Bug 1080069
| Summary: | (6.4.0) JSSE configuration in security domain is not persisted | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Josef Cacek <jcacek> |
| Component: | CLI | Assignee: | Alexey Loubyansky <olubyans> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Petr Kremensky <pkremens> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3.0 | CC: | brian.stansberry, chaowan, dandread, kkhan |
| Target Milestone: | DR1 | ||
| Target Release: | EAP 6.4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I had a mistake in the second command, it should be:
/subsystem=security/security-domain=trust-domain/jsse=classic:add(truststore={password=>1234test,url=>/home/jcacek/projects/ocsp-check/build/trusted-clients.jks})
Then it works.
Nevertheless it's probably still a bug, when the original command returns:
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
Only thing we can do here is improve validation for truststore & keystore attributes. pull request https://github.com/jbossas/jboss-eap/pull/1465 Kabir Khan <kabir.khan> updated the status of jira WFLY-3492 to Reopened I closed https://github.com/jbossas/jboss-eap/pull/1465, as per the discussion on https://issues.jboss.org/browse/WFLY-3492. It is a CLI issue, assigning to Alexey As discussed on WFLY-3492 this is not an issue in the security subsystem, it is rather how jboss cli is parsing complex parameters
The usage of '=>' in truststore=>{...} is wrong
/subsystem=security/security-domain=trust-domain/jsse=classic:add(truststore=>{password=>1234test,url=>/home/jcacek/projects/ocsp-check/build/trusted-clients.jks})
This ends up with truststore having a value of ">".
The correct syntax is to use '=', i.e. truststore={...}
Alexey's patch tightens up the validation to only allow the usage of '='/
Alexey Loubyansky <alex> updated the status of jira WFLY-3492 to Resolved Verified on EAP 6.4.0.DR1.1, command from description won't pass the validation now. |
When adding a jsse configuration in security domain through CLI, it's not persisted correctly. Steps to reproduce: * Run CLI (./jboss-cli.sh -c) and use this commands to configure new security domain: /subsystem=security/security-domain=trust-domain:add /subsystem=security/security-domain=trust-domain/jsse=classic:add(truststore=>{password=1234test,url=/home/jcacek/projects/ocsp-check/build/trusted-clients.jks}) reload * check standalone.xml, where should be sth. like <security-domain name="trust-domain"> <jsse truststore-password="1234test" truststore-url="/home/jcacek/projects/ocsp-check/build/trusted-clients.jks"/> </security-domain> But there is: <security-domain name="trust-domain"> <jsse/> </security-domain>