Bug 1299102 - [GSS](6.4.z) NPE when calling write-attribute on the keystore-password in SecurityRealmAddHandler.java:643
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
6.4.5
Unspecified Unspecified
unspecified Severity unspecified
: CR1
: EAP 6.4.12
Assigned To: Radovan Netuka
Josef Cacek
https://github.com/jbossas/jboss-eap/...
eap6412-proposed
Blocks: eap6412-payload
Reported: 2016-01-15 18:38 EST by Brad Maxwell
Modified: 2017-01-17 08:10 EST
Doc Type: Bug Fix
Last Closed: 2017-01-17 08:10:39 EST
Type: Bug
External Trackers:
JBoss Issue Tracker WFCORE-102 (Priority: Major; Status: Resolved; Last Updated: 2017-03-21 07:38 EDT): Remove the need for OSH authors to deal with ServiceVerificationHandler or removal of installed services in rollback

Description Brad Maxwell 2016-01-15 18:38:56 EST
Description of problem:

Setting up a security-realm using ssl with keystore as per:

https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-6.4/how-to-configure-server-security/#one_create_a_keystore_to_secure_the_management_console

Then if we try to change the keystore-password with this CLI command:

/core-service=management/security-realm=ManagementRealmHTTPS/server-identity=ssl/:write-attribute(name=keystore-password,value=newPassword)

It will fail with a NullPointerException:

[standalone@localhost:9999 /] /core-service=management/security-realm=ManagementRealmHTTPS/server-identity=ssl/:write-attribute(name=keystore-password,value=password1)
{
    "outcome" => "failed",
    "failure-description" => "JBAS014749: Operation handler failed: java.lang.NullPointerException",
    "rolled-back" => true
}

Invoking the command again will succeed and the standalone.xml will be updated correctly.

The workaround is to invoke the command again.

[standalone@localhost:9999 /] /core-service=management/security-realm=ManagementRealmHTTPS/server-identity=ssl/:write-attribute(name=keystore-password,value=password1)
{"outcome" => "success"}


The server side log is below:

17:36:18,361 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) JBAS014612: Operation ("write-attribute") failed - address: ([
    ("core-service" => "management"),
    ("security-realm" => "ManagementRealmHTTPS"),
    ("server-identity" => "ssl")
]): java.lang.NullPointerException
	at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addSSLServices(SecurityRealmAddHandler.java:643) [jboss-as-domain-management-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.domain.management.security.SecurityRealmAddHandler.installServices(SecurityRealmAddHandler.java:201) [jboss-as-domain-management-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.domain.management.security.SecurityRealmChildWriteAttributeHandler.recreateParentService(SecurityRealmChildWriteAttributeHandler.java:77) [jboss-as-domain-management-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.RestartParentWriteAttributeHandler.applyUpdateToRuntime(RestartParentWriteAttributeHandler.java:94) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.AbstractWriteAttributeHandler$1.execute(AbstractWriteAttributeHandler.java:135) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:702) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:537) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:338) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:314) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1144) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:331) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:201) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:208) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:135) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:153) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_45]
	at javax.security.auth.Subject.doAs(Subject.java:396) [rt.jar:1.6.0_45]
	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:94) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:153) [jboss-as-controller-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:298) [jboss-as-protocol-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:537) [jboss-as-protocol-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895) [rt.jar:1.6.0_45]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918) [rt.jar:1.6.0_45]
	at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
Comment 9 Radovan Netuka 2016-04-06 08:14:44 EDT
Looking at the code, there is definitely something wrong. 

Just see SecurityRealmChildWriteAttributeHandler#recreateParentService. This method calls SecurityRealmAddHandler.INSTANCE.installServices with newControllers hardcoded as null.

Let's see the (simplified) call stack:

1. SecurityRealmChildWriteAttributeHandler#recreateParentService
2. SecurityRealmAddHandler#installServices
3. SecurityRealmAddHandler#addSSLServices

In [1], the value is passed as hardcoded null. It is not overwritten anywhere inside [2], so the variable remains set to null and is passed to [3]. Here, the code tries to call a method on this variable, thus a NullPointerException.
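
The null hand-off described in comment 9, as an added example that is not part of the bug report or the EAP source: a simplified Java model in which the method and parameter names follow the comment, while the types, method bodies and the null guard are assumptions (the actual fix is not shown on this page).

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the call chain from comment 9. Method and parameter
// names follow the bug report; types and bodies are assumptions.
public class NewControllersNullDemo {

    // Before: dereferences newControllers unconditionally.
    static void addSSLServicesUnguarded(String realm, List<String> newControllers) {
        String controller = "ssl-context:" + realm; // stands in for the installed service
        newControllers.add(controller);             // NPE when the caller passed null
    }

    // After (assumed guard): the list is optional, so a caller that does not
    // track installed services, such as the write-attribute path, may pass null.
    static void addSSLServicesGuarded(String realm, List<String> newControllers) {
        String controller = "ssl-context:" + realm;
        if (newControllers != null) {
            newControllers.add(controller);
        }
    }

    // Models installServices: forwards the list without replacing it.
    static void installServices(String realm, List<String> newControllers, boolean guarded) {
        if (guarded) {
            addSSLServicesGuarded(realm, newControllers);
        } else {
            addSSLServicesUnguarded(realm, newControllers);
        }
    }

    // Models recreateParentService: newControllers is hardcoded as null.
    static String recreateParentService(String realm, boolean guarded) {
        try {
            installServices(realm, null, guarded);
            return "success";
        } catch (NullPointerException e) {
            return "failed: " + e.getClass().getName();
        }
    }

    public static void main(String[] args) {
        // Add path: the caller supplies a list, so even the unguarded code works.
        List<String> tracked = new ArrayList<>();
        installServices("ManagementRealmHTTPS", tracked, false);
        System.out.println("add path tracked: " + tracked);
        // Write-attribute path: the list is null.
        System.out.println("unguarded: " + recreateParentService("ManagementRealmHTTPS", false));
        System.out.println("guarded:   " + recreateParentService("ManagementRealmHTTPS", true));
    }
}
```
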
Comment 10 Radovan Netuka 2016-04-08 04:57:44 EDT
I've tried both fixes (as baranowb suggested above). Unfortunately, the application hangs for 5 minutes after which the result is "failed" anyway.

By running setup.sh

When setting up an incorrect password and performing a reload (last commands of setup.sh), if you then try to change the keystore password again, it triggers restartServices=true and then removeServices inside
RestartParentWriteAttributeHandler#applyUpdateToRuntime

Subsequently, awaitContainerStability is called with timeout 300000 (= 5 mins) in OperationContextImpl#ensureWriteLockForRuntime. But at this point, the container has an incorrect keystore password set in standalone.xml, thus it is not stable and the operation fails after the timeout.

Neither the remove nor the writing of the new password is performed.
Comment 11 Radovan Netuka 2016-04-12 09:41:04 EDT
The change above fixes the NullPointerException.

The third setting of keystore password still fails (now after 5 min timeout), but this is caused by the fact that the container has invalid configuration (wrong keystore password) and every CLI operation first waits for container validity. Since it's not valid, the operation fails with restart-required message. After container restart, the keystore password can be changed without problems.
Comment 12 Ivo Hradek 2016-11-23 10:02:09 EST
Verified with EAP 6.4.12.CP.CR1;

Note: Regarding the timeout, changing the password is still working as @Radovan explained in comment 11.
Comment 13 Petr Penicka 2017-01-17 08:10:39 EST
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.
