TLS configuration for remote EJB invocation in wildfly 26


christia...@switch.ch

May 6, 2022, 4:07:58 AM5/6/22
to WildFly
Hello

I'm working on the migration from wildfly 23 to wildfly 26 and now have a problem with remote EJB via https from one wildfly to another on a different server. The configuration on both servers is identical.

The relevant configuration (standalone.xml) in wildfly 23 was this:

<server xmlns="urn:jboss:domain:16.0">
    ...
    <management>
        <security-realms>
            ...
            <security-realm name="ejb-security-realm">
                <server-identities>
                    <secret value="somepassword"/>
                    <ssl>
                        <keystore path="client.keystore" relative-to="jboss.server.config.dir" keystore-password="clientpassword" alias="clientalias" key-password="clientpassword"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <truststore path="client.truststore" relative-to="jboss.server.config.dir" keystore-password="clientpassword"/>
                </authentication>
            </security-realm>
        </security-realms>
        ...
    </management>
    ...
    <profile>
        ...
        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
            ...
            <remote connectors="http-remoting-connector" thread-pool-name="ejb-remote">
                <channel-creation-options>
                    <option name="WORKER_READ_THREADS" value="8" type="xnio"/>
                    <option name="WORKER_WRITE_THREADS" value="8" type="xnio"/>
                    <option name="MAX_INBOUND_MESSAGES" value="200" type="remoting"/>
                    <option name="MAX_OUTBOUND_MESSAGES" value="200" type="remoting"/>
                </channel-creation-options>
            </remote>
            ...
        </subsystem>
        ...
        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            ...
            <tls>
                <key-stores>
                    <key-store name="server-key-store">
                        <credential-reference clear-text="serverpassword"/>
                        <implementation type="JKS"/>
                        <file path="server.keystore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                    <key-store name="server-trust-store">
                        <credential-reference clear-text="serverpassword"/>
                        <implementation type="JKS"/>
                        <file path="server.truststore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                    <key-store name="client-key-store">
                        <credential-reference clear-text="clientpassword"/>
                        <implementation type="JKS"/>
                        <file path="client.keystore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                    <key-store name="client-trust-store">
                        <credential-reference clear-text="clientpassword"/>
                        <implementation type="JKS"/>
                        <file path="client.truststore" relative-to="jboss.server.config.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="server-key-manager" key-store="server-key-store">
                        <credential-reference clear-text="serverpassword"/>
                    </key-manager>
                    <key-manager name="client-key-manager" key-store="client-key-store">
                        <credential-reference clear-text="clientpassword"/>
                    </key-manager>
                </key-managers>
                <trust-managers>
                    <trust-manager name="server-trust-manager" key-store="server-trust-store"/>
                    <trust-manager name="client-trust-manager" key-store="client-trust-store"/>
                </trust-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="server-ssl-context" want-client-auth="true" need-client-auth="true" key-manager="server-key-manager" trust-manager="server-trust-manager"/>
                </server-ssl-contexts>
                <client-ssl-contexts>
                    <client-ssl-context name="client-ssl-context" key-manager="client-key-manager" trust-manager="client-trust-manager"/>
                </client-ssl-contexts>
            </tls>
            ...
        </subsystem>
        ...
        <subsystem xmlns="urn:jboss:domain:undertow:12.0">
            ...
            <server name="default-server">
                <ajp-listener name="default-ajp" socket-binding="ajp"/>
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" ssl-context="server-ssl-context" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            ...
        </subsystem>
        ...
    </profile>
    ...
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        ...
        <outbound-socket-binding name="remote-ejb-binding">
            <remote-destination host="<backend.host>" port="8443"/>
        </outbound-socket-binding>
    </socket-binding-group>
</server>

For wildfly 26 I started again with the standalone.xml from the distribution and added my changes. The <security-realm> is no longer supported. I also made some adjustments that seemed relevant to me. I ended up with this new standalone.xml:

<server xmlns="urn:jboss:domain:16.0">
    ...
    <profile>
        ...
        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
            ...
            <remote connectors="http-remoting-connector" thread-pool-name="ejb-remote">
                <channel-creation-options>
                    <option name="WORKER_READ_THREADS" value="8" type="xnio" />
                    <option name="WORKER_WRITE_THREADS" value="8" type="xnio" />
                    <option name="MAX_INBOUND_MESSAGES" value="200" type="remoting" />
                    <option name="MAX_OUTBOUND_MESSAGES" value="200" type="remoting" />
                </channel-creation-options>
            </remote>
            ...
            <application-security-domains>
                ...
                <application-security-domain name="ejb-client-security-domain" security-domain="ejb-client-security-domain"/>
                <application-security-domain name="ejb-server-security-domain" security-domain="ejb-server-security-domain"/>
            </application-security-domains>
        </subsystem>
        <subsystem xmlns="urn:wildfly:elytron:15.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <security-domains>
                ...
                <security-domain name="ejb-client-security-domain" default-realm="ejb-client-security-realm" permission-mapper="default-permission-mapper">
                    <realm name="ejb-client-security-realm"/>
                </security-domain>
                <security-domain name="ejb-server-security-domain" default-realm="ejb-server-security-realm" permission-mapper="default-permission-mapper">
                    <realm name="ejb-server-security-realm"/>
                </security-domain>
            </security-domains>
            <security-realms>
                ...
                <key-store-realm name="ejb-client-security-realm" key-store="client-key-store" />
                <key-store-realm name="ejb-server-security-realm" key-store="server-key-store" />
            </security-realms>
            ...
            <sasl>
                ...
                <sasl-authentication-factory name="ejb-client-sasl-authentication" sasl-server-factory="configured" security-domain="ejb-client-security-domain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="EXTERNAL" realm-mapper="ejb-client-security-realm" />
                        <mechanism mechanism-name="DIGEST-MD5">
                            <mechanism-realm realm-name="ManagementRealm" />
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>
                <sasl-authentication-factory name="ejb-server-sasl-authentication" sasl-server-factory="configured" security-domain="ejb-server-security-domain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="EXTERNAL" realm-mapper="ejb-server-security-realm" />
                        <mechanism mechanism-name="DIGEST-MD5">
                            <mechanism-realm realm-name="ManagementRealm" />
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>
                ...
            </sasl>
            <tls>
                <key-stores>
                    <key-store name="server-key-store">
                        <credential-reference clear-text="serverPassword" />
                        <implementation type="JKS" />
                        <file path="server.keystore" relative-to="jboss.server.config.dir" />
                    </key-store>
                    <key-store name="server-trust-store">
                        <credential-reference clear-text="serverPassword" />
                        <implementation type="JKS" />
                        <file path="server.truststore" relative-to="jboss.server.config.dir" />
                    </key-store>
                    <key-store name="client-key-store">
                        <credential-reference clear-text="clientpassword" />
                        <implementation type="JKS" />
                        <file path="client.keystore" relative-to="jboss.server.config.dir" />
                    </key-store>
                    <key-store name="client-trust-store">
                        <credential-reference clear-text="clientpassword" />
                        <implementation type="JKS" />
                        <file path="client.truststore" relative-to="jboss.server.config.dir" />
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="server-key-manager" key-store="server-key-store">
                        <credential-reference clear-text="serverPassword" />
                    </key-manager>
                    <key-manager name="client-key-manager" key-store="client-key-store">
                        <credential-reference clear-text="clientpassword" />
                    </key-manager>
                </key-managers>
                <trust-managers>
                    <trust-manager name="server-trust-manager" key-store="server-trust-store" />
                    <trust-manager name="client-trust-manager" key-store="client-trust-store" />
                </trust-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="server-ssl-context" want-client-auth="false" need-client-auth="false" key-manager="server-key-manager" trust-manager="server-trust-manager" />
                </server-ssl-contexts>
                <client-ssl-contexts>
                    <client-ssl-context name="client-ssl-context" key-manager="client-key-manager" trust-manager="client-trust-manager" />
                </client-ssl-contexts>
            </tls>
            ...
        </subsystem>
        ...
        <subsystem xmlns="urn:jboss:domain:undertow:12.0">
            ...
            <server name="default-server">
                ...
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true" />
                <https-listener name="https" socket-binding="https" ssl-context="server-ssl-context" enable-http2="true" />
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content" />
                    <http-invoker http-authentication-factory="application-http-authentication" />
                </host>
            </server>
            ...
        </subsystem>
        ...
    </profile>
    ...
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        ...
        <outbound-socket-binding name="remote-ejb-binding">
            <remote-destination host="<backend.host>" port="8443"/>
        </outbound-socket-binding>
    </socket-binding-group>
</server>

Unfortunately this doesn't work. I read a lot of documentation, including the migration guide (https://docs.jboss.org/author/display/WFLY/Simple%20SSL%20Migration.html). I always get the following error:

06.05.2022 08:47:21.558; ERROR [ch.nic.reg.TextCache] (ServerService Thread Pool -- 85) Unable to load text cache from database!: javax.ejb.NoSuchEJBException: EJBCLIENT000079: Unable to discover destination for request for EJB StatelessEJBLocator for "reg-core/common-ejb/SecurityHandlerBean", view is interface ch.nic.reg.security.SecurityHandlerRemote, affinity is None
...
Suppressed: java.io.IOException: Invalid response
at org.jbo...@3.8.5.Final//org.xnio.http.HttpUpgradeParser.parseVersion(HttpUpgradeParser.java:164)

Any ideas?

Thanks
Christian

christia...@switch.ch

May 10, 2022, 5:53:45 AM5/10/22
to WildFly
Hi all

Obviously this post was a little bit too long to receive an answer ;-).

I'll try to rephrase my main question. Where can I find documentation for configuring a wildfly instance as an EJB client? All the documentation I was able to find talks a lot about a "wildfly-config.xml" on the client side. But shouldn't this configuration go into standalone.xml?

Thanks in advance
Christian

Diana Krepinska

May 13, 2022, 1:59:01 PM5/13/22
to WildFly
Does this relate to https://docs.wildfly.org/26/Client_Guide.html#jboss-ejb-client ? It mentions that to configure the EJB client from within a deployment you can use wildfly-config.xml. The configuration will then be loaded automatically. You should be able to specify the TLS configuration in wildfly-config.xml for the EJB client, so not in standalone.xml.
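To make the reply above concrete, here is a wildfly-config.xml for the calling deployment, written as an added example for this thread (it is not from the original posts or from the WildFly project). It reuses the client.keystore / client.truststore files, the clientpassword and the clientalias from the first post's wildfly 23 configuration, and the 8443 port of the remote-ejb-binding. Everything else is assumed: the file location (META-INF of the deployment, which is where the linked Client Guide says a deployment's wildfly-config.xml is picked up), the absolute keystore paths, the host name backend.host, and the element and attribute names, which follow the urn:elytron:client and urn:jboss:wildfly-client-ejb schemas as I remember them from the Client Guide and should be checked against the schema files shipped with the installed version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: META-INF/wildfly-config.xml of the
     deployment that calls the remote EJB. Schema element names are from
     memory of the WildFly Client Guide; verify against your version. -->
<configuration>
    <authentication-client xmlns="urn:elytron:client:1.2">
        <key-stores>
            <!-- Same files and password as the poster's client-key-store and
                 client-trust-store. wildfly-config.xml does not expand
                 jboss.server.config.dir, so the paths are spelled out (assumed). -->
            <key-store name="client-key-store" type="JKS">
                <file name="/opt/wildfly/standalone/configuration/client.keystore"/>
                <key-store-clear-password password="clientpassword"/>
            </key-store>
            <key-store name="client-trust-store" type="JKS">
                <file name="/opt/wildfly/standalone/configuration/client.truststore"/>
                <key-store-clear-password password="clientpassword"/>
            </key-store>
        </key-stores>
        <ssl-contexts>
            <ssl-context name="client-ssl-context">
                <!-- Client certificate presented when the remote server-ssl-context
                     has need-client-auth="true"; "clientalias" is the alias from
                     the wildfly 23 <keystore> line. -->
                <key-store-ssl-certificate key-store-name="client-key-store" alias="clientalias">
                    <key-store-clear-password password="clientpassword"/>
                </key-store-ssl-certificate>
                <!-- Trust only what is in client.truststore, not the JDK default CAs. -->
                <trust-store key-store-name="client-trust-store"/>
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <!-- Pick the SSL context by destination host (host name assumed). -->
            <rule use-ssl-context="client-ssl-context">
                <match-host name="backend.host"/>
            </rule>
        </ssl-context-rules>
        <authentication-configurations>
            <!-- Authenticate with the TLS client certificate (SASL EXTERNAL),
                 so no password travels to the backend. -->
            <configuration name="ejb-cert-auth">
                <sasl-mechanism-selector selector="EXTERNAL"/>
            </configuration>
        </authentication-configurations>
        <authentication-rules>
            <rule use-configuration="ejb-cert-auth">
                <match-host name="backend.host"/>
            </rule>
        </authentication-rules>
    </authentication-client>
    <jboss-ejb-client xmlns="urn:jboss:wildfly-client-ejb:3.0">
        <connections>
            <!-- 8443 is the https-listener in the posted standalone.xml, so the
                 scheme is remote+https: TLS is negotiated first and the HTTP
                 upgrade to the remoting protocol happens inside the TLS session. -->
            <connection uri="remote+https://backend.host:8443"/>
        </connections>
    </jboss-ejb-client>
</configuration>
```

Two points worth checking against the posted server configuration: the server side only challenges for a certificate if its server-ssl-context keeps need-client-auth="true" (the wildfly 23 version had it, the wildfly 26 version sets it to false), and the EXTERNAL mechanism in the server's sasl-authentication-factory needs a realm that can map the presented certificate to an identity. The clear-text passwords in this file are for illustration; for a production deployment keep the keystore password out of the archive (for example via a credential store or masked password) and restrict file permissions on the keystores.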