Truststore is not getting reloaded at runtime in wildfly 25

376 views

Aniket Pachpute

Jun 8, 2022, 1:50:12 AM
to WildFly
Hi,
We are creating an empty truststore at WildFly startup and later adding self-signed certificates to the truststore.
After that we reload the keystore and trust manager using the commands below:
./bin/jboss-cli.sh --connect <<EOF
/subsystem=elytron/key-store=trust-store:load
/subsystem=elytron/trust-manager=TrustManager:init
EOF
 
We are enabling elytron to reload truststore without restarting the JVM.

It seems that the new truststore is not taken into use by the JVM. Only if we restart the JVM is the new truststore taken into consideration.

Could you please provide some pointers to resolve this issue?

Thanks,
Aniket

Diana Krepinska

Jun 8, 2022, 4:39:40 AM
to WildFly
Hello, what is the outcome of those commands? Is it not success? You can also configure logging and check the logs. 

Aniket Pachpute

Jun 8, 2022, 5:15:05 AM
to WildFly
Below is the output of commands:
[standalone@localhost:9990 /] /subsystem=elytron/key-store=trust-store:load
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9990 /] /subsystem=elytron/trust-manager=TrustManager:init
{"outcome" => "success"}

Farah Juma

Jun 8, 2022, 5:39:58 PM
to WildFly
What does your trust-manager configuration look like? Is it referencing the correct key-store?

Aniket Pachpute

Jun 9, 2022, 12:52:33 AM
to WildFly
Hi @Farah Juma,

Below is the trust-manager configuration:
<trust-managers>
    <trust-manager name="TrustManager" algorithm="SunX509" key-store="trust-store"/>
</trust-managers>

and it is referring to the correct key-store:

<key-store name="trust-store">
    <credential-reference store="mycredstore" alias="trustpwd"/>
    <implementation type="JKS"/>
    <file path="/opt/wildfly/security/cacerts"/>
</key-store>

Diana Krepinska

Jun 9, 2022, 8:00:19 AM
to WildFly
Thank you. What is the behaviour that makes it seem that the new truststore is not taken into use? Are the connections failing, and could there be a different reason for that?

Aniket Pachpute

Jun 10, 2022, 2:54:20 AM
to Diana Krepinska, WildFly
The connection is failing with the exception below:
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This exception is not seen when we restart the JVM.

--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly/a9c73e8e-2240-4935-9a87-d95f84e2015fn%40googlegroups.com.


--
Aniket R. Pachpute

Diana Krepinska

Jun 15, 2022, 12:13:27 PM
to WildFly
If you can create a reproducer and file a Jira issue, that would be good. Otherwise, we don't have enough details to know what could be causing it.

Aniket Pachpute

Jun 22, 2022, 12:56:51 AM
to Diana Krepinska, WildFly
Hi Diana,


Thanks,
Aniket



--
Aniket R. Pachpute