I need help understanding what I am missing here. I have an application running on Wildfly 26.1.3. I have a java application that uses JNDI to get access to java objects running on the server. While using an insecure port (9090 in this case), it can access everything it needs to. When I try to secure the port, the JNDI lookup's no longer work.
Here is example code that works with an insecure configuration:
Hashtable<String, String> p = new Hashtable<String, String>();
p.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFacName);
p.put(Context.PROVIDER_URL, providerURL);
Context jndiContext = new InitialContext(p);
// DEBUG - lists objects available to this jndiContext, which it is unable to get on HTTPS
List<NameClassPair> tmp = Collections.list(jndiContext.list(""));
The java client code is being called with the -Djavax.net.ssl.trustStoreProvider=SunMSCAPI -Djavax.net.ssl.trustStoreType=Windows-ROOT passed to the Java VM starting the client.
When I run the above client code with the server configured for HTTPS on 9090, here's the Error I get:
javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is java.io.IOException: Invalid response]
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:105)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
at org.wildfly.naming.client.remote.RemoteContext.lambda$listNative$6(RemoteContext.java:263)
at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:222)
at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
at org.wildfly.naming.client.remote.RemoteContext.listNative(RemoteContext.java:262)
at org.wildfly.naming.client.AbstractFederatingContext.list(AbstractFederatingContext.java:269)
at org.wildfly.naming.client.AbstractFederatingContext.list(AbstractFederatingContext.java:42)
at org.wildfly.naming.client.WildFlyRootContext.list(WildFlyRootContext.java:272)
at java.naming/javax.naming.InitialContext.list(InitialContext.java:453)
at com.rsc.mmpl.util.JMSSubscriber.init(JMSSubscriber.java:267)
at com.rsc.mmpl.appletutil.JMSSubscriber.init(JMSSubscriber.java:210)
at com.rsc.mmpl.appletutil.ServerNotificationRouter.init(ServerNotificationRouter.java:246)
at com.rsc.mmpl.application.impl.EquinoxApplication.initializeJMSBridge(EquinoxApplication.java:759)
at com.rsc.mmpl.application.impl.EquinoxApplication.login(EquinoxApplication.java:248)
at com.rsc.mmpl.application.osgi.EquinoxApplicationActivator.propsFileLoaded(EquinoxApplicationActivator.java:255)
at com.rsc.mmpl.application.impl.EquinoxApplication$3$1.run(EquinoxApplication.java:569)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:313)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Caused by: java.io.IOException: Invalid response
at org.xnio.http.HttpUpgradeParser.parseVersion(HttpUpgradeParser.java:164)
at org.xnio.http.HttpUpgradeParser.parse(HttpUpgradeParser.java:55)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener.handleEvent(HttpUpgrade.java:419)
at org.xnio.http.HttpUpgrade$HttpUpgradeState.flushUpgradeChannel(HttpUpgrade.java:369)
at org.xnio.http.HttpUpgrade$HttpUpgradeState.access$900(HttpUpgrade.java:165)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$ConnectionOpenListener.handleEvent(HttpUpgrade.java:340)
at org.xnio.http.HttpUpgrade$HttpUpgradeState$ConnectionOpenListener.handleEvent(HttpUpgrade.java:320)
at org.xnio.http.HttpUpgrade$HttpUpgradeState.upgradeExistingConnection(HttpUpgrade.java:315)
at org.xnio.http.HttpUpgrade.performUpgrade(HttpUpgrade.java:144)
at org.jboss.remoting3.remote.HttpUpgradeConnectionProvider$UpgradeListener.handleEvent(HttpUpgradeConnectionProvider.java:174)
at org.jboss.remoting3.remote.HttpUpgradeConnectionProvider$UpgradeListener.handleEvent(HttpUpgradeConnectionProvider.java:153)
at org.jboss.remoting3.remote.RemoteConnectionProvider$6.handleDone(RemoteConnectionProvider.java:283)
at org.jboss.remoting3.remote.RemoteConnectionProvider$6.handleDone(RemoteConnectionProvider.java:250)
at org.xnio.IoFuture$HandlingNotifier.notify(IoFuture.java:208)
at org.xnio.AbstractIoFuture$NotifierRunnable.run(AbstractIoFuture.java:720)
at org.xnio.IoUtils$2.execute(IoUtils.java:71)
at org.xnio.AbstractIoFuture.runNotifier(AbstractIoFuture.java:693)
at org.xnio.AbstractIoFuture$CompleteState.withNotifier(AbstractIoFuture.java:132)
at org.xnio.AbstractIoFuture.addNotifier(AbstractIoFuture.java:570)
at org.jboss.remoting3.remote.RemoteConnectionProvider.createSslConnection(RemoteConnectionProvider.java:250)
at org.jboss.remoting3.remote.HttpUpgradeConnectionProvider.createSslConnection(HttpUpgradeConnectionProvider.java:135)
at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:206)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:648)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:565)
at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:499)
at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:445)
at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)
at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:105)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
at org.wildfly.naming.client.remote.RemoteContext.lambda$listNative$6(RemoteContext.java:263)
at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:222)
at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
at org.wildfly.naming.client.remote.RemoteContext.listNative(RemoteContext.java:262)
at org.wildfly.naming.client.AbstractFederatingContext.list(AbstractFederatingContext.java:269)
at org.wildfly.naming.client.AbstractFederatingContext.list(AbstractFederatingContext.java:42)
at org.wildfly.naming.client.WildFlyRootContext.list(WildFlyRootContext.java:272)
at java.naming/javax.naming.InitialContext.list(InitialContext.java:453)
at com.rsc.mmpl.util.JMSSubscriber.init(JMSSubscriber.java:267)
at com.rsc.mmpl.appletutil.JMSSubscriber.init(JMSSubscriber.java:210)
at com.rsc.mmpl.appletutil.ServerNotificationRouter.init(ServerNotificationRouter.java:246)
at com.rsc.mmpl.application.impl.EquinoxApplication.initializeJMSBridge(EquinoxApplication.java:759)
at com.rsc.mmpl.application.impl.EquinoxApplication.login(EquinoxApplication.java:248)
at com.rsc.mmpl.application.osgi.EquinoxApplicationActivator.propsFileLoaded(EquinoxApplicationActivator.java:255)
at com.rsc.mmpl.application.impl.EquinoxApplication$3$1.run(EquinoxApplication.java:569)
at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:313)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:599)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:565)
at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:499)
at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:445)
at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentityPrivileged(RemoteNamingProvider.java:151)
at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$getFuturePeerIdentity$0(RemoteNamingProvider.java:138)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getFuturePeerIdentity(RemoteNamingProvider.java:138)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:106)
... 31 more
Standalone.xml for Wildfly server, truncated to the important parts. Note that the undertow configuration has a commented out https-listener element. I enable that one and disable the http-listener above it to change port 9090 to https:
<subsystem xmlns="urn:wildfly:elytron:15.1" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
<providers>
<aggregate-providers name="combined-providers">
<providers name="elytron"/>
<providers name="openssl"/>
</aggregate-providers>
<provider-loader name="elytron" module="org.wildfly.security.elytron"/>
<provider-loader name="openssl" module="org.wildfly.openssl"/>
</providers>
<audit-logging>
<file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
</audit-logging>
<security-domains>
<security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
<realm name="ManagementRealm" role-decoder="groups-to-roles"/>
<realm name="local" role-mapper="super-user-mapper"/>
</security-domain>
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
<realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
<realm name="local"/>
</security-domain>
</security-domains>
<security-realms>
<identity-realm name="local" identity="$local"/>
<properties-realm name="ApplicationRealm">
<users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
<groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
<properties-realm name="ManagementRealm">
<users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
<groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
</security-realms>
<mappers>
<simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
<permission-mapping>
<principal name="anonymous"/>
<permission-set name="default-permissions"/>
</permission-mapping>
<permission-mapping match-all="true">
<permission-set name="login-permission"/>
<permission-set name="default-permissions"/>
</permission-mapping>
</simple-permission-mapper>
<constant-realm-mapper name="local" realm-name="local"/>
<simple-role-decoder name="groups-to-roles" attribute="groups"/>
<constant-role-mapper name="super-user-mapper">
<role name="SuperUser"/>
</constant-role-mapper>
</mappers>
<permission-sets>
<permission-set name="login-permission">
<permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
</permission-set>
<permission-set name="default-permissions">
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-set>
</permission-sets>
<http>
<http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="DIGEST">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
<http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="BASIC">
<mechanism-realm realm-name="ApplicationRealm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
<provider-http-server-mechanism-factory name="global"/>
</http>
<sasl>
<sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ManagementRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
<mechanism-configuration>
<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
<mechanism mechanism-name="DIGEST-MD5">
<mechanism-realm realm-name="ApplicationRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
<properties>
<property name="wildfly.sasl.local-user.default-user" value="$local"/>
<property name="wildfly.sasl.local-user.challenge-path" value="${jboss.server.temp.dir}/auth"/>
</properties>
</configurable-sasl-server-factory>
<mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
<filters>
<filter provider-name="WildFlyElytron"/>
</filters>
</mechanism-provider-filtering-sasl-server-factory>
<provider-sasl-server-factory name="global"/>
</sasl>
<tls>
<key-stores>
<key-store name="applicationKS">
<credential-reference clear-text="password"/>
<implementation type="Windows-ROOT" provider-name="SunMSCAPI"/>
</key-store>
</key-stores>
<key-managers>
<key-manager name="applicationKM" key-store="applicationKS">
<credential-reference clear-text="password"/>
</key-manager>
</key-managers>
<server-ssl-contexts>
<server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
</server-ssl-contexts>
</tls>
<credential-stores>
<credential-store name="MMCredStore" relative-to="jboss.server.data.dir" path="fapsCred.cs" create="true">
<credential-reference clear-text="cleartextpassword"/>
</credential-store>
</credential-stores>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" />
</subsystem>
<subsystem xmlns="urn:jboss:domain:messaging-activemq:8.0">
<server name="default">
<statistics enabled="${wildfly.messaging-activemq.statistics-enabled:${wildfly.statistics-enabled:false}}"/>
<security enabled="false"/>
<address-setting name="#" dead-letter-address="jms.queue.DLQ" expiry-address="jms.queue.ExpiryQueue" max-size-bytes="10485760" page-size-bytes="2097152" message-counter-history-day-limit="10"/>
<http-connector name="http-connector" socket-binding="http" endpoint="http-acceptor"/>
<http-connector name="http-connector-throughput" socket-binding="http" endpoint="http-acceptor-throughput">
<param name="batch-delay" value="50"/>
</http-connector>
<in-vm-connector name="in-vm" server-id="0">
<param name="buffer-pooling" value="false"/>
</in-vm-connector>
<http-acceptor name="http-acceptor" http-listener="default"/>
<http-acceptor name="http-acceptor-throughput" http-listener="default">
<param name="batch-delay" value="50"/>
<param name="direct-deliver" value="false"/>
</http-acceptor>
<in-vm-acceptor name="in-vm" server-id="0">
<param name="buffer-pooling" value="false"/>
</in-vm-acceptor>
...
<connection-factory name="InVmConnectionFactory" entries="java:/ConnectionFactory java:/com.rsc.mmpl.TopicConnectionFactory java:/com.rsc.mmpl.Log4jTopicConnectionFactory" connectors="in-vm"/>
<connection-factory name="RemoteConnectionFactory" retry-interval="1000" reconnect-attempts="1000" entries="java:jboss/exported/jms/RemoteConnectionFactory java:jboss/exported/com.rsc.mmpl.TopicConnectionFactory java:jboss/exported/com.rsc.mmpl.Log4jTopicConnectionFactory" connectors="http-connector"/>
<pooled-connection-factory name="activemq-ra" transaction="xa" entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory" connectors="in-vm"/>
</server>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<!-- <https-listener name="default" socket-binding="http" ssl-context="applicationSSC" enable-http2="true"/> -->
<https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
</subsystem>
...
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:127.0.0.1}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="http" port="${jboss.http.port:9090}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
...
</socket-binding-group>
My client code does use jboss-client.jar, so I'm rather sure I'll need to update the configuration of my wildfly-config.xml file that the client reads. Trouble is, I don't know how to configure that to use the Windows-ROOT certificate store like the server is using. Here's the wildfly-client.xml as it stands... Could anyone instruct me on what to add to this file to allow my client JNDI lookups to communicate successfully with my server?
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<jboss-ejb-client xmlns="urn:jboss:wildfly-client-ejb:3.0">
<connections>
<connection uri="remote+http://<FQDNofHost>:9090"/>
</connections>
</jboss-ejb-client>
</configuration>
Found that adding this to my wildfly-config.xml fixed the issue: