Bug 1327758
| Summary: | [GSS] (6.4.z) Mutual authentication with SSL fails to work with the LDAP security-realm | |||
|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | dhorton | |
| Component: | Domain Management, Security | Assignee: | Peter Palaga <ppalaga> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Simka <msimka> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.4.4 | CC: | bmaxwell, brian.stansberry, dandread, dhorton, ihradek, msochure, ppalaga, rstancel | |
| Target Milestone: | CR1 | |||
| Target Release: | EAP 6.4.16 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1455588 (view as bug list) | Environment: | ||
| Last Closed: | 2017-06-22 09:19:28 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1434495, 1455588 | |||
EAP 7 bug: https://issues.jboss.org/browse/JBEAP-4439 The upstream PR is under review https://github.com/wildfly/wildfly-core/pull/2331 Note that there is also an integration test https://github.com/wildfly/wildfly/pull/9961 > @Martin Švehla [1] > To be able to implement the test, prepare automation and integrate it into QE process we will need instances of OpenLDAP servers in our testing environment. > We will be able to provide a list of requirements for instances. Installation will be prepared by the eng-ops team. Manaully tested with OpenLDAP 2.4.44 on RHEL-7.3 and verified for EAP-6.4.16.CP.CR1; Note, that this fix is turned off by default and it might be enabled via system property `-Djboss.as.management.outbound.ldap.alwaysSendClientCert`. -- [1] https://issues.jboss.org/browse/JBEAP-10691?focusedCommentId=13420107&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13420107 Released on June 20 2017 as part of the EAP 6.4.16 maintenance release. |
Description of problem: I have configured the SSL realm as follows: <security-realms> <security-realm name="ldapSSL"> <server-identities> <ssl> <keystore path="client.keystore" keystore-password="123456"></keystore> </ssl> </server-identities> <authentication> <truststore path="client.truststore" keystore-password="123456"></truststore> </authentication> </security-realm> </security-realms> <outbound-connections> <ldap name="ldap_connection" url="ldaps://localhost:8443" search-dn="cn=Directory Manager" search-credential="test1234" security-realm="ldapSSL"></ldap> </outbound-connections> However, when the JBoss management interface is configured to use the LDAP security-realm that uses the "ldapSSL" security-realm, mutual authentication fails between JBoss and LDAP which results in an authentication failure at the JBoss management interface. There are two different LDAP connections being made. It looks like different threads handle the different LDAP requests. Interestingly, the threads do not share the SSL session so the second request triggers another handshake and this is where things break. If you use the -Djavax.net.ssl.keyStore system property instead of the SSL security realm to configure the keystore, then you can see the different threads share the SSL session so there is only one handshake.