Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 996558

Summary: Https connection hangs after adding https connector
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Petr Sakař <psakar>
Component: WebAssignee: Jean-frederic Clere <jclere>
Status: CLOSED CURRENTRELEASE QA Contact: Radim Hatlapatka <rhatlapa>
Severity: high Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.1.1, 6.2.0CC: akostadi, asoldano, brian.stansberry, jcacek, jclere, jdoyle, myarboro, nobody, tcerar
Target Milestone: CR2   
Target Release: EAP 6.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
When adding an HTTPS connector via the management CLI, any attempted connection would hang, despite each command completing successful. The cause of the issue was that the connector was started as soon as it was created, yet its configuration was incomplete, preventing the connector working as expected. A workaround in this instance was to wrap the configuration commands in a `batch`, `end-batch` sequence, so that all configuration statements were completed together. The root cause of this issue has been resolved and access to a HTTP connector is successful, whether or not the configuration statements are completed in sequence or as a management CLI batch.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-15 16:17:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
server certificate
none
war with index.html none

Description Petr Sakař 2013-08-13 12:43:57 UTC 
Created attachment 786135 [details]
server certificate

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Start AS standalone server
1. Download attached war and keystore to /tmp/
2. Execute CLI command /core-service=management/security-realm=jbossws-cli-tests-https-realm/:add
Result {"outcome" => "success"}
3. Execute CLI command /subsystem=web/connector=jbossws-cli-tests-https-connector/:add(protocol="HTTP/1.1",scheme="https",secure=true, socket-binding=https,enabled=true)
Result {"outcome" => "success"}
4. Execute CLI command /subsystem=web/connector=jbossws-cli-tests-https-connector/ssl=configuration:add(password="changeit",certificate-key-file="/tmp/server.keystore",verify-client=false, key-alias=tomcat, protocol=https)
Result {"outcome" => "success"}
5. Execute CLI command deploy /tmp/test.war
Result {"outcome" => "success","result" => {"step-1" => {"outcome" => "success"},"step-2" => {"outcome" => "success"}}}
6. open in browser https://localhost:8443/test/index.html

Actual results:
page is not loaded, connection hangs


Expected results:
either page is correctly loaded 
 or 
operation result is reload required and page should not be available


Additional info:
after reload page is available
Comment 1 Petr Sakař 2013-08-13 12:44:58 UTC 
Created attachment 786136 [details]
war with index.html
Comment 2 Aleksandar Kostadinov 2013-09-21 17:17:00 UTC 
I'm also experiencing the same behavior when trying to add a native ssl connector. If I add the connector with two separate cli commands, then attempting to open a https URL results in connection hand and eventually timing out in the browser. Server restart fixes the issue.
On the other hand, using the same two commands to within a batch, makes everything work correctly.

The problem is that there is no error message in cli console or server log to indicate any problem. So user wouldn't know what's wrong.

FYI here is how I do that:
1. change native="true" in server config
2. start server
3. generate self-signed certificate with openssl
> openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -keyout certs/localhost.key -out certs/localhost.cert
4. use the following cli commands:
> /subsystem=web/connector=https:add(enabled="true", enable-lookups="false", secure="true", scheme="https", socket-binding="https", protocol="HTTP/1.1")
> {"outcome" => "success"}
> /subsystem=web/connector=https/configuration=ssl:add(name="native-https", certificate-file="/tmp/certs/localhost.cert", certificate-key-file="/tmp/certs/localhost.key")
> {"outcome" => "success"}
5. try to open https URL

As I already said, if I wrap the cli commands within batch/run-batch, then everything works correctly.
Comment 3 Jean-frederic Clere 2013-10-23 13:41:17 UTC 
I think that is unknown bug and no possible to fix it.
The connector starts without ssl and adding ssl doesn't tell to restart the server.
Comment 4 Jean-frederic Clere 2013-10-23 13:42:11 UTC 
if you use http:// instead https:// you should get a working connection.
Comment 5 Tomaz Cerar 2013-10-24 21:51:56 UTC 
This could be quite easily fixed, by restart-parent service handler on ssl:add() operation.

A workaround would be to add whole ssl connector configuration as part of batch.
Comment 8 John Doyle 2013-10-28 19:26:19 UTC 
Jean-Fredederic,

Do you have a comment on Tomaz's suggestion?  Can we try this for 6.2?
Comment 9 Jean-frederic Clere 2013-10-30 13:06:09 UTC 
Tomaz gave me an example I have a patch I need to test...
Comment 10 Jean-frederic Clere 2013-10-30 13:59:50 UTC 
Actually when adding ssl there is already a  message:
++++
[standalone@localhost:9999 /] /subsystem=web/connector=https/:add(socket-binding=https,protocol="HTTP/1.1",scheme="https")
{"outcome" => "success"}
[standalone@localhost:9999 /] /subsystem=web/connector=https/ssl=configuration:add
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
+++
Comment 11 Jean-frederic Clere 2013-11-01 14:39:37 UTC 
A quick try with "restart-parent service handler on ssl:add() " doesn't seem to work. I think we should move this one to 6.3.
Comment 12 Jean-frederic Clere 2013-11-04 16:37:56 UTC 
Tomaz helped me today on the topic. It is working I will do the pull request soon.
Comment 13 Jean-frederic Clere 2013-11-04 20:56:03 UTC 
See https://github.com/jbossas/jboss-eap/pull/662
Comment 16 mark yarborough 2013-11-07 19:08:08 UTC 
Tried to re-approve for 6.2 based on comments 14, 15 from Brian and John.
Comment 20 Petr Sakař 2013-11-18 07:41:44 UTC 
Verified for EAP 6.2.0.CR2 preview using procedure described in comment#0

Result of command from step 4 is "Reload-required", page is not available before reload and is available after reload
Comment 21 Aleksandar Kostadinov 2013-11-18 08:06:40 UTC 
Was not the fix to make the restart automatic on ssl add?
Comment 22 Jean-frederic Clere 2013-11-18 09:06:08 UTC 
it does you need {allow-resource-service-restart=true }
Comment 23 Jean-frederic Clere 2013-11-22 11:07:10 UTC 
cause:
When adding a connector it is started immediately.
So when a SSL connector in 2 steps (first the connector, then ssl to the connector) the connector was running without ssl.
Note that a message is displayed asking for restart.

the rest is in the BZ...
Comment 24 Aleksandar Kostadinov 2013-11-28 05:42:08 UTC 
Russel, as far as I see now the change is that reload required is returned as status instead of success. It's not like connector is restarted by default.
Comment 25 Jean-frederic Clere 2013-11-28 08:59:40 UTC 
The reload required was already returned but the connector wasn't restarted.