marianciu

Reputation: 557

Wildfly 10 - Authentication failure in domain mode

I have run into a situation I don't understand.

I am trying to set up WildFly 10.1.0 on Ubuntu 16.04 to work in domain mode. For testing I have an additional virtual machine.

Base system: Domain Controller

Virtual Machine: Host Controller

For the configuration I am generally following the WildFly documentation, but it doesn't work correctly.

Without authentication the Host Controller can connect to the Domain Controller, but a problem occurs when I want to use authentication - there is some strange behavior which I don't understand.

On domain controller:

  1. set everything in host-master.xml
  2. create a Management User with the options below:

user: test

password: test

    Is this new user going to be used for one AS process to connect to another AS process?
    e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
    yes/no? yes
    To represent the user add the following to the server-identities definition <secret value="dGVzdA==" />

  3. the server starts without problems using domain.sh --host-config=host-master.xml

On Host Controller:

  1. set everything in host-slave.xml with secret value:

            <security-realm name="ManagementRealm">
                <server-identities>
                    <secret value="dGVzdA==" />
                </server-identities>
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                </authorization>
            </security-realm>
    
  2. start the server using domain.sh --host-config=host-slave.xml

When I start the server I get the following error:

    [Host Controller] 22:23:03,553 WARN [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://192.168.56.1:9999 -- java.lang.IllegalStateException: WFLYHC0043: Unable to connect due to authentication failure.

    ./domain.sh --host-config=host-slave.xml
    =========================================================================

      JBoss Bootstrap Environment

      JBOSS_HOME: /home/test1/Warsztat/wildfly

      JAVA: java

      JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

    =========================================================================

    22:22:59,931 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.2.Final
    22:23:00,212 INFO  [org.jboss.as.process.Host Controller.status] (main) WFLYPC0018: Starting process 'Host Controller'
    [Host Controller] 22:23:01,207 INFO  [org.jboss.modules] (main) JBoss Modules version 1.5.2.Final
    [Host Controller] 22:23:01,521 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
    [Host Controller] 22:23:01,586 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) starting
    [Host Controller] 22:23:02,624 INFO  [org.xnio] (MSC service thread 1-1) XNIO version 3.4.0.Final
    [Host Controller] 22:23:02,634 INFO  [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.4.0.Final
    [Host Controller] 22:23:02,741 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /home/test1/Warsztat/wildfly/domain/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
    [Host Controller] 22:23:02,752 INFO  [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 4.0.21.Final
    [Host Controller] 22:23:02,834 INFO  [org.jboss.as.remoting] (MSC service thread 1-1) WFLYRMT0001: Listening on 192.168.56.111:9999
    [Host Controller] 22:23:03,553 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://192.168.56.1:9999 -- java.lang.IllegalStateException: WFLYHC0043: Unable to connect due to authentication failure.
    [Host Controller] 22:23:03,554 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0147: No domain controller discovery options remain.
    [Host Controller] 22:23:03,555 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0002: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain controller discovery option(s) but unable to connect
    [Host Controller] 22:23:03,556 FATAL [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0178: Aborting with exit code 99
    [Host Controller] 22:23:03,603 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) stopped in 22ms
    [Host Controller] 
    22:23:04,063 INFO  [org.jboss.as.process.Host Controller.status] (reaper for Host Controller) WFLYPC0011: Process 'Host Controller' finished with an exit status of 99
    22:23:04,066 INFO  [org.jboss.as.process] (Thread-8) WFLYPC0017: Shutting down process controller
    22:23:04,066 INFO  [org.jboss.as.process] (Thread-8) WFLYPC0016: All processes finished; exiting

But if I add name="test" to the host-slave.xml file on the Host Controller, as below (the name must be the same as the management user created on the Domain Controller), it works!

    <host xmlns="urn:jboss:domain:4.2" name="test">

I don't understand this at all and I can't find any explanation for it. Does anybody know why I have to add name="test"?

Upvotes: 4

Views: 6069

Answers (2)

marianciu

Reputation: 557

OK - I found the explanation.

The Security Realms documentation has information about how to define your own username for authentication:

By default when a slave host controller authenticates against the master domain controller it uses its configured name as its username. If you want to override the username used for authentication a username attribute can be added to the <remote /> element.

In my case I have to add the username like below:

    <domain-controller>
        <remote security-realm="ManagementRealm" username="atest">
            <discovery-options>
                <static-discovery name="primary" protocol="${jboss.domain.master.protocol:remote}" host="${jboss.domain.master.address:192.168.56.1}" port="${jboss.domain.master.port:9999}"/>
            </discovery-options>
        </remote>
    </domain-controller>

And now I can set the name freely.

Upvotes: 7
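Added example (not part of the original answers, and not WildFly code): a small Python check that reads a host-slave.xml, works out which username and password the slave will present (the `username` attribute on `<remote>` if set, otherwise the host `name`, with the password Base64-decoded from `<secret value>`), and looks that pair up the way mgmt-users.properties stores it, `HEX(MD5(username:realm:password))`. The sample XML, the host name `slave1` and the helper names are constructed for illustration; it models the credential lookup only, not the SASL exchange.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a host-slave.xml reduced to the parts that matter here.
HOST_SLAVE_XML = """\
<host xmlns="urn:jboss:domain:4.2" name="{name}">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities><secret value="dGVzdA=="/></server-identities>
      </security-realm>
    </security-realms>
  </management>
  <domain-controller>
    <remote security-realm="ManagementRealm"{username_attr}/>
  </domain-controller>
</host>
"""

def digest(user, realm, password):
    # Entry format of mgmt-users.properties: HEX(MD5(username:realm:password))
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

# Constructed sample: the master's mgmt-users.properties after adding user "test".
MASTER_USERS = {"test": digest("test", "ManagementRealm", "test")}

def slave_credentials(host_xml):
    """Return (username, password) the slave presents to the master."""
    root = ET.fromstring(host_xml)
    ns = {"d": root.tag[1:root.tag.index("}")]}  # namespace of <host>
    remote = root.find("d:domain-controller/d:remote", ns)
    realm = remote.get("security-realm")
    secret = root.find(
        f".//d:security-realm[@name='{realm}']/d:server-identities/d:secret", ns)
    # The secret is only Base64-encoded, so it decodes straight to the password.
    password = base64.b64decode(secret.get("value")).decode()
    # username on <remote> overrides the default, which is the host's name.
    return remote.get("username") or root.get("name"), password

def master_accepts(host_xml, users=MASTER_USERS, realm="ManagementRealm"):
    user, password = slave_credentials(host_xml)
    return users.get(user) == digest(user, realm, password)

if __name__ == "__main__":
    cases = [("slave1", ""), ("test", ""), ("slave1", ' username="test"')]
    for name, attr in cases:
        xml = HOST_SLAVE_XML.format(name=name, username_attr=attr)
        print(name, attr.strip() or "-", "->", master_accepts(xml))
```

The first case reproduces the WFLYHC0043 situation from the question: the secret is correct, but the master has no management user called `slave1`.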

Varsha

Reputation: 1198

This is expected behavior. You need to set the name in host-slave.xml to the same value as the user name created on the master EAP. Only with the help of that is the master instance able to authenticate the slave instance.

In the WildFly documentation, too, they created a user slave and used the same name in the host-slave.xml file.

Upvotes: 0
