Bug 953200 - (6.4.0) EJB/remoting configuration does not propagate the certificate as credentials for authentication if mutual auth SSL was used for the connection
Summary: (6.4.0) EJB/remoting configuration does not propagate the certificate as cred...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB
Version: 6.0.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR9
Target Release: EAP 6.4.0
Assignee: Darran Lofthouse
QA Contact: Jan Martiska
URL:
Whiteboard:
Depends On: 1149618
Blocks: 1123505 1129602
Reported: 2013-04-17 15:37 UTC by Derek Horton
Modified: 2019-08-19 12:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1123505
Environment:
Last Closed: 2019-08-19 12:38:23 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFLY-3580 0 Major Resolved Remoting LoginModule does not propagate the certificate as credentials for authentication if mutual auth SSL was used fo... 2016-11-04 08:24:20 UTC
Red Hat Issue Tracker WFLY-764 0 Major Resolved Enhance the security realm plug-in mechanism for client-cert / external verification. 2016-11-04 08:24:20 UTC

Description Derek Horton 2013-04-17 15:37:58 UTC
Description of problem:
EJB/remoting configuration does not propagate the certificate as credentials for authentication if mutual auth SSL was used for the connection.  This makes it impossible to use the BaseCertLoginModule for authentication with SSL protected EJBs.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Derek Horton 2013-04-17 15:47:30 UTC
Configure the 'ApplicationRealm' security-realm to have a keystore for its server-identity and a truststore in the authentication section to force mutual authentication:

    <security-realm name="ApplicationRealm">
        <server-identities>
            <ssl>
                <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
        </authentication>
    </security-realm>

This forces SSL with mutual auth.

Configure the security-domain that is protecting the EJB to use the Remoting and CertificateRoles login module.

    <security-domain name="jmx-console" cache-type="default">
        <authentication>
            <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="CertificateRoles" flag="required">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="securityDomain" value="jmx-console"/>
                <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                <module-option name="rolesProperties" value="/home/dehort/dev/java/jboss-eap-6.0.1/standalone/configuration/roles.properties"/>
                <module-option name="defaultRolesProperties" value="/home/dehort/dev/java/jboss-eap-6.0.1/standalone/configuration/defaultRoles.properties"/>
            </login-module>
        </authentication>
        <jsse keystore-password="123456" keystore-url="${jboss.server.config.dir}/server.truststore" truststore-password="123456" truststore-url="${jboss.server.config.dir}/server.truststore"/>
    </security-domain>

The issue is that the Remoting login module does not get the certificate from the connection and store it as the user's credentials.  This causes the CertificateRoles login module to attempt to retrieve the certificate using a callback, but that fails as well.
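The following Java snippet is an added illustration, not code from EAP, PicketBox or this bug's fix. It models the password-stacking handoff that the stacked Remoting and CertificateRoles configuration above depends on: the first module is expected to take the peer certificate off the connection and publish it in the JAAS shared state under the standard "javax.security.auth.login.password" key, and the second module, running with password-stacking=useFirstPass, reads it from there. When the first module skips that step (the behaviour this bug describes), the required second module fails. The class names ConnectionCertLoginModule, CertCredentialCheckModule and Connection, the "connection" option used to inject the peer certificate, and the fakeCert() stand-in are constructed for the example; a real certificate would come from SSLSession.getPeerCertificates().

```java
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CertStackingDemo {
    // Shared-state keys used by the standard JAAS password-stacking convention.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASSWORD_KEY = "javax.security.auth.login.password";

    /** Hypothetical stand-in for the Remoting connection; peerCert is null without client auth. */
    static final class Connection {
        final Certificate peerCert;
        Connection(Certificate peerCert) { this.peerCert = peerCert; }
    }

    /** Hypothetical first module: what the page expects the Remoting module to do. */
    static final class ConnectionCertLoginModule implements LoginModule {
        private Map<String, Object> shared;
        private Connection conn;
        private final boolean propagateCert;   // false reproduces the reported bug

        ConnectionCertLoginModule(boolean propagateCert) { this.propagateCert = propagateCert; }

        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            shared = (Map<String, Object>) sharedState;
            conn = (Connection) options.get("connection");   // injected for the demo
        }
        public boolean login() {
            if (conn == null || conn.peerCert == null || !propagateCert) {
                return false;   // flag="optional": contribute nothing, let the stack continue
            }
            String name = conn.peerCert instanceof X509Certificate
                    ? ((X509Certificate) conn.peerCert).getSubjectX500Principal().getName()
                    : conn.peerCert.getType();
            shared.put(NAME_KEY, name);
            shared.put(PASSWORD_KEY, conn.peerCert);   // the credential CertificateRoles needs
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Hypothetical second module: with useFirstPass it must find the certificate in sharedState. */
    static final class CertCredentialCheckModule implements LoginModule {
        private Map<String, ?> shared;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            shared = sharedState;
        }
        public boolean login() throws LoginException {
            Object cred = shared.get(PASSWORD_KEY);
            if (!(cred instanceof Certificate)) {
                throw new LoginException("no certificate credential in shared state");
            }
            // A real CertificateRoles module would now run the configured verifier against
            // the truststore and map the subject DN to roles; AnyCertVerifier accepts any cert.
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Runs the two modules in the order the security-domain lists them. */
    static boolean authenticate(Connection conn, boolean firstModulePropagatesCert) {
        Map<String, Object> shared = new HashMap<>();
        Map<String, Object> opts = new HashMap<>();
        opts.put("connection", conn);
        LoginModule first = new ConnectionCertLoginModule(firstModulePropagatesCert);
        LoginModule second = new CertCredentialCheckModule();
        first.initialize(new Subject(), null, shared, opts);
        second.initialize(new Subject(), null, shared, new HashMap<String, Object>());
        try {
            first.login();            // optional module: may return false
            return second.login();    // required module: throws when nothing was stacked
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
            return false;
        }
    }

    /** Constructed placeholder certificate so the demo runs offline. */
    static Certificate fakeCert() {
        return new Certificate("X.509") {
            public byte[] getEncoded() { return new byte[0]; }
            public void verify(PublicKey key) { }
            public void verify(PublicKey key, String sigProvider) { }
            public String toString() { return "constructed-demo-cert"; }
            public PublicKey getPublicKey() { return null; }
        };
    }

    public static void main(String[] args) {
        System.out.println("cert propagated:     " + authenticate(new Connection(fakeCert()), true));
        System.out.println("cert not propagated: " + authenticate(new Connection(fakeCert()), false));
        System.out.println("no client cert:      " + authenticate(new Connection(null), true));
    }
}
```

Running it prints true for the first case and false for the other two: the required module fails whenever the optional module did not place a certificate in the shared state, which is exactly the symptom reported against the Remoting module here.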

Comment 3 Jan Martiska 2014-07-02 10:30:26 UTC
Hi Derek, can you confirm that this is still an issue in 6.3 and needs to be addressed in 6.4 or in a 6.3.CP release? I'm trying to get rid of old unresolved EJB bugs. If this is not needed anymore, you may close it. Thanks.

Comment 4 Derek Horton 2014-07-03 13:45:03 UTC
It looks like this issue still exists.

Comment 5 Jan Martiska 2014-07-07 12:12:41 UTC
Proposing for EAP 6.4

Comment 6 Andrea Hoffer 2014-07-21 21:55:15 UTC
Strategic customer is asking for this to be included in a 6.3 CP release.

Comment 7 Darran Lofthouse 2014-07-22 09:15:24 UTC
Please liaise with GSS on how to clone BZs for 6.3.x - this BZ is for 6.4.0 only.

Comment 8 JBoss JIRA Server 2014-08-19 17:12:39 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-3580 to Coding In Progress

Comment 9 Kabir Khan 2014-08-22 15:37:42 UTC
Should be solved by remoting 3.3.3 upgrade https://bugzilla.redhat.com/show_bug.cgi?id=1129602, so setting to MODIFIED

Comment 10 Ivo Studensky 2014-09-24 14:18:04 UTC
It looks like it needs remoting upgrade to 3.3.4, see [1].

https://issues.jboss.org/browse/REM3-192

Comment 11 Darran Lofthouse 2014-09-24 14:32:55 UTC
That is correct, a Remoting upgrade is also required.

Comment 19 Jan Martiska 2014-11-14 08:54:12 UTC
Verified in EAP 6.4.0.DR9

