EnterpriseTargetBeanInstance.invoke(EnterpriseTargetBeanInstance.java:56)

      at org.jboss.weld.bean.proxy.InjectionPointPropagatingEnterpriseTargetBeanInstance.invoke(InjectionPointPropagatingEnterpriseTargetBeanInstance.java:67)

      at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:100)

      ......................

      at java.util.concurrent.Executors$RunnableAdapter.call$$$capture(Executors.java:511)

      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)

      at java.util.concurrent.FutureTask.run$$$capture(FutureTask.java:266)

      at java.util.concurrent.FutureTask.run(FutureTask.java)

      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

      at java.lang.Thread.run(Thread.java:748)

      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)

      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)

      at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)

      at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)

      at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)

      at org.xnio.ssl.JsseSslConduitEngine.engineWrap(JsseSslConduitEngine.java:353)

      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:310)

      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)

      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)

      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)

      at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)

      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)

      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)

      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)

      at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)

      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)

      at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

      at ...asynchronous invocation...(Unknown Source)

      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:570)

      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:536)

      at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)

      at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)

      at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:487)

      at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:433)

      at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)

      at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)

      at java.security.AccessController.doPrivileged(Native Method)

      at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)

      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)

      at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)

      ... 93 more

      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)

      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)

      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)

      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)

      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)

      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)

      at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)

      at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)

      at java.security.AccessController.doPrivileged(Native Method)

      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)

      at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:543)

      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:314)

      at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)

      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)

      at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)

      at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)

      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)

      at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)

      at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)

      at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)

      at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)

      at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)

      at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)

      at sun.security.validator.Validator.validate(Validator.java:262)

      at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)

      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)

      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)

      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)

      ... 18 more