I'm struggling to configure Artemis 2.4.0 management console to use the same
client certificate based JAAS realm.
CertLogin {
org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule
required
debug=true
org.apache.activemq.jaas.textfiledn.user="certificate-users.properties"
org.apache.activemq.jaas.textfiledn.role="certificate-roles.properties"
reload=true;
};
I've reached point where users that are not listed in
certificate-users.properties are rejected but those that are listed here are
prompted for user / password on default console form:
08:42:58,720 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:42:59,010 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
but allowing request for plugin
08:42:59,924 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is
set to value false
08:42:59,925 INFO [io.hawt.web.keycloak.KeycloakServlet] Keycloak integration
is disabled
08:42:59,925 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
but allowing request for keycloak
08:43:00,012 DEBUG [io.hawt.system.ConfigManager] Property
authenticationEnabled is set to value true
08:43:00,013 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is
set to value false
08:43:00,013 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for user
08:43:00,157 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:00,204 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:01,730 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
but allowing request for refresh
08:43:02,784 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
but allowing request for img
08:43:02,853 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:03,068 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:11,646 DEBUG [io.hawt.web.RedirectFilter] Accessing /console/login, which
isn't valid, returning index.html
08:43:12,448 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:12,669 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
but allowing request for plugin
08:43:13,717 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
but allowing request for keycloak
08:43:13,861 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for user
08:43:13,863 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:13,931 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:15,215 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
but allowing request for img
08:43:15,418 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
08:43:15,420 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled,
denying request for jolokia
Configuration of console seems ok with clientAuth enabled:
<web keyStorePath="/tmp/host.net.jks" keyStorePassword="host.net"
clientAuth="true" bind="https://host.net:8443"; path="web"
trustStorePath="/opt/truststore.jks" trustStorePassword="truststore">
<app url="activemq-branding" war="activemq-branding.war"/>
<app url="artemis-plugin" war="artemis-plugin.war"/>
<app url="console" war="console.war"/>
</web>
Hawt.io is logging out actual configuration and proper realm is mentioned here:
08:27:06,502 DEBUG [io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery]
Realm explicit configured CertLogin. Apache Tomcat userdata authentication
integration not in use.
08:27:06,502 INFO [io.hawt.web.AuthenticationFilter] Starting hawtio
authentication filter, JAAS realm: "CertLogin" authorized role(s): "amq" role
principal classes:
"org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
User that I'm testing has a amq role attached. User certificate is provided by
default to each request.
To verify if JAAS configuration is ok I've connected to a broker using
technical certificate also listed in the same configuration file and it was
successful.
09:31:06,061 DEBUG [io.netty.handler.ssl.SslHandler] [id: 0x484ffd99,
L:/10.205.36.164:61617 - R:/10.195.113.9:52093] HANDSHAKEN:
TLS_RSA_WITH_AES_128_CBC_SHA256
09:31:06,153 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader]
Initialized debug
09:31:06,154 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule]
Certificate for user: S113635
09:31:06,154 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule]
commit
09:31:06,188 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader]
Initialized debug
09:31:06,188 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule]
Certificate for user: S113635
09:31:06,188 DEBUG
[org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule]
commit
09:31:06,441 DEBUG
[org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl]
RemotingServiceImpl::removing connection ID 484ffd99
Is there a way to use certificate based user login to management console? If
yes what I should look into to fix?
Kind regards
Marcin Stefaniuk
CREDIT SUISSE (POLAND) SP. Z O.O
Solution Architect | Messaging Engineering Warsaw, MITM 47
Atrium 2 | 00-849 Warsaw | Poland
marcin.stefan...@credit-suisse.com<mailto:marcin.stefan...@credit-suisse.com> |
www.credit-suisse.com<http://www.credit-suisse.com/>
===============================================================================
Please access the attached hyperlink for an important electronic communications
disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
===============================================================================
