Description of problem:
In case the server's management interface is secured, the AS7 plugin may not be able to execute CLI operations, because the CLI requires the server's certificate to be accepted. This resulted in Bug 1226413. But even after Bug 1226413 is fixed, users have to log in to the server and manually accept the certificate. The plugin should provide a way (i.e. an operation) that reads SSL-related pluginConfiguration properties and updates jboss-cli.xml as recommended in https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html/Security_Guide/Using_2-way_SSL_for_the_Management_interface_and_the_CLI.html

Version-Release number of selected component (if applicable):

How reproducible: always
branch: master
link: https://github.com/rhq-project/rhq/commit/ac7640c3c
time: 2015-07-28 13:07:12 +0200
commit: ac7640c3c90124a20accae64b347c9efcaee04ff
author: Libor Zoubek - lzoubek
message: Bug 1236631 - Add a way to setup SSL settings in jboss-cli.xml

Added operation called "Setup CLI" which can change jboss-cli.xml according to pluginConfiguration properties. It can configure SSL stuff + default controller host + port. Operation is present for Standalone and Host Controllers.

When setting up jboss-cli.xml security, truststore path+password can be either taken from plugin config and written as plaintext (default) or if using vault, it can be copied from server's standalone.xml. Supports all known scheme versions of jboss-cli.xml (earlier may fail to store truststore passwords using vault)
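A sketch of the kind of jboss-cli.xml rewrite the commit message above describes, added here as an example; it is not the RHQ plugin's code. The helper names, sample file, host, port and truststore path are constructed, and setting modify-trust-store to false is this example's own choice.

```python
import xml.etree.ElementTree as ET

# Constructed sample jboss-cli.xml (not from the page); namespace version is illustrative.
SAMPLE = """<jboss-cli xmlns="urn:jboss:cli:1.3">
    <default-controller>
        <host>localhost</host>
        <port>9999</port>
    </default-controller>
</jboss-cli>"""

VAULT_PREFIX = "${VAULT::"  # EAP vault expressions start with this marker


def _ns(root):
    """Namespace URI declared on the root element ('' if none)."""
    return root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""


def _child(parent, ns, name):
    """Return the named child of parent, creating it when missing."""
    tag = f"{{{ns}}}{name}" if ns else name
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)


def setup_cli(xml_text, host, port, trust_store, trust_store_password):
    """Hypothetical helper: set controller address and truststore in the XML text."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns)  # keep the file's own schema version on output
    ctrl = _child(root, ns, "default-controller")
    _child(ctrl, ns, "host").text = host
    _child(ctrl, ns, "port").text = str(port)
    ssl = _child(root, ns, "ssl")  # appended to the root when the file has none
    _child(ssl, ns, "trust-store").text = trust_store
    _child(ssl, ns, "trust-store-password").text = trust_store_password
    # Example's choice, not stated on the page: the CLI should not add certificates itself.
    _child(ssl, ns, "modify-trust-store").text = "false"
    return ET.tostring(root, encoding="unicode")


def password_is_plaintext(xml_text):
    """True when a trust-store-password is present and is not a vault expression."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    prefix = f"{{{ns}}}" if ns else ""
    value = root.findtext(f"{prefix}ssl/{prefix}trust-store-password")
    return value is not None and not value.startswith(VAULT_PREFIX)


if __name__ == "__main__":
    out = setup_cli(SAMPLE, "eap.example.test", 9999, "/path/to/truststore.jks", "changeit")
    print(out, password_is_plaintext(out))
```

With the plaintext default, the check returns True, which is the cue to restrict read access on jboss-cli.xml to the account that runs the CLI.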
Moving to MODIFIED as cherry-picked to release/jon3.3.x:

commit: e828b787d3321a6cdad6bae805b68f8c86d69780
Author: Libor Zoubek <lzoubek>
AuthorDate: Tue Jun 30 17:55:15 2015 +0200
Commit: Simeon Pinder <spinder>
CommitDate: Tue Mar 8 11:54:54 2016 -0500

Bug 1236631 - Add a way to setup SSL settings in jboss-cli.xml

Added operation called "Setup CLI" which can change jboss-cli.xml according
Moving to ON_QA as available for test with DR build: http://jon01.mw.lab.eng.bos.redhat.com:8042/dist/release/jon/plugins/eap/3.3/Update-03/DR02/jon-plugin-pack-eap-3.3.0.GA-update-03-DR02.zip
Tested on jon-plugin-pack-eap-3.3.0.GA-update-03-DR02.zip

It still shows error: "Unable to connect due to unrecognised server certificate. Server's certificate needs to be manually accepted by user."

Steps executed:
1. Register secured EAP6 into JON server which has new plugins.
2. Do all configurations and make sure EAP6 is shown UP.
3. Try to schedule some CLI command to be executed by agent on EAP6, for instance ":whoami". Execution result will be "Unable to connect due to unrecognised server certificate. Server's certificate needs to be manually accepted by user."
4. Manually accept certificate in EAP server CLI.
5. Try to reschedule the same CLI operation, now it will fail with:

"java.lang.Exception: jboss-cli execution failed with error code 1
    at org.rhq.core.pc.operation.OperationInvocation.run(OperationInvocation.java:278)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)"

The agent log output will be:

"016-03-10 07:28:26,351 INFO [ResourceContainer.invoker.nonDaemon-3] (modules.plugins.jbossas7.util.ProcessExecutionLogger)- Output from process execution:
-----------------------
org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
    at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:299)
    at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:265)
    at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.modules.Module.run(Module.java:312)
    at org.jboss.modules.Main.main(Main.java:473)
Caused by: org.jboss.as.cli.CommandLineException: Unable to authenticate against controller at 0.0.0.0:10099
    at org.jboss.as.cli.impl.CommandContextImpl.tryConnection(CommandContextImpl.java:1045)
    at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:888)
    at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:864)
    at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:297)
    ... 8 more
Caused by: javax.security.sasl.SaslException: Authentication failed: the server presented no authentication mechanisms
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:389)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
    at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
    at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
    at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
    at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:183)
    at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
    at org.xnio.nio.NioHandle.run(NioHandle.java:90)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:198)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:337)
    at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:84)
    at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:103)
    at org.jboss.as.protocol.ProtocolConnectionManager$EstablishingConnection.connect(ProtocolConnectionManager.java:256)
    at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)
    at org.jboss.as.protocol.mgmt.FutureManagementChannel$Establishing.getChannel(FutureManagementChannel.java:208)
    at org.jboss.as.cli.impl.CLIModelControllerClient.getOrCreateChannel(CLIModelControllerClient.java:169)
    at org.jboss.as.cli.impl.CLIModelControllerClient$2.getChannel(CLIModelControllerClient.java:129)
    at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:123)
    at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:98)
    at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263)
    at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168)
    at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147)
    at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:75)
    at org.jboss.as.cli.impl.CommandContextImpl.tryConnection(CommandContextImpl.java:1036)
    ... 11 more"
This means that the existing functionality, when the certificate is manually accepted, is broken as well.
Copying the discussion from IRC to make following the issue easier:

<Yak> hhovsepy: There's something missing from your steps though. You did not run the "Setup CLI" part at all?
<Yak> hhovsepy: That ticket is talking about adding a new operation (and nothing else)
<hhovsepy> Yak, isn't it done automatically?
<Yak> No
<Yak> At least the description does not say so
<Yak> Nor does the commit
<Yak> It's just a new operation sort of like the "setup RHQ user"
<Yak> And it hasn't touched any old functionality at all
<hhovsepy> Yak, ok thank you for hint, will check it now with "Setup CLI"
<Yak> So it can't break old functionality if you didn't run the command ;)
<Yak> The "old functionality" must have been broken in some change / EAP 6.4 update / etc
Tested with "Setup CLI" operation executed, it works fine.
This requires "Setup CLI" operation mentioned in the documentation. "For being able to execute CLI operation on secured EAP side, jboss-cli needs to accept certificate, this can be done via "Setup CLI" operation"
"Plugin JBoss EAP 7" is mentioned in this BZ as well, currently with jon-plugin-pack-eap-3.3.0.GA-update-03-DR02 we did not have EAP7 plugin. This BZ needs to be put back "ON_QA" on next build when EAP7 plugin will be received. I can not put it as VERIFIED now.
EAP7 should have its own BZ.
Cloned new BZ for EAP7 plugin: https://bugzilla.redhat.com/show_bug.cgi?id=1316623 For documentation: https://bugzilla.redhat.com/show_bug.cgi?id=1316631
Verified on jon-plugin-pack-eap-3.3.0.GA-update-03-DR02.zip