Bug 1277389
| Summary: | Default values for secure-socket-protocol parameters in rhq-server.properties and standalone-full.xml need updated to a valid protocol | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Operations Network | Reporter: | bkramer <bkramer> |
| Component: | Configuration | Assignee: | Simeon Pinder <spinder> |
| Status: | CLOSED ERRATA | QA Contact: | vsorokin <vsorokin> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | JON 3.3.4 | CC: | fbrychta, jshaughn, loleary, mfoley, mshirley, spinder, stianlund+bugzilla, tfonteyn, vsorokin |
| Target Milestone: | ER01 | Keywords: | Regression, Triaged |
| Target Release: | JON 3.3.5 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-02-03 15:03:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1277391 | ||
| Bug Blocks: | |||
Please note that the actual defaults are defined in standalone-full.xml provided by the JBoss ON server installer. The defaults in standalone-full.xml need to be updated. In addition, the values are also explicitly re-set in the default rhq-server.properties file. Therefore, the explicit settings need updated as well. Simeon, is this standalone-full.xml coming from productization EAP 6.4 part? Moving to ON_QA as available to test with the following brew build: JON Cumulative patch build: https://brewweb.devel.redhat.com/buildinfo?buildID=469635 *Note: jon-server-patch-3.3.0.GA.zip maps to DR01 build of jon-server-3.3.0.GA-update-05.zip. Reproduced in steps with parameters: unzipped from jon-server-3.3.0.GA.zip -- (edit by hands) jon-server-3.3.0.GA/bin/rhq-server.properties: rhq.communications.connector.transport=sslservlet rhq.communications.connector.bind-address= rhq.communications.connector.bind-port= rhq.communications.connector.transport-params=/jboss-remoting-servlet-invoker/ServerInvokerServlet rhq.server.tomcat.security.client-auth-mode=false rhq.server.client.security.server-auth-mode-enabled=false -- rhq-agent/conf/agent-configuration.xml: <entry key="rhq.communications.connector.transport" value="sslsocket" /> <entry key="rhq.agent.server.transport" value="sslservlet" /> <entry key="rhq.agent.server.bind-port" value="7443" /> -- bin/rhqctl.sh install --start bin/rhqctl.sh status first check of https://10.16.23.123:7443/ bin/rhqctl.sh stop -- unzip from jon-server-patch-3.3.0.GA.zip -> jon-server-3.3.0.GA-update-05/ apply-updates.sh <path-to-jon-3.3.0> -- second check of https://10.16.23.123:7443/ BINGO: No error is thrown and attempt to log in using https and 7443 works fine. RESOLUTION -> VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-0118.html |
Description of problem: Currently, security.secure-socket-protocol parameters from rhq-server.properties file are set as: ** rhq.server.client.security.secure-socket-protocol=TLS ** rhq.communications.connector.security.secure-socket-protocol=TLS ** rhq.server.tomcat.security.secure-socket-protocol=TLS This worked fine in all versions until JBoss ON 3.3.4. However, in JBoss ON 3.3.4, protocol without version is not accepted any more. So, above "TLS" value should be replaced with "TLSv1,TLSv1.1,TLSv1.2". Version-Release number of selected component (if applicable): JBoss ON 3.3.4 How reproducible: Always Steps to Reproduce: 1. Install JBoss ON 3.3.0; 2. Try to navigate to https://<jon-server-ip>:7443 and confirm that this works fine; 3. Upgrade to JBoss ON 3.3.4 4. Navigate to https://<jon-server-ip>:7443 and confirm that this failed. Actual results: Attempt to log in using https and 7443 port fails and on Firefox the following error is shown ssl_error_no_cypher_overlap. The same attempt on Chrome fails with ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. Expected results: No error is thrown and attempt to log in using https and 7443 works fine. Additional info: