2 Replies Latest reply on Jan 14, 2019 10:36 AM by gfo44

    Vault password in domain mode (JBoss EAP 7)

    gfo44

      Hi,

       

      I have a JBoss  EAP 7.0 in domain mode. I have a domain controller with several managed hosts.

      Considering that, I am trying to install "vault passwords".

       

      What I am currently doing (via Shell scripts):

      • create keystore + vault
      • put passwords in the vault
      • add the vault to the host configuration (via /host=<MYHOST>/core-service=vault:add)
      • add the vault to the host master configuration (via /host=master/core-service=vault:add)
        • => In the doc I didn't find any mention to that. Do we need to have vault conf in both hosts (domain controller and managed host) ?
      • push passwords to server groups, profiles, etc. (datasouces...)
      • try to start server-group
        • => I have a failure :

      /server-group=<MYSERVERGROUP>:start-servers

      {

          "outcome" => "failed",

          "failure-description" => {"host-failure-descriptions" => {"<MYHOST>" => "WFLYCTL0158: java.lang.SecurityException: WFLYSRV0228: security exception"}},

          "rolled-back" => true,

          "result" => {}

      }

        • I try to reload the configuration of my hosts as follow:

       

      /host=<MYHOST>:reload(use-current-host-config=true)

      /host=master:reload(use-current-host-config=true, use-current-domain-config=true)

       

        • after a while, my host <MYHOST> disepear in my domain controller (maybe because of the reload operation...) then nothing can work
          • => Do I need to reload my hosts to avoid "security exception"? If no, what can I do?

       

      Thanks a lot for your help.

      Regards

        • 1. Re: Vault password in domain mode (JBoss EAP 7)
          mchoma

          Seems like vault misconfiguration. There are several similar posts out there.

           

          Search for exception in log. Try to mage working some simple example - e.g. vault in standalone mode. When you will ensure vault configuration is ok. Try to use one vault password in domain mode. (Yes you need vault configuration on all controllers)

          • 2. Re: Vault password in domain mode (JBoss EAP 7)
            gfo44

            Hello,

            I still can't make it work.

             

            Can you please tell me if the following scenario seems good for you. Just an information before that, I am in domain mode. My master is installed and running. When I install my slaves, they push their configuration to the master. Then, for example, to install a slave, I need to run a bash script which will connect to the domain controller and execute JBoss command-line instruction.

             

            1/ During the installation of the domain controller, create the vault file.

            2/ Push the configuration to the domain controller (/host=master/core-service=vault:add[...])

            3/ During the installation of one of my slaves, create the vault file (a new one, not a duplication of the vault from the domain controller)

            4/ Push the configuration to the domain controller (/host=<MY SLAVE HOST>/core-service=vault:add[...])

            5/ Add passwords to my slaves vaults

            6/ Push passwords to my domain controller's vault (I run a bash script on my domain controller through a SSH connection, then my master keystore knows all the passwords and the slaves only passwords they need to know)

            7/ Push my vaults in my domain controller's configuration (for example: profile=SLAVE_PROFILE/subsystem=datasources/xa-data-source=MY_DS:write-attribute(name=password, value="${VAULT::vb::password::1}"))

            8/ I try to access my slave's app and I have this in logs:

             

            @

            ang.SecurityException: WFLYSRV0228: security exception

                    at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:118)

                    at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)

                    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:331)

                    at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:240)

                    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:142)

                    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)

                    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)

                    at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:580)

                    at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:539)

                    at org.jboss.as.host.controller.ManagedServerBootCmdFactory.resolveExpressions(ManagedServerBootCmdFactory.java:178)

                    at org.jboss.as.host.controller.ManagedServerBootCmdFactory.<init>(ManagedServerBootCmdFactory.java:105)

                    at org.jboss.as.domain.controller.operations.SyncServerStateOperationHandler$1.execute(SyncServerStateOperationHandler.java:93)

                    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)

                    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)

                    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)

                    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)

                    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)

                    at org.jboss.as.controller.AbstractControllerService.internalExecute(AbstractControllerService.java:408)

                    at org.jboss.as.host.controller.DomainModelControllerService.access$900(DomainModelControllerService.java:179)

                    at org.jboss.as.host.controller.DomainModelControllerService$InternalExecutor.execute(DomainModelControllerService.java:1238)

                    at org.jboss.as.host.controller.RemoteDomainConnectionService.applyRemoteDomainModel(RemoteDomainConnectionService.java:572)

                    at org.jboss.as.host.controller.RemoteDomainConnectionService.access$1100(RemoteDomainConnectionService.java:131)

                    at org.jboss.as.host.controller.RemoteDomainConnectionService$2.applyDomainModel(RemoteDomainConnectionService.java:515)

                    at org.jboss.as.host.controller.RemoteDomainConnection.applyDomainModel(RemoteDomainConnection.java:311)

                    at org.jboss.as.host.controller.RemoteDomainConnection$RegisterSubsystemsRequest$1.execute(RemoteDomainConnection.java:454)

                    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)

                    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)

                    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

                    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

                    at java.lang.Thread.run(Thread.java:745)

                    at org.jboss.threads.JBossThread.run(JBossThread.java:320)

            Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer

                    at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)

                    at org.jboss.as.server.services.security.RuntimeVaultReader.getValue(RuntimeVaultReader.java:146)

                    at org.jboss.as.server.services.security.RuntimeVaultReader.getValueAsString(RuntimeVaultReader.java:126)

                    at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:116)

                    ... 30 more

            Caused by: java.lang.IllegalArgumentException: Null input buffer

                    at javax.crypto.Cipher.doFinal(Cipher.java:2161)

                    at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)

                    at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)

                    ... 33 more

             

            9/ I have read that we need to restart the domain controller because if we add vaults "on the fly", they are not loaded in memory: so I restart my domain controller

            10/ Here, nothing works: my slave host configuration is gone (I can't do /host=<MY SLAVE HOST> anymore)

             

            Thanks for your help.

            Regards