Bug 1327758 - [GSS] (6.4.z) Mutual authentication with SSL fails to work with the LDAP security-realm
Summary: [GSS] (6.4.z) Mutual authentication with SSL fails to work with the LDAP secu...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, Security
Version: 6.4.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: CR1
: EAP 6.4.16
Assignee: Peter Palaga
QA Contact: Martin Simka
URL:
Whiteboard:
Depends On:
Blocks: eap6416-payload 1455588
TreeView+ depends on / blocked
 
Reported: 2016-04-15 21:09 UTC by dhorton
Modified: 2021-06-10 11:16 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
: 1455588 (view as bug list)
Environment:
Last Closed: 2017-06-22 09:19:28 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-10691 0 Blocker Closed [GSS](7.1.z) mutual authentication with SSL fails to work with the LDAP security-realm 2018-08-10 20:51:15 UTC
Red Hat Issue Tracker JBEAP-4439 0 Major Closed [GSS](7.0.z) mutual authentication with SSL fails to work with the LDAP security-realm 2018-08-10 20:51:15 UTC
Red Hat Issue Tracker WFCORE-2647 0 Major Resolved Add an option to always send the client SSL certificate to LDAP server 2018-08-10 20:51:15 UTC
Red Hat Issue Tracker WFLY-8631 0 Major Closed Integration test for WFCORE-2647 Add an option to always send the client SSL certificate to LDAP server 2018-08-10 20:51:15 UTC

Description dhorton 2016-04-15 21:09:31 UTC 
Description of problem:

I have configured the SSL realm as follows:


    <security-realms>
        <security-realm name="ldapSSL">
          <server-identities>
            <ssl>
              <keystore path="client.keystore" keystore-password="123456"></keystore>
            </ssl>
          </server-identities>
          <authentication>
            <truststore path="client.truststore" keystore-password="123456"></truststore>
          </authentication>
        </security-realm>
    </security-realms>
    <outbound-connections>
        <ldap name="ldap_connection" url="ldaps://localhost:8443" search-dn="cn=Directory Manager" search-credential="test1234" security-realm="ldapSSL"></ldap>
    </outbound-connections>

However, when the JBoss management interface is configured to use the LDAP security-realm that uses the "ldapSSL" security-realm, mutual authentication fails between JBoss and LDAP which results in an authentication failure at the JBoss management interface.


There are two different LDAP connections being made. It looks like different threads handle the different LDAP requests. Interestingly, the threads do not share the SSL session so the second request triggers another handshake and this is where things break. If you use the -Djavax.net.ssl.keyStore system property instead of the SSL security realm to configure the keystore, then you can see the different threads share the SSL session so there is only one handshake.
Comment 1 dhorton 2016-04-29 16:38:26 UTC 
EAP 7 bug: https://issues.jboss.org/browse/JBEAP-4439
Comment 11 Peter Palaga 2017-04-27 07:09:04 UTC 
The upstream PR is under review https://github.com/wildfly/wildfly-core/pull/2331

Note that there is also an integration test https://github.com/wildfly/wildfly/pull/9961
Comment 15 Ivo Hradek 2017-06-19 06:21:04 UTC 
> @Martin Švehla [1]
> To be able to implement the test, prepare automation and integrate it into QE process we will need instances of OpenLDAP servers in our testing environment.
> We will be able to provide a list of requirements for instances. Installation will be prepared by the eng-ops team.
Manaully tested with OpenLDAP 2.4.44 on RHEL-7.3 and verified for EAP-6.4.16.CP.CR1;

Note, that this fix is turned off by default and it might be enabled via system property `-Djboss.as.management.outbound.ldap.alwaysSendClientCert`.
--
[1] https://issues.jboss.org/browse/JBEAP-10691?focusedCommentId=13420107&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13420107
Comment 16 Petr Penicka 2017-06-22 09:19:28 UTC 
Released on June 20 2017 as part of the EAP 6.4.16 maintenance release.
Note You need to log in before you can comment on or make changes to this bug.