How to avoid javax.net.ssl.keyStore* in bin/standalone.conf


AC

Jul 25, 2023, 12:43:33 PM
to WildFly
Hello,

I would like to implement mutual TLS between Wildfly 26.1.3 and the datasource (MariaDB 10.11).

The only way I have been able to do so so far is:
* configuration of <tls> in standalone/configuration/standalone.xml, with appropriate key-stores, key-manager, trust-manager and client-ssl-context, as explained in the doc;
* AND passing the options -Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword, -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword to the JVM, in the bin/standalone.conf file.

My question is: is there a way to do so, without the passing of the options to the JVM?
Indeed, it is great to use Elytron, not to have plain-text passwords in the standalone.xml file anymore. But, if those passwords have to remain in the bin/standalone.conf file.
I am confident I am making a mistake; but I cannot identify it.

Thank you for your help!
Good bye,

AC

Bartosz Baranowski

Jul 27, 2023, 2:51:41 PM
to WildFly
AFAIR, you will have to store some password one way or another in server configuration. What I fail to understand is why would server configuration be visible to other users than server_ID?
Anyway, did you look at: https://www.mastertheboss.com/jbossas/jboss-security/using-credential-stores-to-store-your-passwords-in-wildfly-11/

AC

Jul 28, 2023, 8:22:55 AM
to WildFly
Thank you, Bartosz, for your answer.

I agree that I have to store passwords somehow in a server config. Actually, I am already using Elytron to store passwords - e.g. for the user to connect to the datasource - and it has worked well so far.

Let me try to clarify my issue.
I would like to set up an SSL context for the communication between Wildfly and the datasource. To do so, Wildfly needs to have a keystore - with the client key and certificate - and a truststore - with the CA certificate which signed the datasource certificate. These stores are password-protected. Thanks to Elytron, no password in plain text in standalone/configuration/standalone.xml: I agree.
The problem is that this is not enough: there is no way to bind the datasource with such a configuration. There still needs to be the passing of the options -Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword, -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword to the JVM, in the bin/standalone.conf file.
=> why so? And how to avoid it, if possible?

I hope I have made my point clearer now.

Good bye,

AC

Darran Lofthouse

Jul 28, 2023, 8:26:11 AM
to WildFly
In this case you probably need to look at the default-ssl-context attribute on the root of the Elytron subsystem.

For many libraries that need an SSLContext, they call SSLContext.getDefault() when they need one; by default the default security provider sees none has been set, so it dynamically constructs one using the system properties that you are currently using.

If you set the default-ssl-context attribute on the Elytron subsystem to reference a defined one we call SSLContext.setDefault with this configured SSLContext, then when the library calls SSLContext.getDefault it uses the one we registered instead of dynamically creating a new one.

AC

Jul 28, 2023, 9:51:45 AM
to WildFly
Thank you for your answer, Darran.

I think I got it wrong, though.
What I did:
1 - deletion of the 4 options in the bin/standalone.conf file.
2 - CLI:
/opt/wildfly/bin/jboss-cli.sh --connect
/subsystem=elytron:write-attribute(name=default-ssl-context,value=mariaDBSSLContext)

The logs I got:
org.mariadb.jdbc.message.server.ErrorPacket] (JCA PoolFiller) Error: 1045-28000: Access denied for user 'USER'@'HOST' (using password: YES)
org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (JCA PoolFiller) IJ000610: Unable to fill pool: JNDI-NAME: javax.resource.ResourceException: IJ031084: Unable to create connection

Of course, if I set again the options in the bin/standalone.conf file, it all goes well.

Darran Lofthouse

Jul 28, 2023, 9:54:04 AM
to WildFly
Are you pre-filling a pool of datasource connections?  I am wondering if the connection attempt is before the SSLContext is registered.
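
The mechanism Darran describes in his two replies above (libraries asking for SSLContext.getDefault(), Elytron registering the configured context with SSLContext.setDefault(), and a pool that prefills before that registration keeping whatever it got first) can be reproduced outside WildFly. The following Java program is an added example and not WildFly, Elytron or MariaDB Connector/J code; it assumes the store paths under standalone/configuration/keystore from the thread, reads the store passwords from a hypothetical MARIADB_STORE_PWD environment variable instead of javax.net.ssl.* system properties, and models the driver as code that only ever calls SSLContext.getDefault().

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class DefaultSslContextDemo {

    // Placeholder paths for the two stores from the thread. In WildFly these are
    // resolved from the Elytron key-store definitions, never hard-coded like this.
    static final String KEYSTORE_PATH =
        "/opt/wildfly/standalone/configuration/keystore/mariadb-keystore.p12";
    static final String TRUSTSTORE_PATH =
        "/opt/wildfly/standalone/configuration/keystore/mariadb-truststore.jks";

    /**
     * Builds a client SSLContext the way an Elytron client-ssl-context is assembled:
     * a key-manager (client key + certificate) plus a trust-manager (CA that signed
     * the MariaDB server certificate). No javax.net.ssl.* property is consulted.
     */
    static SSLContext buildClientContext(String ksPath, char[] ksPwd,
                                         String tsPath, char[] tsPwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPwd);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPwd);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(tsPath)) {
            ts.load(in, tsPwd);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Stands in for a JDBC driver or any library that only asks for the JVM-wide default. */
    static SSLContext libraryLookup() throws Exception {
        return SSLContext.getDefault();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical: password supplied by the environment for this demo; in WildFly
        // it comes from the credential store referenced by <credential-reference>.
        char[] pwd = System.getenv().getOrDefault("MARIADB_STORE_PWD", "").toCharArray();

        // 1. Nothing registered yet and no javax.net.ssl.* properties set: the JDK
        //    synthesizes a default from its own cacerts and, lacking a keyStore
        //    property, with no client certificate to present. A pool that prefills
        //    at this point captures exactly this context.
        SSLContext early = libraryLookup();

        // 2. What Elytron does at boot once default-ssl-context points at a
        //    client-ssl-context: register the configured context process-wide.
        SSLContext configured = buildClientContext(KEYSTORE_PATH, pwd, TRUSTSTORE_PATH, pwd);
        SSLContext.setDefault(configured);

        // 3. Lookups made after registration now receive the configured context,
        //    but anything that already captured 'early' keeps using it.
        SSLContext late = libraryLookup();
        System.out.println("getDefault() after setDefault is the configured context: "
            + (late == configured));          // true
        System.out.println("context captured before setDefault is still the old one:  "
            + (early != configured));         // true
    }
}
```

The ordering in main is the point: a connection made from the first lookup has no client certificate and cannot satisfy a server that requires one, whatever is configured later. For a pool with prefill enabled, the check is therefore whether the Elytron subsystem's setDefault has already run when the datasource subsystem fills the pool.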

AC

Jul 28, 2023, 10:02:57 AM
to WildFly
Sorry to sound so inexperienced, I think the answer is "yes", but I am not totally confident.
What I have done so far: installing Wildfly + installing the JDBC connector + creating a credential-store with the required aliases + adding a data-source.
Does it answer your question?

Bartosz Baranowski

Jul 28, 2023, 11:00:18 AM
to AC, WildFly
No need to be sorry. Remember, there are no stupid questions. If you could share config part, that would most likely answer some questions and speed things up.

--

"With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably."

Bartosz Baranowski
RedHat R&D

AC

Jul 28, 2023, 11:27:33 AM
to WildFly
Thanks a lot, Bartosz.
I'll do it... but in a few-week time.
See you then.

AC

Aug 23, 2023, 10:42:14 AM
to WildFly
Hello WildFly Team,

I am back for good.
Here are some parts of the standalone.xml file; green parts need to be customised:
        <subsystem xmlns="urn:jboss:domain:datasources:7.0">
            <datasources>
                <datasource jndi-name="java:/maria" pool-name="mariads" use-ccm="true">
                    <connection-url>jdbc:mariadb://FQDN_OF_THE_MARIADB_SERVER:3306/DATABASE_NAME?sslMode=verify-full</connection-url>
                    <driver-class>org.mariadb.jdbc.Driver</driver-class>
                    <driver>mariadb-java-client.jar</driver>
                    <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
                    <pool>
                        <min-pool-size>5</min-pool-size>
                        <max-pool-size>150</max-pool-size>
                        <prefill>true</prefill>
                    </pool>
                    <security>
                        <user-name>admin</user-name>
                        <password>admin</password>
                    </security>
                    <validation>
                        <check-valid-connection-sql>select 1;</check-valid-connection-sql>
                        <validate-on-match>true</validate-on-match>
                        <background-validation>false</background-validation>
                    </validation>
                    <statement>
                        <prepared-statement-cache-size>50</prepared-statement-cache-size>
                        <share-prepared-statements>true</share-prepared-statements>
                    </statement>
                </datasource>
            </datasources>
        </subsystem>

[...]
        <subsystem xmlns="urn:wildfly:elytron:15.1" final-providers="combined-providers" disallowed-providers="OracleUcrypto" default-ssl-context="mariaDBSslContext">
[...]
            <tls>
                <key-stores>
                    <key-store name="applicationKS">
                        <credential-reference clear-text="password"/>
                        <implementation type="JKS"/>
                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                    <key-store name="mariaDBTrustStore">
                        <credential-reference store="defaultCS" alias="mariaDBTrustStorePWD"/>
                        <implementation type="JKS"/>
                        <file path="keystore/mariadb-truststore.jks" relative-to="jboss.server.config.dir"/>
                    </key-store>
                    <key-store name="mariaDBKeyStore">
                        <credential-reference store="defaultCS" alias="mariaDBKeyStorePWD"/>
                        <implementation type="PKCS12"/>
                        <file path="keystore/mariadb-keystore.p12" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
                        <credential-reference clear-text="password"/>
                    </key-manager>
                    <key-manager name="mariaDBKeyManager" key-store="mariaDBKeyStore">
                        <credential-reference store="defaultCS" alias="mariaDBKeyStorePWD"/>
                    </key-manager>
                </key-managers>
                <trust-managers>
                    <trust-manager name="mariaDBTrustManager" key-store="mariaDBTrustStore"/>
                </trust-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
                </server-ssl-contexts>
                <client-ssl-contexts>
                    <client-ssl-context name="mariaDBSslContext" key-manager="mariaDBKeyManager" trust-manager="mariaDBTrustManager"/>
                </client-ssl-contexts>
            </tls>
[...]
        </subsystem>

And here is the standalone.conf:
if [ "x$JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then
     JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman"
fi
 
if [ "x$JAVA_OPTS" = "x" ]; then
     JAVA_OPTS="-Xms2048m -Xmx2048m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m"
     JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
     JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS"
     JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true"
     JAVA_OPTS="$JAVA_OPTS -Djboss.tx.node.id=214"
     JAVA_OPTS="$JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError"
     JAVA_OPTS="$JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=2048"
else
     echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
fi


Of course, with the same mariaDB user-name, the same password, and the certificate and key used to create mariadb-keystore.p12, I can connect to mariaDB using the CLI: mysql -u admin -p -h FQDN_OF_THE_MARIADB_SERVER --ssl-ca=FILE1 --ssl-cert=FILE2 --ssl-key=FILE3

Are those configuration elements enough?

Thank you.

AC

Aug 30, 2023, 3:07:08 AM
to WildFly
Hello the WildFly Team,

has anyone any input on the matter, by any chance?
Thank you,

AC

Bartosz Baranowski

Oct 9, 2023, 3:38:56 AM
to WildFly
Hey. Took me a bit.
Ok, so if I'm not mistaken, you have everything set up, point to SSL context

<server-ssl-contexts>
    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
<client-ssl-contexts>
    <client-ssl-context name="mariaDBSslContext" key-manager="mariaDBKeyManager" trust-manager="mariaDBTrustManager"/>
</client-ssl-contexts>
and AFAIR this should be enough (if I remember correctly). One thing that does smell bad is:
<credential-reference clear-text="password"/>
rather than masking:
https://github.com/wildfly/wildfly-proposals/blob/main/elytron/ELY-816-masked-password.adoc (that's an RFE, but the good thing is it has everything explained clearly and in one place).
https://groups.google.com/g/wildfly/c/T4kIm7dcIdM

AC

Nov 8, 2023, 10:13:37 AM
to WildFly
Hello Bartosz,

thank you for your feedback.

Please, do not take into account this part: <credential-reference clear-text="password"/>
This is a default configuration (namely, applicationKM and applicationKS), and I am not making any use of it.
You can freely consider it as absent.

However, it still does not work.
I just cannot stop getting those logs:
org.mariadb.jdbc.message.server.ErrorPacket] (JCA PoolFiller) Error: 1045-28000: Access denied for user 'USER'@'HOST' (using password: YES)
org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (JCA PoolFiller) IJ000610: Unable to fill pool: JNDI-NAME: javax.resource.ResourceException: IJ031084: Unable to create connection

Do you have any idea why?