Channel: C2B2 Blog

Configuring JBoss Management authentication with LDAP over SSL


Overview

In this blog, we will discuss how to set up a JBoss domain controller node and a slave host controller node so that users stored in an LDAP server can authenticate against the JBoss HTTP and native management interfaces. Users will be authenticated using LDAP over SSL (LDAPS). We demonstrate this for users stored in OpenLDAP using one-way SSL, whereby the JBoss server verifies the identity of the LDAP server host but the LDAP server does not require a client certificate from JBoss.

Software Prerequisites

We used the following software during this test setup:

1. OpenLDAP 2.4.39 (Windows)
2. JBoss EAP 6.1.1
3. JDK HotSpot 1.7.0_51
4. JXplorer (optional LDAP browser tool)

Test Topology

In this blog, we will not discuss the details of how to use OpenSSL or the JDK keytool utility to generate new certificates, to create a new keystore, or to import certificates into the keystore we use. The principal focus is on how to configure the JBoss cluster nodes to authenticate users stored in an external LDAP directory, with the communication between the JBoss domain controller and the LDAP server running over SSL.

Figure 1
Figure 1 gives a broad overview of the test environment. It consists of a two-node JBoss cluster in which the domain controller and the slave host controller run on different host machines, plus a third host machine that runs the OpenLDAP user repository.

SSL and Certificate Generation


In the test setup above, we used OpenSSL and the JDK keytool utility to do the following:

1. Generate a new self-signed certificate using OpenSSL. Ensure that the common name (CN) matches the host name of the machine the LDAP server resides on, because it is that host name that JBoss will put in the ldaps:// URL later.
2. Configure OpenLDAP to use the new certificate. This can be done either by using JXplorer or by modifying the OpenLDAP server configuration file (slapd.conf) as below, where ldapserver.pem is the new certificate. Because the same PEM file here also holds the private key, restrict its file permissions to the account slapd runs as:

    TLSCertificateFile ./secure/certs/ldapserver.pem
    TLSCertificateKeyFile ./secure/certs/ldapserver.pem
    TLSCACertificateFile ./secure/certs/ldapserver.pem

3. Create a new keystore to be used by the JBoss domain controller node and import the self-signed certificate from step 1 into it as a trusted certificate; it acts purely as a truststore, since no client key is needed for one-way SSL. The keystore used by the JBoss domain controller node is the file <JBOSS_HOME>/domain/configuration/client.keystore. Running keytool -list -v -keystore client.keystore should show the LDAP server's certificate with entry type trustedCertEntry.

4. Add a new user to the directory server with these credentials:
   username: uid=davew,ou=People,dc=maxcrc,dc=com
   password: password



Now that the LDAP server has been configured to use the new certificate and the truststore has been set up for the domain controller node, we will configure both JBoss nodes in the cluster to authenticate against users in the LDAP directory over SSL.

JBoss Configuration


There are a number of steps which we must perform to configure both the domain controller and remote host controller nodes to communicate with the LDAP server over SSL. We will now discuss each.

Domain Controller Setup

There are 4 main configuration steps which we must perform to setup the domain controller node to authenticate against the LDAP server over SSL. All these steps are performed in the host controller configuration file (in this case host.xml) residing on the domain controller node.

1. Set up a new security realm in host.xml. In the realm's authentication element, reference a new LDAP connection by name, give the base-dn under which the users are held, and name the attribute that identifies a user, so that when the search is performed with a user that has search privileges on the directory server, entries are matched on their uid attribute:

<security-realm name="LdapSSLConnection">
    <authentication>
        <ldap connection="ldapremote" base-dn="ou=People,dc=maxcrc,dc=com" recursive="true">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
</security-realm>

2. Create a new outbound connection giving the host and SSL port the LDAP server is listening on (an ldaps:// URL, not ldap://) together with the credentials of the user who is permitted to search the directory; the attribute name in the EAP 6 host schema is search-dn. In this case cn=Manager,dc=maxcrc,dc=com has administrative permissions, which is more than a search account needs, and its search-credential sits in clear text in host.xml (see Next steps for the vault):

<outbound-connections>
    <ldap name="ldapremote" url="ldaps://dwinters-pc:636" search-dn="cn=Manager,dc=maxcrc,dc=com" search-credential="secret"/>
</outbound-connections>

3. We now need to configure the native and HTTP management interfaces to use the new LDAP security realm. Note that once both interfaces reference LdapSSLConnection, the users in mgmt-users.properties and the silent local authentication that the default ManagementRealm gives the CLI no longer apply: every login goes to the LDAP server, and if the LDAP server is unreachable nobody can log in to the management interfaces until host.xml is edited back.

<management-interfaces>
    <native-interface security-realm="LdapSSLConnection">
        <socket interface="management" port="${jboss.management.native.port:9999}"/>
    </native-interface>
    <http-interface security-realm="LdapSSLConnection">
        <socket interface="management" port="${jboss.management.http.port:9990}"/>
    </http-interface>
</management-interfaces>

4. The last step is to give the JVMs on the domain controller node the location and password of the truststore through the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties. For each server we do so via the system-properties element of its server entry:

<server name="server-one" group="main-server-group">
    <system-properties>
        <property name="javax.net.ssl.trustStore" value="C:\Users\dwinters\Downloads\jboss-eap-6.1\jboss-eap-6.1\domain\configuration\client.keystore"/>
        <property name="javax.net.ssl.trustStorePassword" value="password"/>
    </system-properties>
</server>

Bear in mind that it is the host controller process on the domain controller node, not a managed server, that opens the connection to the LDAP server when a management user logs in, so these two properties must reach that JVM as well; if it does not pick them up from host.xml, add them as -D options to JAVA_OPTS in bin/domain.conf (domain.conf.bat on Windows), which is also where the debug flag in the Testing section goes. The truststore password is another clear-text value that the vault can hold.

Remote Host Controller

There is no LDAP-specific configuration needed on the remote host controller node. Since the management interfaces, and with them the LDAP authentication, live on the domain controller node, the slave only has to specify in its host controller configuration file (host.xml) the address of the domain controller together with the username of an LDAP user, and supply that user's password through the server-identities element of the security realm that the remote element names (ManagementRealmNative here), so that the slave can register with the domain controller:

<domain-controller>
    <remote host="${jboss.domain.master.address:<remote_host_name>}" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealmNative" username="davew"/>
</domain-controller>

<server-identities>
    <secret value="<base64_password>"/>
</server-identities>

The secret value is the base64 encoding of the password, not an encrypted form: anyone who can read the slave's host.xml recovers the LDAP password with a single base64 decode, which is another reason to move it into the vault (see Next steps). Also make sure the host expression is closed with its } after the default value, otherwise it is not resolved.
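As an added example (not code from the original post or from JBoss), the following Python script runs the checks a reviewer would make over the domain controller and slave host.xml files built up in the steps above: that both management interfaces resolve to an LDAP outbound connection whose URL uses ldaps://, that the search-credential and truststore password are vault references rather than clear text, that the trustStore property is present, that the slave's remote host expression is closed, and that the slave's server-identities secret is only base64 (it decodes the value to prove the point). The two host.xml documents are constructed samples mirroring the fragments above; dc-host stands in for the page's <remote_host_name> placeholder, and the vault reference format assumed is the EAP 6 ${VAULT::block::attribute::key} convention.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of the domain controller's host.xml, built from the
# fragments above (DNs, hostnames and paths are the page's placeholders).
DC_HOST_XML = r"""<host name="master" xmlns="urn:jboss:domain:1.4"><management>
 <security-realms><security-realm name="LdapSSLConnection"><authentication>
  <ldap connection="ldapremote" base-dn="ou=People,dc=maxcrc,dc=com" recursive="true">
   <username-filter attribute="uid"/></ldap>
 </authentication></security-realm></security-realms>
 <outbound-connections>
  <ldap name="ldapremote" url="ldaps://dwinters-pc:636" search-dn="cn=Manager,dc=maxcrc,dc=com" search-credential="secret"/>
 </outbound-connections>
 <management-interfaces>
  <native-interface security-realm="LdapSSLConnection"><socket interface="management" port="${jboss.management.native.port:9999}"/></native-interface>
  <http-interface security-realm="LdapSSLConnection"><socket interface="management" port="${jboss.management.http.port:9990}"/></http-interface>
 </management-interfaces></management>
 <servers><server name="server-one" group="main-server-group"><system-properties>
  <property name="javax.net.ssl.trustStore" value="C:\jboss-eap-6.1\domain\configuration\client.keystore"/>
  <property name="javax.net.ssl.trustStorePassword" value="password"/>
 </system-properties></server></servers></host>"""

# Constructed sample of the slave's host.xml; "dc-host" stands in for the
# page's <remote_host_name> placeholder, cGFzc3dvcmQ= is base64("password").
SLAVE_HOST_XML = r"""<host name="slave" xmlns="urn:jboss:domain:1.4"><management>
 <security-realms><security-realm name="ManagementRealmNative">
  <server-identities><secret value="cGFzc3dvcmQ="/></server-identities>
 </security-realm></security-realms></management>
 <domain-controller>
  <remote host="${jboss.domain.master.address:dc-host}" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealmNative" username="davew"/>
 </domain-controller></host>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the urn:jboss:domain namespace


def _find(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def is_vaulted(value):
    return value.startswith("${VAULT::")  # assumed EAP 6 vault reference ${VAULT::block::attr::key}


def decode_secret(value):
    # <secret value="..."/> is the base64 of the password, not ciphertext
    return base64.b64decode(value, validate=True).decode()


def audit_domain_controller(xml_text):
    root, findings = ET.fromstring(xml_text), []
    realms = {r.get("name"): r for r in _find(root, "security-realm")}
    outbound = {c.get("name"): c for oc in _find(root, "outbound-connections")
                for c in oc if _local(c.tag) == "ldap"}
    for iface in ("native-interface", "http-interface"):
        for el in _find(root, iface):
            realm = realms.get(el.get("security-realm"))
            auth = _find(realm, "ldap") if realm is not None else []
            conn = outbound.get(auth[0].get("connection")) if auth else None
            if conn is None:
                findings.append(f"{iface}: realm {el.get('security-realm')!r} has no LDAP outbound connection")
                continue
            scheme = urlsplit(conn.get("url", "")).scheme
            if scheme != "ldaps":
                findings.append(f"{iface}: {conn.get('name')!r} uses {scheme}://, bind DNs and passwords cross the wire in clear")
            if not is_vaulted(conn.get("search-credential", "")):
                findings.append(f"{iface}: search-credential of {conn.get('name')!r} is plain text in host.xml")
    for server in _find(root, "server"):
        props = {p.get("name"): p.get("value", "") for p in _find(server, "property")}
        if "javax.net.ssl.trustStore" not in props:
            findings.append(f"server {server.get('name')!r}: no javax.net.ssl.trustStore, the self-signed LDAP certificate cannot be verified")
        elif not is_vaulted(props.get("javax.net.ssl.trustStorePassword", "")):
            findings.append(f"server {server.get('name')!r}: trustStorePassword is plain text in host.xml")
    return findings


def audit_slave(xml_text):
    root, findings = ET.fromstring(xml_text), []
    realms = {r.get("name"): r for r in _find(root, "security-realm")}
    for remote in _find(root, "remote"):
        host = remote.get("host", "")
        if host.startswith("${") and not host.endswith("}"):
            findings.append(f"remote: host expression {host!r} is not closed with }}")
        realm = realms.get(remote.get("security-realm"))
        secrets = _find(realm, "secret") if realm is not None else []
        if not secrets:
            findings.append(f"remote: realm {remote.get('security-realm')!r} has no server-identities secret for {remote.get('username')!r}")
        for s in secrets:
            value = s.get("value", "")
            if is_vaulted(value):
                continue
            try:
                decode_secret(value)
            except (ValueError, UnicodeDecodeError):
                findings.append("remote: secret value is not valid base64")
            else:
                findings.append(f"remote: secret for {remote.get('username')!r} is base64 only, readable by anyone with access to host.xml")
    return findings


if __name__ == "__main__":
    for line in audit_domain_controller(DC_HOST_XML) + audit_slave(SLAVE_HOST_XML):
        print(line)
```

To use it on a real deployment, read each node's host.xml into audit_domain_controller or audit_slave; an empty list means none of the checks fired. On the page's own configuration it reports three clear-text values on the domain controller and the base64 secret on the slave, which is exactly the material the Next steps section proposes to move into the vault; the ldaps:// check exists because an ldap:// URL would send the search DN's password and every management user's password over the network in clear.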

Testing 

We will now attempt to log in on the domain controller node, both to the management console and with the JBoss CLI, using the details of a user stored on the LDAP server. In the figures below we can observe that when we navigate to the management console at http://<hostname>:9990/console we are prompted for the LDAP user's details, and that when we connect with the JBoss CLI we are again prompted for the username and password, since the silent local authentication of the default ManagementRealm no longer applies.




If you encounter issues while authenticating users and wish to debug further, it is very useful to switch on debug logging for the Java SSL packages. This shows where the connection between the JBoss host controller and the LDAP server is failing, whether it is a certificate that the truststore does not trust, a failure to negotiate a common cipher suite between the two, or something else. To turn it on, add this Java command line property to JAVA_OPTS in the domain.conf file (domain.conf.bat on Windows) on the domain controller node, and remove it again once the problem is resolved, as the output is very verbose:

-Djavax.net.debug=all

Next steps

We could further extend the JBoss configuration above to use its vault utility, so that the clear-text values currently in the domain controller and slave configuration files (the LDAP search-credential, the javax.net.ssl.trustStorePassword property and the slave's server-identities secret) are stored in a password-protected keystore on the node and referenced from host.xml as ${VAULT::...} expressions. The setup and use of the vault is quite straightforward and provides an extra layer of protection for sensitive details.
