0 Replies Latest reply on Jul 7, 2019 3:08 PM by Sam North

    Wildfly 16 Elytron 2-way SSL for mgmt interface in domain mode

    Sam North Newbie

      Hi folks,


      Having some problems trying to configure the above. My target configuration is to have the mgmt interface configured using 2-way SSL via Elytron such that the web-based management console/jboss-cli is accessible via an LDAP login and slave hosts are authenticated by means of their certificate. I've read quite a lot of articles but I can't find a complete solution. I haven't got as far as the LDAP aspect of it yet; I'm having problems trying to get my slave host to authenticate with the master. The error I'm getting on the slave host is:


      Caused by: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (DIGEST-MD5) are supported.


      To get this far I've had to modify the slave domain.bat slightly by adding my truststore to the startup, otherwise I would get "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" errors as I'm only using self-signed certs, although I would have thought my truststore definition would have prevented this.


      "-Djavax.net.ssl.trustStore=%JBOSS_HOME%\domain\configuration\truststore.jks" ^
      "-Djavax.net.ssl.trustStorePassword=truststore-password" ^
      "-Djavax.net.ssl.trustStoreType=PKCS12" ^


      I'm not sure why it thinks "DIGEST-MD5" is the only auth mechanism, given the x500-decoder is the first listed under my sasl-authentication-factory [client-cert-digest] as well as having BASIC listed.


      Any thoughts would be greatly appreciated.


      My config and the log files are attached.


      Some of the articles I've read to get me this far:


      wildfly-core/host-master-ssl-2way-elytron.xml at master · wildfly/wildfly-core · GitHub


      WildFly Elytron Security
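
The jboss-cli sequence below is an added example of the master/slave wiring the post is aiming for; it is not the poster's attached configuration and not taken from the linked wildfly-core sample. All resource names (mgmtKS, mgmtTM, slaveCertRealm, slaveSaslFactory, slaveCSC, slaveAuthCtx, the host names master and slave, the file names and clear-text passwords) are assumptions, and the attribute names should be checked against the Wildfly 16 management model before use. The idea it illustrates is that certificate authentication over the management SASL channel is carried by the EXTERNAL mechanism: the master's sasl-authentication-factory has to offer EXTERNAL backed by a realm keyed on the certificate's decoded principal, and the slave has to select EXTERNAL and present its client certificate through an Elytron client-ssl-context rather than through a JVM-wide javax.net.ssl.trustStore property.

```jboss-cli
# ---- master host controller (host.xml) ----
# Server key/trust material for the management interface (file names assumed).
/host=master/subsystem=elytron/key-store=mgmtKS:add(path=master.keystore.p12, relative-to=jboss.domain.config.dir, type=PKCS12, credential-reference={clear-text=keystore-password})
/host=master/subsystem=elytron/key-manager=mgmtKM:add(key-store=mgmtKS, credential-reference={clear-text=keystore-password})
# The truststore holds the slave host certificates; its 'type' must match the real file format.
/host=master/subsystem=elytron/key-store=mgmtTS:add(path=truststore.p12, relative-to=jboss.domain.config.dir, type=PKCS12, credential-reference={clear-text=truststore-password})
/host=master/subsystem=elytron/trust-manager=mgmtTM:add(key-store=mgmtTS)
# need-client-auth=true is what makes this 2-way: a peer without a trusted certificate fails the handshake.
/host=master/subsystem=elytron/server-ssl-context=mgmtSSC:add(key-manager=mgmtKM, trust-manager=mgmtTM, need-client-auth=true, protocols=["TLSv1.2"])

# Identity for slaves comes from the truststore itself: the decoded CN of the presented
# certificate is looked up as an alias in mgmtTS (assumed realm/decoder names).
/host=master/subsystem=elytron/key-store-realm=slaveCertRealm:add(key-store=mgmtTS)
/host=master/subsystem=elytron/x500-attribute-principal-decoder=cnDecoder:add(attribute-name=cn, maximum-segments=1)
/host=master/subsystem=elytron/security-domain=slaveDomain:add(default-realm=slaveCertRealm, realms=[{realm=slaveCertRealm}], principal-decoder=cnDecoder, permission-mapper=default-permission-mapper)

# Offer EXTERNAL (certificate identity) to connecting hosts. 'configured' is assumed to be the
# existing configured-sasl-server-factory in the host's Elytron subsystem.
/host=master/subsystem=elytron/sasl-authentication-factory=slaveSaslFactory:add(sasl-server-factory=configured, security-domain=slaveDomain, mechanism-configurations=[{mechanism-name=EXTERNAL}])

# Attach the SSL context and the SASL factory to the management interface.
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=mgmtSSC)
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=secure-port, value=9993)
/host=master/core-service=management/management-interface=http-interface:write-attribute(name=sasl-authentication-factory, value=slaveSaslFactory)

# ---- slave host controller (host.xml) ----
# The slave's own certificate (alias must equal the CN the master decodes) plus the master's cert in its truststore.
/host=slave/subsystem=elytron/key-store=slaveKS:add(path=slave.keystore.p12, relative-to=jboss.domain.config.dir, type=PKCS12, credential-reference={clear-text=keystore-password})
/host=slave/subsystem=elytron/key-manager=slaveKM:add(key-store=slaveKS, credential-reference={clear-text=keystore-password})
/host=slave/subsystem=elytron/key-store=slaveTS:add(path=truststore.p12, relative-to=jboss.domain.config.dir, type=PKCS12, credential-reference={clear-text=truststore-password})
/host=slave/subsystem=elytron/trust-manager=slaveTM:add(key-store=slaveTS)
# A client-ssl-context with a key-manager is what lets the slave present a client certificate.
/host=slave/subsystem=elytron/client-ssl-context=slaveCSC:add(key-manager=slaveKM, trust-manager=slaveTM, protocols=["TLSv1.2"])

# Restrict the slave to EXTERNAL so it never falls back to a password mechanism such as DIGEST-MD5.
/host=slave/subsystem=elytron/authentication-configuration=slaveAuthConf:add(sasl-mechanism-selector="EXTERNAL")
/host=slave/subsystem=elytron/authentication-context=slaveAuthCtx:add(match-rules=[{authentication-configuration=slaveAuthConf, ssl-context=slaveCSC}])

# Point the slave at the master over the secure port using that context (master address assumed).
/host=slave:write-remote-domain-controller(host=master.example.internal, port=9993, protocol=remote+https, authentication-context=slaveAuthCtx)
```

With this in place the -Djavax.net.ssl.trustStore* properties in domain.bat are no longer needed, which is preferable: a JVM-wide truststore silently affects every outbound TLS connection the host controller makes, whereas the Elytron trust-manager is scoped to the management connection. If the slave still reports that only DIGEST-MD5 is offered, the thing to check on the master is whether the factory actually bound to the http-interface lists EXTERNAL and whether the server-ssl-context attached to it carries a trust-manager, since without a verified client certificate the server has no EXTERNAL identity to offer.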