
Key: GLASSFISH-16151
Type: Bug Bug
Status: Resolved Resolved
Resolution: Fixed
Priority: Major Major
Assignee: Tim Quinn
Reporter: easarina
Votes: 0
Watchers: 0
glassfish

enable-secure-admin fails badly if user specifies non-existent aliases

Created: 03/Mar/11 04:58 PM   Updated: 07/Apr/11 03:37 PM   Resolved: 04/Mar/11 12:45 PM
Component/s: admin
Affects Version/s: None
Fix Version/s: 3.1.1_b01

Time Tracking:
Not Specified

Tags:
Participants: easarina, Tim Quinn and Tom Mueller


Description

Build 43, Sparc machine. Executed the following steps:
1) Created a new domain:
asadmin --passwordfile ./password.txt --user admin create-domain --domaindir /opt/glassfish3/glassfish/domains --adminport 12345 --instanceport 9876 --savemasterpassword=true --usemasterpassword=true --savelogin=false --checkports=true --nopassword=false domain13
Using port 12345 for Admin.
Using port 9876 for HTTP Instance.
Default port 7676 for JMS is in use. Using 48200
Default port 3700 for IIOP is in use. Using 48201
Default port 8181 for HTTP_SSL is in use. Using 48202
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Default port 8686 for JMX_ADMIN is in use. Using 48203
Using default port 6666 for OSGI_SHELL.
Using default port 9009 for JAVA_DEBUGGER.
Distinguished Name of the self-signed X.509 Server Certificate is:
[CN=jed-asqe-7,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US]
Distinguished Name of the self-signed X.509 Server Certificate is:
[CN=jed-asqe-7-instance,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US]
No domain initializers found, bypassing customization step
Domain domain13 created.
Domain domain13 admin port is 12345.
Domain domain13 admin user is "admin".
Command create-domain executed successfully.

2) Started the domain
3) Created a cluster: asadmin --passwordfile ./password.txt --user admin --port 12345 --host localhost create-cluster c1
Command create-cluster executed successfully.
4) Created an instance: asadmin --passwordfile ./password.txt --user admin --port 12345 --host localhost create-instance --cluster c1 --node localhost-domain13 in1

Command _create-instance-filesystem executed successfully.
Port Assignments for server instance in1:
JMX_SYSTEM_CONNECTOR_PORT=28691
JMS_PROVIDER_PORT=27681
HTTP_LISTENER_PORT=28085
ASADMIN_LISTENER_PORT=24853
JAVA_DEBUGGER_PORT=29009
IIOP_SSL_LISTENER_PORT=23820
IIOP_LISTENER_PORT=23700
OSGI_SHELL_TELNET_PORT=26666
HTTP_SSL_LISTENER_PORT=28186
IIOP_SSL_MUTUALAUTH_PORT=23920
The instance, in1, was created on host localhost
Command create-instance executed successfully.
5) Started an instance:
asadmin --passwordfile ./password.txt --user admin --port 12345 --host localhost start-local-instance --node localhost-domain13 in1
Waiting for in1 to start ..............................
Successfully started the instance: in1
instance Location: /opt/glassfish3/glassfish/nodes/localhost-domain13/in1
Log File: /opt/glassfish3/glassfish/nodes/localhost-domain13/in1/logs/server.log
Admin Port: 24853
Command start-local-instance executed successfully.
6) Stopped the instance:
asadmin --passwordfile ./password.txt --user admin --port 12345 --host localhost stop-instance in1
The instance, in1, is stopped.
Command stop-instance executed successfully.
7) Executed enable-secure-admin: asadmin --passwordfile ./password.txt --user admin --port 12345 --host localhost enable-secure-admin --adminalias adtest --instancealias intest
WARNING: Instance in1 seems to be offline; command enable-secure-admin was not replicated to that instance
Command enable-secure-admin completed with warnings.
8) Started an instance:
jed-asqe-7#/export/home] asadmin --passwordfile ./password.txt --user admin --port 12345 --host localhost start-local-instance --node localhost-domain13 in1
Waiting for in1 to start ....................
Successfully started the instance: in1
instance Location: /opt/glassfish3/glassfish/nodes/localhost-domain13/in1
Log File: /opt/glassfish3/glassfish/nodes/localhost-domain13/in1/logs/server.log
Admin Port: 24853
Command start-local-instance executed successfully.
9) Tried to execute enable-secure-admin again:
asadmin --passwordfile ./password.txt --user admin --port 12345 --host localhost enable-secure-admin --adminalias adtest --instancealias intest
remote failure: An error occurred during replication
FAILURE: Command enable-secure-admin failed on server instance in1: java.net.SocketException: Unexpected end of file from server
Command enable-secure-admin failed.

During step 9, the following messages were written to the instance in1 server.log:
=============================================================================
[#|2011-03-03T16:27:24.721-0800|WARNING|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=19;_ThreadName=Thread-1;|GRIZZLY0007: SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:455)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:183)
at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:361)
at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:237)
at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:202)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:451)
... 14 more

#]

[#|2011-03-03T16:27:24.748-0800|WARNING|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=19;_ThreadName=Thread-1;|GRIZZLY0007: SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:455)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:183)
at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:361)
at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:237)
at com.sun.grizzly.config.HttpProtocolFinder.find(HttpProtocolFinder.java:109)
at com.sun.grizzly.config.ConfigProtocolFinderWrapper.find(ConfigProtocolFinderWrapper.java:72)
at com.sun.grizzly.portunif.PUReadFilter.findProtocol(PUReadFilter.java:512)
at com.sun.grizzly.portunif.PUReadFilter.execute(PUReadFilter.java:188)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:451)
... 17 more

#]

[#|2011-03-03T16:27:24.763-0800|WARNING|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=19;_ThreadName=Thread-1;|GRIZZLY0059: PortUnification exception.
java.lang.NullPointerException
at com.sun.grizzly.config.SSLConfigHolder.createSSLEngine(SSLConfigHolder.java:205)
at com.sun.grizzly.config.HttpProtocolFinder.find(HttpProtocolFinder.java:116)
at com.sun.grizzly.config.ConfigProtocolFinderWrapper.find(ConfigProtocolFinderWrapper.java:72)
at com.sun.grizzly.portunif.PUReadFilter.findProtocol(PUReadFilter.java:512)
at com.sun.grizzly.portunif.PUReadFilter.execute(PUReadFilter.java:188)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)

#]

=======================================================================

I believe in any case such error messages should not be created.



easarina added a comment - 03/Mar/11 05:40 PM

I believe this issue happened because non-existent aliases were used.
I created a new domain, started the domain, then executed:
enable-secure-admin --adminalias adtest --instancealias intest

After that I tried to execute restart-domain. The restart-domain never returned a prompt. Based on the domain server.log, the domain was stopped but was not started; server.log contained a countless number of the same messages:

;|GRIZZLY0059: PortUnification exception.
java.lang.NullPointerException
at com.sun.grizzly.config.SSLConfigHolder.createSSLEngine(SSLConfigHolder.java:205)
at com.sun.grizzly.config.HttpProtocolFinder.find(HttpProtocolFinder.java:116)
at com.sun.grizzly.config.ConfigProtocolFinderWrapper.find(ConfigProtocolFinderWrapper.java:72)
at com.sun.grizzly.portunif.PUReadFilter.findProtocol(PUReadFilter.java:512)
at com.sun.grizzly.portunif.PUReadFilter.execute(PUReadFilter.java:188)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)


Tom Mueller added a comment - 04/Mar/11 06:58 AM

The user error here appears to be that the domain was not restarted after running enable-secure-admin. We already have an issue open for having the command output a warning that the domain needs to be restarted after any command that triggers a required restart (issue GLASSFISH-14925). Maybe this is a duplicate of that issue.


Tim Quinn added a comment - 04/Mar/11 07:31 AM

Tom is correct; the initial error was because the domain was not restarted before further commands were issued.

My hope is that in a future release of GlassFish Grizzly can handle the config changes for secure admin without requiring a restart, but unless and until that happens the restart will remain required.

Separately from that, Elena has identified a bug in that the enable-secure-admin command does not validate the alias names if the user specifies them. I am going to change the summary line of this issue to reflect that defect and will work with the security team to find out the best way to validate alias names.


Tim Quinn added a comment - 04/Mar/11 07:32 AM

Changing the summary to reflect that the alias names are not validated, and that seems to lead to spectacular errors.


easarina added a comment - 04/Mar/11 08:17 AM

If a user mistakenly used a wrong alias name and then stopped the domain, it would be impossible to start the domain after that.


Tim Quinn added a comment - 04/Mar/11 12:45 PM

Fix checked in.

Project: glassfish
Repository: svn
Revision: 45408
Author: tjquinn
Date: 2011-03-04 20:02:10 UTC
Link:

Log Message:
------------
Fix for 16151

The enable-secure-admin command lets users specify the DAS alias, the instance alias, or both (or neither). The code did not validate the alias, and specifying an alias not present in the keystore caused numerous error messages.

These changes validate the alias names (if specified) and report problems in the action report.

Revisions:
----------
45408

Modified Paths:
---------------
trunk/v3/cluster/admin/src/main/java/com/sun/enterprise/v3/admin/cluster/EnableSecureAdminCommand.java
trunk/v3/cluster/admin/src/main/java/com/sun/enterprise/v3/admin/cluster/SecureAdminConfigUpgrade.java
trunk/v3/cluster/admin/src/main/java/com/sun/enterprise/v3/admin/cluster/LocalStrings.properties
trunk/v3/cluster/admin/src/main/java/com/sun/enterprise/v3/admin/cluster/SecureAdminCommand.java
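The kind of pre-flight check the fix describes (validate the DAS and instance aliases against the keystore before anything is written to the config), as an added example that is not GlassFish's own code from revision 45408: the keystore path and store password are taken from the command line, the message wording and class name are this example's own, and the check treats a trusted-certificate entry or an expired certificate as unusable because neither can back an SSL listener.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public final class SecureAdminAliasCheck {

    /**
     * Returns one message per unusable alias; an empty list means every supplied
     * alias can back an SSL listener. A null or empty alias means that option was
     * not given on the command line, so there is nothing to check for it. A usable
     * alias must exist, be a key entry (private key plus certificate chain, not a
     * trusted-certificate entry) and carry a currently valid X.509 leaf certificate.
     */
    public static List<String> validateAliases(KeyStore ks, String... aliases)
            throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();
        for (String alias : aliases) {
            if (alias == null || alias.isEmpty()) continue;   // option not specified
            if (!ks.containsAlias(alias)) {
                problems.add("alias '" + alias + "' is not present in the keystore");
            } else if (!ks.isKeyEntry(alias)) {
                problems.add("alias '" + alias + "' is a trusted certificate, not a private key");
            } else {
                Certificate cert = ks.getCertificate(alias);   // leaf of the key entry's chain
                try {
                    ((X509Certificate) cert).checkValidity();
                } catch (ClassCastException | GeneralSecurityException e) {
                    // Not X.509, expired, or not yet valid: Grizzly could not use it either.
                    problems.add("alias '" + alias + "' has no currently valid X.509 certificate");
                }
            }
        }
        return problems;
    }

    /** Usage: java SecureAdminAliasCheck <keystore.jks> <storepass> <adminalias> [instancealias] */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");   // GlassFish domains ship a JKS keystore.jks
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String instanceAlias = args.length > 3 ? args[3] : null;   // --instancealias is optional
        List<String> problems = validateAliases(ks, args[2], instanceAlias);
        if (problems.isEmpty()) {
            System.out.println("OK: aliases are usable for secure admin");
        } else {
            problems.forEach(p -> System.out.println("FAILURE: " + p));   // stop before touching domain.xml
            System.exit(1);
        }
    }
}
```

Running it with the aliases from the report (adtest, intest) against a freshly created domain's keystore lists both as not present, which is the condition the original command silently accepted.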