I would like to send JMS messages to my local JBoss 7.2 server. For this purpose I tried using JMeter with the JMS Point-to-Point step. I configured everything as you can see in the picture below:
JNDI properties:
java.naming.security.principal = ca2
java.naming.security.credentials
= 12346578
What I've tried on the server side:
created an Application User (with the credentials in the JNDI properties)
deleted security realm from <http-connector name="http-remoting-connector"
connector-ref="default" security-realm="ApplicationRealm"/>
The server is up and running, but in both cases I got the following errors:
Response message: javax.naming.AuthenticationException: Failed to connect to any server. Servers tried: [http-remoting://127.0.0.1:8080 (Authentication failed: all available authentication mechanisms failed:
DIGEST-MD5: Server rejected authentication)] [Root exception is javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
DIGEST-MD5: Server rejected authentication]
What else should I try?
These ca2 and 12346578 values don't look to be MD5-encoded to me, I think you need to use UsernamePasswordHashUtil in order to encrypt the credentials like
java -classpath /path/to/jboss/sasl/jar org/jboss/sasl/util/UsernamePasswordHashUtil <username> [realm name] <password>
Alternatively you can consider using jboss-ejb-client and send your message programmatically from the JSR223 Sampler and Groovy language, something like:
def config = AuthenticationConfiguration.empty()
.setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("DIGEST-MD5")).useName("ca2")
.usePassword("12345678");
def ctx = AuthenticationContext.empty().with(MatchRule.ALL.matchHost("127.0.0.1"), config);
Turned out my configuration was completely wrong.
I apologize to everyone who tried to help me. It was a great lesson to learn for me.
Here is what I had to do, and you should consider if you are in a similar situation:
Remove jboss-client.jar from jmeter's lib/ext folder. (It caused the connection to close too soon for some reason)
Change JMeter Poin-to-Point step's Communication style to
request_only
Create a JBoss Application user and add it to the guest group
(./add-user.sh -a --user ca2 --password 12345678 -g guest)
Activate the jboss profile in server config (add the system property:
<property name="spring.profiles.active" value="jboss"/>)
And of course configure the JMS consumer properly in the Java code (one can check in the management console whether the consumer exists)
Thanks for everyone who helped me.
Related
I am running a spring boot application which is a webservice client and sends requests to a webservice on a Jboss.
A certificate was added on the jboss and since then i started having exception:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
So i searched on google on how to communicate with a cert based Jboss and came up with the idea that I needed to create a trust store from the jboss cert and then use that in my application.yaml
server:
port: 7887
address: 127.0.0.1
ssl:
# enabled: true
trust-store: file:config/myapp.truststore
trust-store-password: myappdomain
These didnt work. So i went with more manual and on the grounds approach
I just did the below and this worked. ( for any one having the same issue this works;I added the truststore in the config directory and the config directory was at the same level as the myapp.jar)
java -Djavax.net.ssl.trustStore=config/myapp.truststore -jar myapp.jar
My question: why did the application.yaml configs didnt work. was i missing something.
the above approach works without a password ( may be because the password is the same on keystore and cert in jboss as the trust store password).
Is there any security issue or any kind of issue with the approach that worked. and for future how can i make the yaml configs work.
It is correct as you wrote it, you need to use javax.net.ssl.trustStore and his pair prop javax.net.ssl.trustStorePassword to check the validity of the remote service you are calling.
I understand the 3 options the following way:
server.ssl.key-store => use to authenticate yourself (the server) to other clients calling you
javax.net.ssl.trustStore => use to authenticate servers you are calling as a client from your Spring Boot app.
server.ssl.trust-store => use only if you are using 2-way ssl with Spring, where you authenticate yourself as a client towards other SSL secured server. Probably you will not use this so often when implementing SSL (one way ssl). So stick with the first two and you are good.
I am attempting to setup a Spring Cloud Config Server backed by Spring Cloud Vault secret management. I'm relatively new to Spring but I have tried following instructions and examples here:-
http://cloud.spring.io/spring-cloud-vault-config/
Everything works fine provided you follow the default settings like http, localhost and 8200 for the vault endpoint and tls_disable = 1 to switch off SSL. However these are not practical settings for any real environment and there are few examples anywhere that help with this. Can anyone help with a working example?
I have Successfully set up vault with TLS enable. I have successfully set up a config server that connects using a self signed cert. I can even inject a secret value into the config server and expose it via #Value and #PostConstruct.
All of this is working. However when I try to leverage Spring Conig endpoints to access vault, I get the following:-
{
"timestamp": 1486413850574,
"status": 500,
"error": "Internal Server Error",
"exception": "org.springframework.web.client.ResourceAccessException",
"message": "I/O error on GET request for \"http://127.0.0.1:8200/v1/secret/myapp\": Connection refused: connect; nested exception is java.net.ConnectException: Connection refused: connect",
"path": "/myapp/default"
}
Config server is using default values even though I have set overrides in the bootstrap.yml.:-
server:
port: 8888
spring:
profiles:
active: vault
spring.cloud.vault:
host: myhost.mydomain.com
port: 8200
scheme: https
authentication: TOKEN
token: 0f1887c3-d8a8-befd-a5a2-01e4e066c50
ssl:
trust-store: configTrustStore.jks
trust-store-password: changeit
As you can see it should be pointing to myhost.mydomain.com not
127.0.0.1 and it should be using https, not http as the protocol scheme.
I'm not sure why it uses these defaults for config server endpoints but uses correct settings during spring cloud vault startup. I'm using all the latest stable builds of Spring Dalsten.M1 and Spring Cloud Vault 1.0.0.M1. I realize these are milestone releases. I've also tried Camden and Brixton combos with no luck. I can supply code if required.
Any help greatly appreciated.
As I mention in my response to spensergibb, I have had some success in resolving this myself. Based on his comments I will clarify my intent as it will help with a common understanding of the issue. I am attempting to do two things:-
Stand up a configuration server that uses Vault as a backend, (as opposed to the default GIT backend) and expose the Vault API to client applications (over TLS) so that they can retrieve their own secrets. I do not want all my client applications to connect to Vault directly. I want them to get their configuration from a config server by having the config server connect to Vault. Until last night I was unable to achieve this goal, unless I set everything up as default with TLS disabled and using loopback address, port 8200 for the Vault software etc. Obviously defaults are not practical for any of our deployed environments. I will mention that the link posted by spencergibb does help me understand why this was not working but the subtlety of the reason is why I missed it before. Read on for my explanation.
I want the config server to configure itself from Vault directly. That is, connect to Vault via Spring Cloud Vault Config. This worked right away for me as described in the documentation. However this goal is somewhat trivial as I do not have a real use case at this time. But I wanted to understand if it could be done since I saw no real reason why not and it seemed like good first steps in integrating Vault.
The distinction between these two capabilities helped me understand that the problem derives from the fact that Spring Cloud Config Server and Spring Cloud Vault appear to be using two different beans to inject the Vault configuration properties. Spring Cloud Config Server uses VaultEnvironmentRepository annotated with #ConfigurationProperties("spring.cloud.config.server.vault") and Spring Cloud Vault uses VaultProperties annotated with #ConfigurationProperties("spring.cloud.vault").
This caused me to add two different configs to my bootstrap yml.
server:
port: 8888
spring:
profiles:
active: local, vault
application:
name: quoting-domain-configuration-server
cloud:
vault:
host: VDDP03P-49A26EF.lm.lmig.com
port: 8200
scheme: https
authentication: TOKEN
token: 0f1997c3-d8a8-befd-a5a2-01e4e066c50a
ssl:
trust-store: configTrustStore.jks
trust-store-password: changeit
config:
server:
vault:
host: VDDP03P-49A26EF.lm.lmig.com
port: 8200
scheme: https
authentication: TOKEN
token: 0f1997c3-d8a8-befd-a5a2-01e4e066c50a
Note the same config details. Just different yml paths. This is the subtle point I missed given that I started by getting goal number 1 to work first and assuming the same config would work for both goals. (Note: Token and password are contrived).
This almost worked except for an SSL handshake error. As you can see there are no SSL attributes set on the spring.cloud.config.server.vault path. The VaultProperties bean does not support them. I was not sure how to deal with this (perhaps another non-vault specific bean that I could not find). My solution was to simply force the cert configuration myself like this:-
#SpringBootApplication
#EnableConfigServer
public class Application
{
public static void main(String[] args)
{
System.setProperty("javax.net.ssl.trustStore",
Application.class.getResource("/configTrustStore.jks").getFile());
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
SpringApplication.run(Application.class, args);
}
}
This SSL solution is pretty ugly. I'm sure there must be a better way to do this part. So I am open to other suggestions. However once I completed all above steps everything now works.
Thanks for your write up. I was struggling to get this working. I was able to get a client service to connect to a Spring Cloud Config server and a Vault server but I was not able to get a Spring Cloud Config server to connect to a Vault server.
I even struggled after copying your configuration into my Spring Cloud Config server. While I eventually got it working with your configuration I was able to pare it down quite a bit. The key was that the token does not belong in the Spring Cloud Config server. It belongs in the client.
I was trying http://localhost:8888/{application}/default in the browser but got the following:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu May 11 14:21:31 EDT 2017
There was an unexpected error (type=Bad Request, status=400).
Missing required header: X-Config-Token
I used PostMan to send the request with a X-Config-Token header containing the Vault token and it worked.
Here is my final config.
server:
port: ${PORT:8888}
management:
context-path: /manage
security:
enabled: true
spring:
profiles:
active: git,vault
application:
name: config-server
cloud:
config:
server:
git:
order: 1
uri: file:///temp/config-server/config
vault:
order: 0
host: localhost
port: 8200
scheme: http
So it looks like you need to add the token to the client. Maybe using spring.cloud.config.token.
instead
#SpringBootApplication
#EnableConfigServer
public class Application
{
public static void main(String[] args)
{
System.setProperty("javax.net.ssl.trustStore",
Application.class.getResource("/configTrustStore.jks").getFile());
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
SpringApplication.run(Application.class, args);
}
}
write
bootstrap yml ->
javax.net.ssl.trustStore: /configTrustStore.jks
javax.net.ssl.trustStorePassword: changeit
Although I am answering late. But I was able to configure spring cloud config server to use Vault as backend with CERT authentication via certificates. And moreover you do not require to send X-Config-Token in GET request. So your config-server GET requests will work in the same way it works with GITHUB as backend.As my implementation will get the token on the fly and change the incoming request by appending header. I would recommend to check all the steps in my tutorial and github repo.
Here is my tutorial : https://medium.com/#java.developer.raman/enable-spring-config-server-to-use-cert-authentication-with-vault-as-back-end-ff84e1ef2de7?sk=45a26d7f1277437d91a5cff3d5997287
And GitHub repository: https://github.com/java-developer-raman/config-server-vault-backend
I'm trying to monitor my WLP v8.5.5 with JConsole.
My Liberty profile is up and running and has SSL properlly configured.
I also have configured as features the monitor-1.0 and restConnector-1.0.
After that I sftp'ed from my WLP the restConnector.jar to my machine and created a keystore on my machine as described here
After that I'm trying to start JConsole with this command:
jconsole -J-Djava.class.path="C:\Program Files\Java\jdk1.7.0_67\lib\jconsole.jar;
C:\Program Files\Java\jdk1.7.0_67\lib\tools.jar;
<whereIDownloaded>\restConnector.jar"
-J-Djavax.net.ssl.keyStore="<locationToCreated>\keystore.jks"
-J-Djavax.net.ssl.keyStorePassword=<password>
-J-Djavax.net.ssl.keyStoreType=jks
-J-Dcom.ibm.ws.jmx.connector.client.disableURLHostnameVerification=true
However, when I try to connect to my WLP via remote with the string:
service:jmx:rest://<ip>:<httpsPort>/IBMJMXConnectorREST
As a credential I'm passing a user configured on <administrator-role>.
I get a JConsole error saying:
Secure connection failed. Retry insecurely?
I don't get why I'm seeing this error, and I don't see any logs to see why it failed.
My next step if getting the keystore from WLP and try that on my machine but I don't think that makes much sense.
Does anyone have any suggestion on where should I look for logs or on that I'm doing wrong?
Thanks in advance!
Reference:
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_mon.html?cp=SSAW57_8.5.5%2F1-3-11-0-6&lang=en
Ensure you don't have localConnector-1.0 feature. If you have that, please remove it. You can find more details here Remote monitoring of Liberty with Health Center. Although it discusses Health Center connection, I was testing using JConsole also.
UPDATE
You might be invoking console with incorrect params - it should be trustStore not keystore see below. And for start use key.jks copied from Liberty (as you need Liberty certificate as trusted)
jconsole -J-Djava.class.path=%JAVA_HOME%/lib/jconsole.jar;
%JAVA_HOME%/lib/tools.jar;
%WLP_HOME%/clients/restConnector.jar
-J-Djavax.net.ssl.trustStore=key.jks
-J-Djavax.net.ssl.trustStorePassword=Liberty
-J-Djavax.net.ssl.trustStoreType=jks
For details check Configuring secure JMX connection to the Liberty
As an additional note - you must not have a webAppSecurity entry with loginFormURL set in your server.xml as this will cause the JMX login to fail (e.g., <webAppSecurity loginFormURL="login.html"/> is problematic). Each individual WAR needs to set their own login-config and not rely on any global method of configuring logins.
`
I'm behind a squid HTTP proxy requiring authentication and want to make API requests to an external server. However when I do so, I get the following error :
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.0 407 Proxy Authentication Required"
I've tried setting the proxy configuration by going to Control Panel > Java > Network Settings, but to no avail.
How to solve this?
You should set the proxy-settings in java.
System.getProperties().put("http.proxyHost", "someProxyURL");
System.getProperties().put("http.proxyPort", "someProxyPort");
System.getProperties().put("http.proxyUser", "someUserName");
System.getProperties().put("http.proxyPassword", "somePassword");
Copy from http://www.it.iitb.ac.in/~roshan/articles/javahttpproxy.html:
Tomcat Settings: catalina.properties
Append these properties to the catalina.properties file in Tomcat: ${CATALINA_OME}/conf/catalina.properties file:
http.proxyHost=yourProxyURL
http.proxyPort=yourProxyPort
http.proxyUser=yourUserName
http.proxyPassword=yourPassword
Tomcat Settings: catalina.bat
Add all the parameters defined above in the ${CATALINA_HOME}/bin/catalina.bat (for Windows) or ${CATALINA_HOME}/bin/catalina.bat (for *nix):
JAVA_OPTS="-Dhttp.proxyHost=yourProxyURL ..."
(Each option is seperated by spaces.)
I'm new with this authentication through kerberos protocol so I tried to read a lot of howto on it but seems like I can't find any specifics with my constraints. Here is what I have :
An Active Directory Server on which users authenticate to log into their workstations
Each end user uses IE 7 to connect to my intranet application
An Apache server with load balancing
Some Tomcats servers acting as workers for the Apache server.
on each tomcat, I have 2 jakarta servlet running, users connect only on one servlet (further i will call it the servlet as if there is only one)
my tomcats need to run under jdk5. not jdk6 or jdk4. it's jdk5 period.
Now I want one to automatically get logged on my servlet. Basically I just need my servlet to retrieve the client's principal then I can manage the rest.
Based on what I understood, my client has a ticket, he ask the KDC for a special ticket for accessing the apache server, then he tries to connect to the Apache server. Based on his keytab, the apache server then decode the auth data and grant/refuse the access to specified resource.
Am I right? please guide me through this, I've been reading pages for 4 days and still no clue on which solution is the more appropriate. I tried mod_auth_kerberos for Apache but instead of grabbing the user's ticket he ask it like a basic auth. Apparently spgneo
Thanks
Ok I got this working :
Install Kerberos 5 + apache 2 + mod_auth_kerb.
On your AD, generate a keytab with only the principal you will use for Apache, I use HTTP/apache.mydom.com#MYDOM.COM
Put this keytab file on your apache server and make it readable only
by your Apache user.
Then edit your apache conf with these directive for your secure
location
apache.conf:
[…]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure)>
[… some other stuff …]
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Authentification requise"
KrbAuthRealms MYDOM.COM
#this allows user to be saved in the request
KrbSaveCredentials on
#this one force Negotiate AuthType instead of basic fallback
KrbMethodNegotiate on
#this trim the realm from username saved in the request (request.getRemoteUser() will give you "user" instead of "user#MYDOM.COM"
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Krb5Keytab /install/binaries/httpd/apache.keytab
KrbServiceName HTTP
require valid-user
</LocationMatch>
And the one thing I almost failed to find on the web, you have to modify your tomcat server config (tomcat/conf/server.xml) :
<Connector [... AJP connector configuration ...] request.tomcatAuthentication="false"/>
This is really important because without it you tomcat won't retrieve any info from tomcat auth.
Don't forget too, DNS is really really really really important for a Kerberos install. If you have any issue try checking your DNS for all of your servers.