Bug 1027695 - Some configuration options for JSSE configuration are not used by installer.
Some configuration options for JSSE configuration are not used by installer.
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Installer (Show other bugs)
6.2.0
Unspecified Unspecified
unspecified Severity high
: CR2
: EAP 6.2.0
Assigned To: Francisco Canas
Petr Kremensky
Russell Dickenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-07 05:03 EST by Petr Kremensky
Modified: 2014-09-03 00:57 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-15 11:55:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Kremensky 2013-11-07 05:03:45 EST
Description of problem:
 There are some options which are not applied during configuration of JSSE element.
List of configuration options:
 - Cipher suites used by SSLContext
 - Protocols used by SSLContext
 - Alias of client-side keystore
 - Alias of server-side keystore
 - Third party validation token

Version-Release number of selected component (if applicable):
 EAP 6.2.0.ER7

How reproducible:
 Always

Steps to Reproduce:
 1. Run GUI installer. Go to Post-install configuration using default values.
 2. Choose to add a Security-domain. Pres "Next" on first Security-domain Configuration screen to get to JSSE configuration screen.
 3. Choose to add JSSE element. 
 4. Enter some values for:
 - Cipher suites used by SSLContext
 - Protocols used by SSLContext
 - Alias of client-side keystore
 - Alias of server-side keystore
 - Third party validation token
 5. Choose to add keystore/truststore element to be able to finish the installation.
 6. Start the server (you may see some error in logs If you enter some dummy values during configuration, ignore them)
 7. Navigate to $JBOSS_HOME/bin directory and run:
 - ./jboss-cli.sh -c /subsystem=security/security-domain=mySecurityDomain/jsse=classic:read-resource

Actual results:
listed options are not configured
{
    "outcome" => "success",
    "result" => {
        "additional-properties" => undefined,
        "cipher-suites" => undefined,
        "client-alias" => undefined,
        "client-auth" => undefined,
        "key-manager" => undefined,
        "keystore" => {
            "password" => "password",
            "type" => "JKS",
            "url" => "/home/pkremens/dummy.keystore"
        },
        "protocols" => undefined,
        "server-alias" => undefined,
        "service-auth-token" => undefined,
        "trust-manager" => undefined,
        "truststore" => undefined
    }
}

Expected results:
 cipher-suites, protocols, server-alias, client-alias ,and client-auth are configured with values entered in step 4.
Comment 1 Francisco Canas 2013-11-07 10:09:52 EST
I've corrected the variable names for the above properties, and the installer now sets them correctly during the post-install phase.

See: 
http://git.app.eng.bos.redhat.com/jbossas-installer.git/commit/?h=eap-6.2&id=05a511866b6402355df05a466ca12fed3fa8e6a3
Comment 2 Petr Kremensky 2013-11-15 04:01:27 EST
There is another bug in this. The command for creating jsse element is using wrong attribute names.

Actual:
... ,clientalias="server",serveralias="client" ...

Expected:
... ,client-alias="server",server-alias="client" ...

How about some validation that CLI batch ended with success for the future?
Comment 3 Francisco Canas 2013-11-15 10:28:50 EST
I've corrected the names of these two variables so the correct command is sent to the CLI.

See:
http://git.app.eng.bos.redhat.com/jbossas-installer.git/commit/?h=eap-6.2&id=10ae2134f9985e87124ad0d28c1b8de31913e35b
and
http://git.app.eng.bos.redhat.com/jbossas-installer.git/commit/?h=eap-6.2&id=a9e0e7e6a675de07749da6a3a80b8ecd8b5fa0ab

As to the validation:
Many of these CLI commands use only the variables/elements that are filled out by the user, so it's entirely possible (although very bad) that we hadn't tested client-alias and server-alias before, and thus never got the FAIL from the cli for using the wrong attribute names.

What will do for the future is create some xml installer configurations that we can run in auto-mode to test all of the different post-install fields. This way we'll hopefully catch more of these before ER/CR releases.
Comment 4 Petr Kremensky 2013-11-19 06:31:17 EST
Verified on EAP 6.2.0.CR2 isntaller, all configuration options listed above are now used.

Note You need to log in before you can comment on or make changes to this bug.