A background process active on my Wildfly 10.0.0.Final needs to connect to a webservice using Axis. On the remote server, there is a self-signed certificate, which I imported in a truststore using openssl to get it from the remote server and they keytool to create the truststore and import the certificate into it.
I set up my Wildfly 10.0.0.Final's standalone.xml like this:
<security-realm name="SSLRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir"
keystore-password="mykeystorepassword" alias="myalias"
key-password="mykeypass" />
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks" relative-to="jboss.server.config.dir"
keystore-password="mytruststorepassword" />
</authentication>
</security-realm>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" />
<https-listener name="default-ssl" security-realm="SSLRealm" socket-binding="https" />
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content" />
</host>
</server>
but still, when the background process tries to connect to the remote service, I obtain the following exception:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
Any idea how to solve this issue? It seems like the truststore is not being used or something like this...
I had the same problem and could only solve it by adding parameters to the startup script for wildfly:
-Djavax.net.ssl.trustStore=foo.jks
-Djavax.net.ssl.trustStorePassword=bar
which, of course, overrides the default cacerts.
But I am unclear why the truststore defined in the security-realm seems to be ignored.
Related
Maybe this question already has but I think there is a different situation.
I configure all required things from the web config file and install certificates.
I consume java web service in ASP.NET WEB API.
SOAP service was configured mutual authentication. (Two-way SSL)
I have 2 Keystore files. (client.jks and truststore.jks)
My full error: This could be due to the fact that the server certificate is
not configured properly with HTTP.SYS in the HTTPS case.
This could also be caused by a mismatch of the security binding between
the client and the server.'
WebConfig:
<customBinding>
<binding name="MyBinding">
<textMessageEncoding messageVersion="Soap11"/>
<security authenticationMode="MutualCertificate" enableUnsecuredResponse="true" allowSerializedSigningTokenOnReply="true"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
includeTimestamp="false">
</security>
<httpsTransport />
</binding>
</customBinding>
<endpoint behaviorConfiguration="ClientCredentialsBehavior" address="https://abc.bank.dm:9193/Money/Money" binding="customBinding" bindingConfiguration="MyBinding" contract="Ref.Port" name="Port">
<identity>
<dns value="test"/>
</identity>
</endpoint>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCredentialsBehavior">
<clientCredentials>
<clientCertificate findValue="2d73n94087857dndyr874ydr"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindByThumbprint" />
<serviceCertificate>
<defaultCertificate findValue="d346n32d48938w43d943095d"
storeLocation="CurrentUser"
storeName="TrustedPeople"
x509FindType="FindByThumbprint" />
<authentication certificateValidationMode="None" revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
Try to specify the same protocol on the client and server. Add the following code in the client:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
Here is the reference: TLS 1.2
Running Wildfly 16, I specify a security domain in my application's WEB-INF/jboss-web.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>MyDomain</security-domain>
</jboss-web>
In Wildfly's standalone.xml in the undertow section I specify that security domain as application security domain as follows:
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
...
<application-security-domains>
<application-security-domain name="MyDomain" security-domain="OAuth2Domain"/>
</application-security-domains>
Next, in the elytron section I specify the security domain as follows:
<subsystem xmlns="urn:wildfly:elytron:6.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
...
<security-domain name="OAuth2Domain" default-realm="OAuth2Realm" permission-mapper="default-permission-mapper">
<realm name="OAuth2Realm"/>
</security-domain>
Of course, also OAuth2Realm is subsequently defined and Wildfly starts without complaint. However, when accessing the application through http, Wildfly always uses the security domain "other" in the legacy security section, rather than my security domain in the elytron section. How can I force Wildfly to use my Elytron security domain?
Found the solution: The application is using programmatic login using a JAAS login context, but this knows only the security domains defined in the legacy security system. To login programmatically against a domain in the elytron system an elytron authentication context must be used, as described in https://docs.jboss.org/author/display/WFLY/Client%20Authentication%20with%20Elytron%20Client.html
I have two Wildfly 18 instances running locally: n1 and n2. I would like instance n2 to consume instance n1's produced messages in order to take steps towards a HA scenario.
After reading the RH EAP docs,
I have done the following:
1- Defined a Exposed JMS Queue on n2. Also, I added security settings and Remote Factory in the ActiveMQ Submodule:
[...]
<server name="default">
<security-setting name="#">
<role name="guest" send="true" consume="true" create-non-durable-queue="true" delete-non-durable-queue="true"/>
</security-setting>
[...]
<jms-queue name="testQueue" entries="queue/test java:jboss/exported/jms/queue/test"/>
<connection-factory name="RemoteConnectionFactory" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="http-connector" ha="true" block-on-acknowledge="true" reconnect-attempts="-1"/>
</server>
[...]
2- I configured JGroups via TCPPING with an initial list of nodes to join the cluster, in order to achieve cluster discovery:
[...]
<protocol type="org.jgroups.protocols.TCPPING">
<property name="initial_hosts">127.0.0.1[8600]</property>
<property name="port_range">0</property>
</protocol>
[...]
3- Then I brought up the two instances, and there I get the following messages in the app logs:
(Thread-12 (ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6#7124120f)) AMQ221027: Bridge ClusterConnectionBridge#c6997b5 [name=$.artemis.internal.sf.my-cluster.f3561996-f354-11ea-83cc-4c32759d60cf, queue=QueueImpl[name=$.artemis.internal.sf.my-cluster.f3561996-f354-11ea-83cc-4c32759d60cf, postOffice=PostOfficeImpl [server=ActiveMQServerImpl::serverUUID=c9af42f1-f354-11ea-8e25-4c32759d60cf], temp=false]#2747e684 targetConnector=ServerLocatorImpl (identity=(Cluster-connection-bridge::ClusterConnectionBridge#c6997b5 [name=$.artemis.internal.sf.my-cluster.f3561996-f354-11ea-83cc-4c32759d60cf, queue=QueueImpl[name=$.artemis.internal.sf.my-cluster.f3561996-f354-11ea-83cc-4c32759d60cf, postOffice=PostOfficeImpl [server=ActiveMQServerImpl::serverUUID=c9af42f1-f354-11ea-8e25-4c32759d60cf], temp=false]#2747e684 targetConnector=ServerLocatorImpl [initialConnectors=[TransportConfiguration(name=http-connector, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?httpUpgradeEndpoint=http-acceptor&activemqServerName=default&httpUpgradeEnabled=true&port=<port_number>&host=localhost], discoveryGroupConfiguration=null]]::ClusterConnectionImpl#1775690639[nodeUUID=c9af42f1-f354-11ea-8e25-4c32759d60cf, connector=TransportConfiguration(name=http-connector, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?httpUpgradeEndpoint=http-acceptor&activemqServerName=default&httpUpgradeEnabled=true&port=8323&host=localhost, address=jms, server=ActiveMQServerImpl::serverUUID=c9af42f1-f354-11ea-8e25-4c32759d60cf])) [initialConnectors=[TransportConfiguration(name=http-connector, factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory) ?httpUpgradeEndpoint=http-acceptor&activemqServerName=default&httpUpgradeEnabled=true&port=<port_number>&host=localhost], discoveryGroupConfiguration=null]] is connected
But when I try to send messages from n1 to n2 using the following JNDI conf,
java.naming.factory.initial = org.wildfly.naming.client.WildFlyInitialContextFactory
java.naming.provider.url = remote://localhost:8323
java.naming.security.principal = ***
java.naming.security.credentials = ***
Connection Factory JNDI name = jms/RemoteConnectionFactory
Queue JNDI name = jms/queue/test
... I get this error after a certain timeout (~30s):
javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is java.io.IOException: JBREM000202: Abrupt close on Remoting connection 4ba0f2c1 to localhost/127.0.0.1:8323 of endpoint (anonymous)
I have tried to connect to the same queue using a simple JMS client (https://plugins.jetbrains.com/plugin/10949-jms-messenger), and I was actually able to connect, as I at least got the following error:
ERROR [com.my.app.Receiver] (Thread-14 (ActiveMQ-client-global-threads)) Unknown message: ActiveMQMessage[ID:5f71e993-f377-11ea-acfc-169f02eb582c]:PERSISTENT/ClientMessageImpl[messageID=442, durable=true, address=jms.queue.test,userID=5f71e993-f377-11ea-acfc-169f02eb582c,properties=TypedProperties[__AMQ_CID=5f684ca0-f377-11ea-acfc-169f02eb582c,_AMQ_ROUTING_TYPE=1]]
Could you please hint me on what is wrong and explain why that is? Thanks a lot
I solved this issue by working on the Wildfly and JNDI configuration. Though the error message was very generic, at least in my case, the following Wildfly config:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:8.0">
<server name="default">
<http-acceptor name="http-acceptor-throughput" http-listener="messaging">
<param name="batch-delay" value="50"/>
<param name="direct-deliver" value="false"/>
</http-acceptor>
...
<http-connector name="http-connector-throughput" socket-binding="messaging-throughput" endpoint="http-acceptor-throughput">
<param name="batch-delay" value="50"/>
</http-connector>
...
<jms-queue name="test" entries="queue/test java:jboss/exported/jms/test"/>
<broadcast-group name="bg-group1" jgroups-cluster="activemq-cluster" broadcast-period="5000" connectors="http-connector"/>
<discovery-group name="dg-group1" jgroups-cluster="activemq-cluster"/>
...
<connection-factory name="RemoteConnectionFactory" entries="java:jboss/exported/jms/RemoteConnectionFactory" connectors="http-connector" ha="true" block-on-acknowledge="true" reconnect-attempts="-1"/>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="messaging-remoting-connector" connector-ref="messaging-http" security-realm="ApplicationRealm"/>
</subsystem>
...
<socket-binding-group ... >
...
<socket-binding name="messaging" port="8323"/>
<socket-binding name="messaging-throughput" port="8324"/>
...
</socket-binding-group>
Worked with the following JNDI config:
java.naming.factory.initial = org.wildfly.naming.client.WildFlyInitialContextFactory
java.naming.provider.url = remote://localhost:8323
java.naming.security.principal = ***
java.naming.security.credentials = ***
Connection Factory JNDI name = jms/RemoteConnectionFactory
Queue JNDI name = jms/test
Also, as the principal/credentials were not part of the ApplicationRealm, I started getting a 403 HTTP response code (upon calling the messaging endpoint). In order to get that working too, I had to add the user and related credential using the add-user.sh script (found in the Wildfly /bin folder).
When ever I try to run my web application which was running fine before I keep getting the error
java.lang.IllegalArgumentException: C:\Users\user\.IntelliJIdea2019.2\system\tomcat\projectName\conf\localhost-rsa.jks (The system cannot find the file specified)
So I diged into the problem and found my server.xml
<Server port="8090" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
</SSLHostConfig>
</Connector>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
</Realm>
<Host name="localhost" appBase="C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps" unpackWARs="true" autoDeploy="true" deployOnStartup="false" deployIgnore="^(?!(manager)|(tomee)$).*">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
Here I think the problem is there is a connector element with port 8443 which refers to the certificate , As I do not need https I remove the connector and restart the server from IntelliJ but the connector re appears and I have'nt specified any https port in run configuration too.
What Am I doing wrong ? How could I fix this ?
Remove redirectPort="8443", redirectPort used for handling https
<Connector port="8009" protocol="AJP/1.3" />
redirect port will come into picture when SSL request will come to the server and since http connector port cannot handle SSL requests it will redirect to the port defined.
Check your project application server settings.
Create new application server use that for running app.
https://www.jetbrains.com/help/idea/configuring-and-managing-application-server-integration.html
I think you got code from somewhere which has settings for httpd and you cant figure out how to remove it.
Check your project application server settings.
Create new application server use that for running app.
https://www.jetbrains.com/help/idea/configuring-and-managing-application-server-integration.html
I think you got code from somewhere which has settings for httpd and you cant figure out how to remove it.
Check for JKS file or create new.
JKS stands for Java KeyStore. It is a repository of certificates (signed public keys) and [private] keys. You can export a certificate stored in a JKS file into a separate file. You can use the "keytool" utility found in Java distributions to maintain your JKS trust and key repositories. Like other types of key repositories (e.g., PKCS12, CMS), a JKS repository is protected by a password because it may contain private keys, which must be protected because they are used to decrypt information encrypted by public keys. [Private] keys in repositories are also protected by a "key password," which may be the same as the key repository's password (not a good practice).
The following command would export the certificate associated with the alias/label "mycert" in the JKS file "mykeys.jks". The output file "mycert.cer" would contain the certificate (i.e., the signed public key) only.
keytool -exportcert -rfc -alias mycert -file mycert.cer -keystore mykeys.jks -storepass passw0rd
I am trying to configure one way ssl self signed on jboss-as-7.1.1.Final.
i have created a keystore using java keytool
following is the command i have used to generate the keystore
keytool -genkey -alias foo -keyalg RSA -keystore foo.keystore -validity 10950
the keystore was generated. i have alos modified the standalone.xml file
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="password" certificate-key-file="D:\Projects\Fiserv\certificate\self signed\foo.keystore" protocol="TLSv1" verify-client="true"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
http wprks fine, but when i use https, i get the below error
Certificate-based authentication failed
Hide details
This server requires a certificate for authentication, and didn't accept the one sent by the browser. Your certificate may have expired, or the server may not trust its issuer. You can try again with a different certificate, if you have one, or you may have to obtain a valid certificate from elsewhere.
Error code: ERR_BAD_SSL_CLIENT_AUTH_CERT
You need to set verify-client="true" to false. You have now specified that the client must also present a certificate (ie. mutual authentication). Thats also what the error code says: ERR_BAD_SSL_CLIENT_AUTH_CERT