Description of problem: EJB/remoting configuration does not propagate the certificate as credentials for authentication if mutual auth SSL was used for the connection. This makes it impossible to use the BaseCertLoginModule for authentication with SSL-protected EJBs.
Configure the 'ApplicationRealm' security-realm to have a keystore for its server-identity and a truststore in the authentication section to force mutual authentication:

<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
    </authentication>
</security-realm>

This forces SSL with mutual auth.

Configure the security-domain that is protecting the EJB to use the Remoting and CertificateRoles login modules:

<security-domain name="jmx-console" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="securityDomain" value="jmx-console"/>
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
            <module-option name="rolesProperties" value="/home/dehort/dev/java/jboss-eap-6.0.1/standalone/configuration/roles.properties"/>
            <module-option name="defaultRolesProperties" value="/home/dehort/dev/java/jboss-eap-6.0.1/standalone/configuration/defaultRoles.properties"/>
        </login-module>
    </authentication>
    <jsse keystore-password="123456" keystore-url="${jboss.server.config.dir}/server.truststore" truststore-password="123456" truststore-url="${jboss.server.config.dir}/server.truststore"/>
</security-domain>

The issue is that the Remoting login module does not get the certificate from the connection and store it as the user's credentials. This causes the CertificateRoles login module to attempt to retrieve the certificate using a callback, but that fails as well.
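The failure described in the comment above comes down to the JAAS password-stacking contract: with useFirstPass, the second module only reads the credential the first module placed in the shared state. The following stand-alone Java program is an added illustration (not JBoss code and not part of this bug report); ConnectionModule and CertRolesModule are hypothetical stand-ins for the Remoting and CertificateRoles modules, and the propagateCert switch is a constructed knob, false reproducing the reported behaviour and true showing the expected one.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class PasswordStackingDemo {
    // Shared-state key that password-stacking (useFirstPass) modules read the credential from.
    static final String CRED_KEY = "javax.security.auth.login.password";
    // Hypothetical switch: false mimics the reported bug (first module stores no credential).
    static boolean propagateCert = false;

    // Stand-in for the optional Remoting module: should store the TLS client certificate.
    public static class ConnectionModule implements LoginModule {
        private Map<String, Object> shared;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) {
            shared = (Map<String, Object>) st; // JAAS hands every module the same mutable map
        }
        public boolean login() {
            if (propagateCert) shared.put(CRED_KEY, "client cert from TLS session (constructed)");
            return true; // the transport already performed mutual auth, nothing to reject here
        }
        public boolean commit() { return true; } public boolean abort() { return true; } public boolean logout() { return true; }
    }

    // Stand-in for the required CertificateRoles module configured with useFirstPass.
    public static class CertRolesModule implements LoginModule {
        private Map<String, ?> shared;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { shared = st; }
        public boolean login() throws LoginException {
            if (shared.get(CRED_KEY) == null) // nothing stacked and no callback handler to fall back to
                throw new FailedLoginException("no certificate credential in shared state");
            return true;
        }
        public boolean commit() { return true; } public boolean abort() { return true; } public boolean logout() { return true; }
    }

    public static void main(String[] args) {
        Map<String, String> opts = Collections.singletonMap("password-stacking", "useFirstPass");
        Configuration cfg = new Configuration() { // same optional/required chain as the security-domain above
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(ConnectionModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, opts),
                    new AppConfigurationEntry(CertRolesModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        for (boolean p : new boolean[] { false, true }) { // first run reproduces the failure, second the fix
            propagateCert = p;
            try { new LoginContext("ejb", new Subject(), null, cfg).login(); System.out.println("propagate=" + p + " -> login succeeded"); }
            catch (LoginException e) { System.out.println("propagate=" + p + " -> " + e.getMessage()); }
        }
    }
}
```

The first iteration fails in the required module exactly as the report describes, while the second succeeds once the connection-level module stores the certificate for the stacked module to consume.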
Hi Derek, can you confirm that this is still an issue in 6.3 and needs to be addressed in 6.4 or in a 6.3.CP release? I'm trying to get rid of old unresolved EJB bugs. If this is not needed anymore, you may close it. Thanks.
It looks like this issue still exists.
Proposing for EAP 6.4
Strategic customer is asking for this to be included in a 6.3 CP release.
Please liaise with GSS on how to clone BZs for 6.3.x - this BZ is for 6.4.0 only.
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-3580 to Coding In Progress
Should be solved by remoting 3.3.3 upgrade https://bugzilla.redhat.com/show_bug.cgi?id=1129602, so setting to MODIFIED
It looks like it needs a Remoting upgrade to 3.3.4, see [1].
[1] https://issues.jboss.org/browse/REM3-192
That is correct, a Remoting upgrade is also required.
Verified in EAP 6.4.0.DR9