Appendix A. Reference Material

A.1. Elytron Subsystem Components Reference

Table A.1. add-prefix-role-mapper Attributes

AttributeDescription

prefix

The prefix to add to each role.

Table A.2. add-suffix-role-mapper Attributes

AttributeDescription

suffix

The suffix to add to each role.

Table A.3. aggregate-http-server-mechanism-factory Attributes

AttributeDescription

http-server-mechanism-factories

The list of HTTP server factories to aggregate.

Table A.4. aggregate-principal-decoder Attributes

AttributeDescription

principal-decoders

The list of principal decoders to aggregate.

Table A.5. aggregate-principal-transformer Attributes

AttributeDescription

principal-transformers

The list of principal transformers to aggregate.

Table A.6. aggregate-providers Attributes

AttributeDescription

providers

The list of referenced Provider[] resources to aggregate.

Table A.7. aggregate-realm Attributes

AttributeDescription

authentication-realm

Reference to the security realm to use for authentication steps. This is used for obtaining or validating credentials.

authorization-realm

Reference to the security realm to use for loading the identity for authorization steps.

Table A.8. aggregate-role-mapper Attributes

AttributeDescription

role-mappers

The list of role mappers to aggregate.

Table A.9. aggregate-sasl-server-factory Attributes

AttributeDescription

sasl-server-factories

The list of SASL server factories to aggregate.

Table A.10. authentication-configuration Attributes

AttributeDescription

anonymous

If true anonymous authentication is allowed. The default is false.

authentication-name

The authentication name to use.

authorization-name

The authorization name to use.

credential-reference

The credential to use for authentication. This can be in clear text or as a reference to a credential stored in a credential-store.

extends

An existing authentication configuration to extend.

host

The host to use.

kerberos-security-factory

Reference to a kerberos security factory used to obtain a GSS kerberos credential.

mechanism-properties

Configuration properties for the SASL authentication mechanism.

port

The port to use.

protocol

The protocol to use.

realm

The realm to use.

sasl-mechanism-selector

The SASL mechanism selector string. See sasl-mechanism-selector Grammar for usage information.

security-domain

Reference to a security domain to obtain a forwarded identity.

Table A.11. authentication-context Attributes

AttributeDescription

extends

An existing authentication context to extend.

match-rules

The rules to match against for this authentication context.

Table A.12. authentication-context match-rules Attributes

AttributeDescription

match-abstract-type

The abstract type to match against.

match-abstract-type-authority

The abstract type authority to match against.

match-host

The host to match against.

match-local-security-domain

The local security domain to match against.

match-no-user

If true, rule will match against no user.

match-path

The patch to match against.

match-port

The port to match against.

match-protocol

The protocol to match against.

match-urn

The URN to match against.

match-user

The user to match against.

authentication-configuration

Reference to the authentication configuration to use for a successful match.

ssl-context

Reference to the ssl-context to use for a successful match.

Table A.13. caching-realm Attributes

AttributeDescription

maximum-age

The time in milliseconds that an item can stay in the cache. A value of -1 keeps items indefinitely. This defaults to -1.

maximum-entries

The maximum number of entries to keep in the cache. This defaults to 16.

realm

A reference to a cacheable security realm such as jdbc-realm, ldap-realm, filesystem-realm or a custom security realm.

Table A.14. certificate-authority-account Attributes

AttributeDescription

alias

The alias of certificate authority account key in the keystore. If the alias does not already exist in the keystore, a certificate authority account key will be automatically generated and stored as a PrivateKeyEntry under the alias.

certificate-authority

The name of the certificate authority to use. The default, and only allowed value, is LetsEncrypt.

contact-urls

A list of URLs that the certificate authority can contact about any issues related to this account.

credential-reference

The credential to be used when accessing the certificate authority account key.

key-store

The keystore that contains the certificate authority account key.

Table A.15. chained-principal-transformer Attributes

AttributeDescription

principal-transformers

List of principal transformers to chain.

Table A.16. client-ssl-context Attributes

AttributeDescription

cipher-suite-filter

The filter to apply to specify the enabled cipher suites. This filter takes a list of items delimited by colons, commas, or spaces. Each item may be a OpenSSL-style cipher suite name, a standard SSL/TLS cipher suite name, or a keyword such as TLSv1.2 or DES. A full list of keywords as well as additional details on creating a filter can be found in the Javadoc for the CipherSuiteSelector class. The default value is DEFAULT, which corresponds to all known cipher suites that do not have NULL encryption and excludes any cipher suites that have no authentication.

key-manager

Reference to the key-manager to use within the SSLContext.

protocols

The enabled protocols. Allowed options: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. This defaults to enabling TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.

Warning

Red Hat recommends that SSLv2, SSLv3, and TLSv1.0 be explicitly disabled in favor of TLSv1.1 or TLSv1.2 in all affected packages.

provider-name

The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext.

providers

The name of the providers to obtain the Provider[] to use to load the SSLContext.

session-timeout

The timeout for SSL sessions.

trust-manager

Reference to the trust-manager to use within the SSLContext.

Table A.17. concatenating-principal-decoder Attributes

AttributeDescription

joiner

The string that will be used to join the values in the principal-decoders attribute.

principal-decoders

The list of principal decoders to concatenate.

Table A.18. configurable-http-server-mechanism-factory Attributes

AttributeDescription

filters

The list of filters to be applied in order to enable or disable mechanisms based on the name.

http-server-mechanism-factory

Reference to the http server factory to be wrapped.

properties

Custom properties to be passed in to the HTTP server factory calls.

Table A.19. configurable-http-server-mechanism-factory filters Attributes

AttributeDescription

pattern-filter

Filter based on a regular expression pattern.

enabling

If true the filter will be enabled if the mechanism matches. This defaults to true.

Table A.20. configurable-sasl-server-factory Attributes

AttributeDescription

filters

List of filters to be evaluated sequentially and combined using or.

properties

Custom properties to be passed in to the SASL server factory calls.

protocol

The protocol passed into the factory when creating the mechanism.

sasl-server-factory

Reference to the SASL server factory to be wrapped.

server-name

The server name passed into the factory when creating the mechanism.

Table A.21. configurable-sasl-server-factory filters Attributes

AttributeDescription

predefined-filter

A predefined filter to use to filter the mechanism name. Allowed values are HASH_MD5, HASH_SHA, HASH_SHA_256, HASH_SHA_384, HASH_SHA_512, GS2, SCRAM, DIGEST, IEC_ISO_9798, EAP, MUTUAL, BINDING, and RECOMMENDED.

pattern-filter

A filter for the mechanism name based on a regular expression.

enabling

If true the filter will be enabled if the factory matches. This defaults to true.

Table A.22. constant-permission-mapper Attributes

AttributeDescription

permission-sets

The permission sets to assign in the event of a match. Permission sets can be used to assign permissions to an identity.

permission-sets can take the following attribute:

  • permission-set

    A reference to a permission set.

Note

The permissions attribute is deprecated, and is replaced by permission-sets.

Table A.23. constant-principal-decoder Attributes

AttributeDescription

constant

The constant value the principal decoder will always return.

Table A.24. constant-principal-transformer Attributes

AttributeDescription

constant

The constant value this principal transformer will always return.

Table A.25. constant-realm-mapper Attributes

AttributeDescription

realm-name

Reference to the realm that will be returned.

Table A.26. constant-role-mapper Attributes

AttributeDescription

roles

The list of roles that will be returned.

Table A.27. credential-store Attributes

AttributeDescription

create

Specifies whether the credential store should create storage when it does not exist.

credential-reference

The reference to the credential used to create protection parameter. This can be in clear text or as a reference to a credential stored in a credential-store.

implementation-properties

Map of credentials store implementation-specific properties.

location

The file name of the credential store storage.

modifiable

Whether the credential store is modifiable.

other-providers

The name of the providers to obtain the providers to search for the one that can create the required JCA objects within the credential store. This is valid only for keystore-based credential store. If this is not specified, then the global list of providers is used instead.

provider-name

The name of the provider to use to instantiate the CredentialStoreSpi. If the provider is not specified, then the first provider found that can create an instance of the specified type will be used.

providers

The name of the providers to obtain the providers to search for the one that can create the required credential store type. If this is not specified, then the global list of providers is used instead.

relative-to

The base path this credential store path is relative to.

type

Type of the credential store, for example, KeyStoreCredentialStore.

Table A.28. credential-store alias

AttributeDescription

entry-type

Type of credential entry stored in the credential store.

secret-value

Secret value such as password.

Table A.29. credential-store KeyStoreCredentialStore implementation properties

AttributeDescription

cryptoAlg

Cryptographic algorithm name to be used to encrypt decrypt entries at external storage. This attribute is only valid if external is enabled. Defaults to AES.

external

Whether data is stored to external storage and encrypted by the keyAlias. Defaults to false.

externalPath

Specifies path to external storage. This attribute is only valid if external is enabled.

keyAlias

The secret key alias within the credential store that is used to encrypt or decrypt data to the external storage.

keyStoreType

The keystore type, such as PKCS11. Defaults to KeyStore.getDefaultType().

Table A.30. custom-credential-security-factory Attributes

AttributeDescription

configuration

The optional key and value configuration for the custom security factory.

class-name

The class name of the implementation of the custom security factory.

module

The module to use to load the custom security factory.

Table A.31. custom-modifiable-realm Attributes

AttributeDescription

configuration

The optional key and value configuration for the custom realm.

class-name

The class name of the implementation of the custom realm.

module

The module to use to load the custom realm.

Table A.32. custom-permission-mapper Attributes

AttributeDescription

configuration

The optional key and value configuration for the permission mapper.

class-name

Fully qualified class name of the permission mapper.

module

Name of the module to use to load the permission mapper.

Table A.33. custom-principal-decoder Attributes

AttributeDescription

configuration

The optional key and value configuration for the principal decoder.

class-name

Fully qualified class name of the principal decoder.

module

Name of the module to use to load the principal decoder.

Table A.34. custom-principal-transformer Attributes

AttributeDescription

configuration

The optional key and value configuration for the principal transformer.

class-name

Fully qualified class name of the principal transformer.

module

Name of the module to use to load the principal transformer.

Table A.35. custom-realm Attributes

AttributeDescription

configuration

The optional key and value configuration for the custom realm.

class-name

Fully qualified class name of the custom realm.

module

Name of the module to use to load the custom realm.

Table A.36. custom-realm-mapper Attributes

AttributeDescription

configuration

The optional key and value configuration for the realm mapper.

class-name

Fully qualified class name of the realm mapper.

module

Name of the module to use to load the realm mapper.

Table A.37. custom-role-decoder Attributes

AttributeDescription

configuration

The optional key and value configuration for the role decoder.

class-name

Fully qualified class name of the role decoder.

module

Name of the module to use to load the role decoder.

Table A.38. custom-role-mapper Attributes

AttributeDescription

configuration

The optional key and value configuration for the role mapper.

class-name

Fully qualified class name of the role mapper.

module

Name of the module to use to load the role mapper.

Table A.39. dir-context Attributes

AttributeDescription

authentication-context

The authentication context to obtain login credentials to connect to the LDAP server. Can be omitted if authentication-level is none, which is equivalent to anonymous authentication.

authentication-level

The authentication level, meaning security level or authentication mechanism, to use. Corresponds to SECURITY_AUTHENTICATION or java.naming.security.authentication environment property. Allowed values are none, simple and sasl_mech format. The sasl_mech format is a space-separated list of SASL mechanism names.

connection-timeout

The timeout for connecting to the LDAP server in milliseconds.

credential-reference

The credential reference to authenticate and connect to the LDAP server. This can be omitted if authentication-level is none, which is equivalent to anonymous authentication.

enable-connection-pooling

If true connection pooling is enabled. This defaults to false.

module

Name of module that will be used as the class loading base.

principal

The principal to authenticate and connect to the LDAP server. This can be omitted if authentication-level is none which is equivalent to anonymous authentication.

properties

The additional connection properties for the DirContext.

read-timeout

The read timeout for an LDAP operation in milliseconds.

referral-mode

The mode used to determine if referrals should be followed. Allowed values are FOLLOW, IGNORE, and THROW. This defaults to IGNORE.

ssl-context

The name of the SSL context used to secure connection to the LDAP server.

url

The connection URL.

Table A.40. filesystem-realm Attributes

AttributeDescription

encoded

Whether the identity names should be stored encoded (Base32) in file names.

levels

The number of levels of directory hashing to apply. The default value is 2.

path

The path to the file containing the realm.

relative-to

The predefined relative path to use with path. For example jboss.server.config.dir.

Table A.41. filtering-key-store Attributes

AttributeDescription

alias-filter

A filter to apply to the aliases returned from the key-store. It can either be a comma-separated list of aliases to return or one of the following formats:

  • ALL:-alias1:-alias2
  • NONE:+alias1:+alias2
Note

The alias-filter attribute is case sensitive. Because the use of mixed-case or uppercase aliases, such as elytronAppServer, might not be recognized by some keystore providers, it is recommended to use lowercase aliases, such as elytronappserver.

key-store

Reference to the key-store to filter.

Table A.42. http-authentication-factory Attributes

AttributeDescription

http-server-mechanism-factory

The HttpServerAuthenticationMechanismFactory to associate with this resource.

mechanism-configurations

The list of mechanism-specific configurations.

security-domain

The security domain to associate with this resource.

Table A.43. http-authentication-factory mechanism-configurations Attributes

AttributeDescription

credential-security-factory

The security factory to use to obtain a credential as required by the mechanism.

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

host-name

The host name this configuration applies to.

mechanism-name

This configuration will only apply where a mechanism with the name specified is used. If this attribute is omitted then this will match any mechanism name.

mechanism-realm-configurations

The list of definitions of the realm names as understood by the mechanism.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

protocol

The protocol this configuration applies to.

realm-mapper

The realm mapper to be used by the mechanism.

Table A.44. http-authentication-factory mechanism-configurations mechanism-realm-configurations Attributes

AttributeDescription

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

realm-mapper

The realm mapper to be used by the mechanism.

realm-name

The name of the realm to be presented by the mechanism.

Table A.45. identity-realm Attributes

AttributeDescription

attribute-name

The name of the attribute associated with this identity.

attribute-values

The list of values associated with the identities attribute.

identity

The identity available from the security realm.

Table A.46. jdbc-realm Attributes

AttributeDescription

principal-query

The list of authentication queries used to authenticate users based on specific key types.

Table A.47. jdbc-realm principal-query Attributes

AttributeDescription

attribute-mapping

The list of attribute mappings defined for this resource.

bcrypt-mapper

A key mapper that maps a column returned from a SQL query to a Bcrypt key type.

clear-password-mapper

A key mapper that maps a column returned from a SQL query to a clear password key type. This has a password-index child element that is the column index from an authentication query that represents the user’s password.

data-source

The name of the datasource used to connect to the database.

salted-simple-digest-mapper

A key mapper that maps a column returned from a SQL query to a Salted Simple Digest key type.

scram-mapper

A key mapper that maps a column returned from a SQL query to a SCRAM key type.

simple-digest-mapper

A key mapper that maps a column returned from a SQL query to a Simple Digest key type.

sql

The SQL statement used to obtain the keys as table columns for a specific user and map them accordingly with their type.

Table A.48. jdbc-realm principal-query attribute-mapping Attributes

AttributeDescription

index

The column index from a query that representing the mapped attribute.

to

The name of the identity attribute mapped from a column returned from a SQL query.

Table A.49. jdbc-realm principal-query bcrypt-mapper Attributes

AttributeDescription

iteration-count-index

The column index from an authentication query that represents the password’s iteration count, if supported.

password-index

The column index from an authentication query that represents the user’s password.

salt-index

The column index from an authentication query that represents the password’s salt, if supported.

Table A.50. jdbc-realm principal-query salted-simple-digest-mapper Attributes

AttributeDescription

algorithm

The algorithm for a specific password key mapper. Allowed values are password-salt-digest-md5, password-salt-digest-sha-1, password-salt-digest-sha-256, password-salt-digest-sha-384, password-salt-digest-sha-512, salt-password-digest-md5, salt-password-digest-sha-1, salt-password-digest-sha-256, salt-password-digest-sha-384, and salt-password-digest-sha-512. The default is password-salt-digest-md5.

password-index

The column index from an authentication query that represents the user’s password.

salt-index

The column index from an authentication query that represents the password’s salt, if supported.

Table A.51. jdbc-realm principal-query simple-digest-mapper Attributes

AttributeDescription

algorithm

The algorithm for a specific password key mapper. Allowed values are simple-digest-md2, simple-digest-md5, simple-digest-sha-1, simple-digest-sha-256, simple-digest-sha-384, and simple-digest-sha-512. The default is simple-digest-md5.

password-index

The column index from an authentication query that represents the user’s password.

Table A.52. jdbc-realm principal-query scram-mapper Attributes

AttributeDescription

algorithm

The algorithm for a specific password key mapper. The allowed values are scram-sha-1 and scram-sha-256. The default value is scram-sha-256.

iteration-count-index

The column index from an authentication query that represents the password’s iteration count, if supported.

password-index

The column index from an authentication query that represents the user’s password.

salt-index

The column index from an authentication query that represents the password’s salt, if supported.

Table A.53. kerberos-security-factory Attributes

AttributeDescription

debug

If true the JAAS step of obtaining the credential will have debug logging enabled. Defaults to false.

mechanism-names

The mechanism names the credential should be usable with. Names will be converted to OIDs and used together with OIDs from mechanism-oids attribute.

mechanism-oids

The list of mechanism OIDs the credential should be usable with.

minimum-remaining-lifetime

The amount of time in seconds a cached credential can have before it is recreated.

obtain-kerberos-ticket

Should the KerberosTicket also be obtained and associated with the credential. This is required to be true where credentials are delegated to the server.

options

The Krb5LoginModule additional options.

path

The path of the keytab to load to obtain the credential.

principal

The principal represented by the keytab.

relative-to

The relative path to the keytab.

request-lifetime

How much lifetime should be requested for newly created credentials.

required

Whether the keytab file with an adequate principal is required to exist at the time the service starts.

server

If true this factory is used for the server-side portion of Kerberos authentication. If false it is used for the client-side. Defaults to true

wrap-gss-credential

Whether generated GSS credentials should be wrapped to prevent improper disposal.

Table A.54. key-manager Attributes

AttributeDescription

algorithm

The name of the algorithm to use to create the underlying KeyManagerFactory. This is provided by the JDK. For example, a JDK that uses SunJSSE provides the PKIX and SunX509 algorithms. More details on SunJSSE can be found in the Java Secure Socket Extension (JSSE) Reference Guide.

alias-filter

A filter to apply to the aliases returned from the keystore. This can either be a comma-separated list of aliases to return or one of the following formats:

  • ALL:-alias1:-alias2
  • NONE:+alias1:+alias2

credential-reference

The credential reference to decrypt keystore item. This can be specified in clear text or as a reference to a credential stored in a credential-store. This is not a password of the keystore.

key-store

Reference to the key-store to use to initialize the underlying KeyManagerFactory.

provider-name

The name of the provider to use to create the underlying KeyManagerFactory.

providers

Reference to obtain the Provider[] to use when creating the underlying KeyManagerFactory.

Table A.55. key-store Attributes

AttributeDescription

alias-filter

A filter to apply to the aliases returned from the keystore, can either be a comma separated list of aliases to return or one of the following formats:

  • ALL:-alias1:-alias2
  • NONE:+alias1:+alias2
Note

The alias-filter attribute is case sensitive. Because the use of mixed-case or uppercase aliases, such as elytronAppServer, might not be recognized by some keystore providers, it is recommended to use lowercase aliases, such as elytronappserver.

credential-reference

The password to use to access the keystore. This can be specified in clear text or as a reference to a credential stored in a credential-store.

path

The path to the keystore file.

provider-name

The name of the provider to use to load the keystore. Setting this attribute disables searching for the first provider that can create a keystore of the specified type.

providers

A reference to the providers that should be used to obtain the list of provider instances to search. If not specified, the global list of providers will be used instead.

relative-to

The base path this store is relative to. This can be a full path or predefined path such as jboss.server.config.dir.

required

If true the keystore file referenced is required to exist at the time the keystore service starts. The default value is false.

type

The type of the keystore, for example, JKS. A full list of keystore types can be found in the Java Cryptography Architecture Standard Algorithm Name Documentation for JDK 8.

Table A.56. key-store-realm Attributes

AttributeDescription

key-store

Reference to the keystore used to back this security realm.

Table A.57. ldap-key-store Attributes

AttributeDescription

alias-attribute

The name of LDAP attribute where the item alias will be stored.

certificate-attribute

The name of LDAP attribute where the certificate will be stored.

certificate-chain-attribute

The name of LDAP attribute where the certificate chain will be stored.

certificate-chain-encoding

The encoding of the certificate chain.

certificate-type

The type of the certificate.

dir-context

The name of the dir-context which will be used to communication with LDAP server.

filter-alias

The LDAP filter for obtaining an item in the keystore by alias.

filter-certificate

The LDAP filter for obtaining an item in the keystore by certificate.

filter-iterate

The LDAP filter for iterating over all items of the keystore.

key-attribute

The name of LDAP attribute where the key will be stored.

key-type

The type of keystore that is stored in a serialized manner in the LDAP attribute. For example, JKS. A full list of keystore types can be found in the Java Cryptography Architecture Standard Algorithm Name Documentation for JDK 8.

new-item-template

Configuration for item creation. This defines how the LDAP entry of newly created keystore item will look.

search-path

The path in LDAP where the keystore items will be searched.

search-recursive

If the LDAP search should be recursive.

search-time-limit

The time limit in milliseconds for obtaining keystore items from LDAP. Defaults to 10000.

Table A.58. ldap-key-store new-item-template Attributes

AttributeDescription

new-item-attributes

The LDAP attributes which will be set for newly created items. This takes a list of items with name and value pairs.

new-item-path

The path in LDAP where the newly created keystore items will be stored.

new-item-rdn

The name of LDAP RDN for the newly created items.

Table A.59. ldap-realm Attributes

AttributeDescription

allow-blank-password

Whether this realm supports blank password direct verification. A blank password attempt will be rejected otherwise.

dir-context

The name of the dir-context which will be used to connect to the LDAP server.

direct-verification

If true this realm supports verification of credentials by directly connecting to LDAP as the account being authenticated; otherwise, the password is retrieved from the LDAP server and verified in JBoss EAP. If enabled, the JBoss EAP server must be able to obtain the plain user password from the client, which requires either the PLAIN SASL or BASIC HTTP mechanism be used for authentication. Defaults to false.

identity-mapping

The configuration options that define how principals are mapped to their corresponding entries in the underlying LDAP server.

Table A.60. ldap-realm identity-mapping Attributes

AttributeDescription

rdn-identifier

The RDN part of the principal’s DN to be used to obtain the principal’s name from an LDAP entry. This is also used when creating new identities.

use-recursive-search

If true identity search queries are recursive. Defaults to false.

search-base-dn

The base DN to search for identities.

attribute-mapping

List of attribute mappings defined for this resource.

filter-name

The LDAP filter for getting identity by name.

iterator-filter

The LDAP filter for iterating over identities of the realm.

new-identity-parent-dn

The DN of parent of newly created identities. Required for modifiability of the realm.

new-identity-attributes

The list of attributes of newly created identities and is required for modifiability of the realm. This is a list of name and value pair objects.

user-password-mapper

The credential mapping for a credential similar to userPassword.

otp-credential-mapper

The credential mapping for OTP credential.

x509-credential-mapper

The configuration allowing to use LDAP as storage of X509 credentials. If none of the -from child attributes are defined, then this configuration will be ignored. If more than one -from child attribute is defined, then the user certificate must match all the defined criteria.

Table A.61. ldap-realm identity-mapping attribute-mapping Attributes

AttributeDescription

extract-rdn

The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format.

filter

The filter to use to obtain the values for a specific attribute.

filter-base-dn

The name of the context where the filter should be performed.

from

The name of the LDAP attribute to map to an identity attribute. If not defined, DN of entry is used.

reference

The name of LDAP attribute containing DN of entry to obtain value from.

role-recursion

Maximum depth for recursive role assignment. Use 0 to specify no recursion. Defaults to 0.

role-recursion-name

Determine the LDAP attribute of role entry which will be a substitute for "{0}" in filter-name when searching roles of role.

search-recursive

If true attribute LDAP search queries are recursive. Defaults to true.

to

The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as define in from. If the from is not defined too, value dn is used.

Table A.62. ldap-realm identity-mapping user-password-mapper Attributes

AttributeDescription

from

The name of the LDAP attribute to map to an identity attribute. If not defined, DN of entry is used.

verifiable

If true password can be used to verify the user. Defaults to true.

writable

If true password can be changed. Defaults to false.

Table A.63. ldap-realm identity-mapping otp-credential-mapper Attributes

AttributeDescription

algorithm-from

The name of the LDAP attribute of OTP algorithm.

hash-from

The name of the LDAP attribute of OTP hash function.

seed-from

The name of the LDAP attribute of OTP seed.

sequence-from

The name of the LDAP attribute of OTP sequence number.

Table A.64. ldap-realm identity-mapping x509-credential-mapper Attributes

AttributeDescription

certificate-from

The name of the LDAP attribute to map to an encoded user certificate. If not defined, encoded certificate will not be checked.

digest-algorithm

The digest algorithm, which is the hash function, used to compute digest of the user certificate. Will be used only if digest-from has been defined.

digest-from

The name of the LDAP attribute to map to a user certificate digest. If not defined, certificate digest will not be checked.

serial-number-from

The name of the LDAP attribute to map to a serial number of user certificate. If not defined, serial number will not be checked.

subject-dn-from

The name of the LDAP attribute to map to a subject DN of user certificate. If not defined, subject DN will not be checked.

Table A.65. logical-permission-mapper Attributes

AttributeDescription

left

Reference to the permission mapper to use to the left of the operation.

logical-operation

The logical operation to use to combine the permission mappers. Allowed values are and, or, xor, and unless.

right

Reference to the permission mapper to use to the right of the operation.

Table A.66. logical-role-mapper Attributes

AttributeDescription

left

Reference to a role mapper to be used on the left side of the operation.

logical-operation

The logical operation to be performed on the role mapper mappings. Allowed values are: and, minus, or, and xor.

right

Reference to a role mapper to be used on the right side of the operation.

Table A.67. mapped-regex-realm-mapper Attributes

AttributeDescription

delegate-realm-mapper

The realm mapper to delegate to if there is no match using the pattern.

pattern

The regular expression which must contain at least one capture group to extract the realm from the name.

realm-map

Mapping of realm name extracted using the regular expression to a defined realm name.

Table A.68. mechanism-provider-filtering-sasl-server-factory Attributes

AttributeDescription

enabling

If true no provider loaded mechanisms are enabled unless matched by one of the filters. This defaults to true.

filters

The list of filters to apply when comparing the mechanisms from the providers. A filter matches when all of the specified values match the mechanism and provider pair.

sasl-server-factory

Reference to a SASL server factory to be wrapped by this definition.

Table A.69. mechanism-provider-filtering-sasl-server-factory filters Attributes

AttributeDescription

mechanism-name

The name of the SASL mechanism this filter matches with.

provider-name

The name of the provider this filter matches.

provider-version

The version to use when comparing the provider’s version.

version-comparison

The equality to use when evaluating the Provider’s version. The allowed values are less-than and greater-than. The default value is less-than.

Table A.70. properties-realm Attributes

AttributeDescription

groups-attribute

The name of the attribute in the returned AuthorizationIdentity that should contain the group membership information for the identity.

groups-properties

The properties file containing the users and their groups.

users-properties

The properties file containing the users and their passwords.

Table A.71. properties-realm users-properties Attributes

AttributeDescription

digest-realm-name

The default realm name to use for digested passwords if one is not discovered in the properties file.

path

The path to the file containing the users and their passwords. The file should contain realm name declaration.

plain-text

If true the passwords in properties file stored in plain text. If false they are pre-hashed, taking the form of HEX( MD5( username \":\" realm \":\" password))). Defaults to false.

relative-to

The predefined path the path is relative to.

Table A.72. properties-realm groups-properties Attributes

AttributeDescription

path

The path to the file containing the users and their groups.

relative-to

The predefined path the path is relative to.

Table A.73. provider-http-server-mechanism-factory Attributes

AttributeDescription

providers

The providers to use to locate the factories. If not specified, the globally registered list of providers will be used.

Table A.74. provider-loader Attributes

AttributeDescription

argument

An argument to be passed into the constructor as the Provider is instantiated.

class-names

The list of the fully qualified class names of providers to load. These are loaded after the service-loader discovered providers, and any duplicates will be skipped.

configuration

The key and value configuration to be passed to the provider to initialize it.

module

The name of the module to load the provider from.

path

The path of the file to use to initialize the providers.

relative-to

The base path of the configuration file.

Table A.75. provider-sasl-server-factory Attributes

AttributeDescription

providers

The providers to use to locate the factories. If not specified, the globally registered list of providers will be used.

Table A.76. regex-principal-transformer Attributes

AttributeDescription

pattern

The regular expression to use to locate the portion of the name to be replaced.

replace-all

If true all occurrences of the pattern matched are replaced. If false only the first occurrence. is replaced. Defaults to false.

replacement

The value to be used as the replacement.

Table A.77. regex-validating-principal-transformer Attributes

AttributeDescription

match

If true the name must match the given pattern to make validation successful. If false the name must not match the given pattern to make validation successful. This defaults to true.

pattern

The regular expression to use for the principal transformer.

Table A.78. sasl-authentication-factory Attributes

AttributeDescription

mechanism-configurations

The list of mechanism specific configurations.

sasl-server-factory

The SASL server factory to associate with this resource.

security-domain

The security domain to associate with this resource.

Table A.79. sasl-authentication-factory mechanism-configurations Attributes

AttributeDescription

credential-security-factory

The security factory to use to obtain a credential as required by the mechanism.

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

host-name

The host name this configuration applies to.

mechanism-name

This configuration will only apply where a mechanism with the name specified is used. If this attribute is omitted then this will match any mechanism name.

mechanism-realm-configurations

The list of definitions of the realm names as understood by the mechanism.

protocol

The protocol this configuration applies to.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

realm-mapper

The realm mapper to be used by the mechanism.

Table A.80. sasl-authentication-factory mechanism-configurations mechanism-realm-configurations Attributes

AttributeDescription

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

realm-mapper

The realm mapper to be used by the mechanism.

realm-name

The name of the realm to be presented by the mechanism.

Table A.81. server-ssl-context Attributes

AttributeDescription

authentication-optional

If true rejecting of the client certificate by the security domain will not prevent the connection. This allows a fall through to use other authentication mechanisms, such as form login, when the client certificate is rejected by security domain. This has an effect only when the security domain is set. This defaults to false.

cipher-suite-filter

The filter to apply to specify the enabled cipher suites. This filter takes a list of items delimited by colons, commas, or spaces. Each item may be an OpenSSL-style cipher suite name, a standard SSL/TLS cipher suite name, or a keyword such as TLSv1.2 or DES. A full list of keywords as well as additional details on creating a filter can be found in the Javadoc for the CipherSuiteSelector class. The default value is DEFAULT, which corresponds to all known cipher suites that do not have NULL encryption and excludes any cipher suites that have no authentication.

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

key-manager

Reference to the key managers to use within the SSLContext.

maximum-session-cache-size

The maximum number of SSL/TLS sessions to be cached.

need-client-auth

If true a client certificate is required on SSL handshake. Connection without trusted client certificate will be rejected. This defaults to false.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

protocols

The enabled protocols. Allowed options are SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. This defaults to enabling TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.

Warning

Red Hat recommends that SSLv2, SSLv3, and TLSv1.0 be explicitly disabled in favor of TLSv1.1 or TLSv1.2 in all affected packages.

provider-name

The name of the provider to use. If not specified, all providers from providers will be passed to the SSLContext.

providers

The name of the providers to obtain the Provider[] to use to load the SSLContext.

realm-mapper

The realm mapper to be used for SSL authentication.

security-domain

The security domain to use for authentication during SSL/TLS session establishment.

session-timeout

The timeout for SSL/TLS sessions.

trust-manager

Reference to the trust-manager to use within the SSLContext.

use-cipher-suites-order

If true the cipher suites order defined on the server will be used. If false the cipher suites order presented by the client will be used. Defaults to true.

want-client-auth

If true a client certificate will be requested, but not required, on SSL handshake. If a security domain is referenced and supports X509 evidence, this will be set to true automatically. This is ignored when need-client-auth is set. This defaults to false.

wrap

If true, the returned SSLEngine, SSLSocket, and SSLServerSocket instances will be wrapped to protect against further modification. This defaults to false.

Note

The realm mapper and principal transformer attributes for a server-ssl-context apply only for the SASL EXTERNAL mechanism, where the certificate is verified by the trust manager. HTTP CLIENT-CERT authentication settings are configured in an http-authentication-factory.

Table A.82. service-loader-http-server-mechanism-factory Attributes

AttributeDescription

module

The module to use to obtain the class loader to load the factories. If not specified the class loader to load the resource will be used instead.

Table A.83. service-loader-sasl-server-factory Attributes

AttributeDescription

module

The module to use to obtain the class loader to load the factories. If not specified the class loader to load the resource will be used instead.

Table A.84. simple-permission-mapper Attributes

AttributeDescription

mapping-mode

The mapping mode that should be used in the event of multiple matches. Allowed values are, and, or, xor, unless, and first. The default is first.

permission-mappings

The list of defined permission mappings.

Table A.85. simple-permission-mapper permission-mappings Attributes

AttributeDescription

permission-sets

The permission sets to assign in the event of a match. Permission sets can be used to assign permissions to an identity.

permission-sets can take the following attribute:

  • permission-set

    A reference to a permission set.

Important

The permissions attribute is deprecated, and is replaced by permission-sets.

principals

The list of principals to compare when mapping permissions, if the identities principal matches any one in the list it is a match.

roles

The list of roles to compare when mapping permissions, if the identity is a member of any one in the list it is a match.

Table A.86. permission-set permission Attributes

AttributeDescription

action

The action to pass to the permission as it is constructed.

class-name

The fully qualified class name of the permission.

module

The module to use to load the permission.

target-name

The target name to pass to the permission as it is constructed.

Table A.87. simple-regex-realm-mapper Attributes

AttributeDescription

delegate-realm-mapper

The realm mapper to delegate to if there is no match using the pattern.

pattern

The regular expression which must contain at least one capture group to extract the realm from the name.

Table A.88. simple-role-decoder Attributes

AttributeDescription

attribute

The name of the attribute from the identity to map directly to roles.

Table A.89. token-realm Attributes

AttributeDescription

jwt

A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard.

oauth2-introspection

A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validates them using an endpoint compliant with the RFC-7662 OAuth2 Token Introspection specification.

principal-claim

The name of the claim that should be used to obtain the principal’s name. The default is username.

Table A.90. token-realm jwt Attributes

AttributeDescription

audience

A list of strings representing the audiences supported by this configuration. During validation JWT tokens must have an aud claim that contains one of the values defined here.

certificate

The name of the certificate with a public key to load from the keystore.

issuer

A list of strings representing the issuers supported by this configuration. During validation JWT tokens must have an iss claim that contains one of the values defined here.

key-store

A keystore from where the certificate with a public key should be loaded from.

public-key

A public key in PEM Format. During validation, if a public key is provided, the signature will be verified based on the key you provided here.

Table A.91. token-realm oauth2-introspection Attributes

AttributeDescription

client-id

The identifier of the client on the OAuth2 Authorization Server.

client-secret

The secret of the client.

client-ssl-context

The SSL context to be used if the introspection endpoint is using HTTPS.

host-name-verification-policy

A policy that defines how host names should be verified when using HTTPS. The only allowed value is ANY.

introspection-url

The URL of token introspection endpoint.

Table A.92. trust-manager Attributes

AttributeDescription

algorithm

The name of the algorithm to use to create the underlying TrustManagerFactory. This is provided by the JDK. For example, a JDK that uses SunJSSE provides the PKIX and SunX509 algorithms. More details on SunJSSE can be found in the Java Secure Socket Extension (JSSE) Reference Guide.

alias-filter

A filter to apply to the aliases returned from the keystore. This can either be a comma-separated list of aliases to return or one of the following formats:

  • ALL:-alias1:-alias2
  • NONE:+alias1:+alias2

certificate-revocation-list

Enables the certificate revocation list that can be checked by a trust manager. The attributes of certificate-revocation-list are:

  • path - The path to the configuration file that is used to initialize the provider.
  • relative-to - The base path of the certificate revocation list file.
  • maximum-cert-path - The maximum number of non-self-issued intermediate certificates that can exist in a certification path. The default value is 5.

See Using a Certificate Revocation List for more information.

key-store

Reference to the key-store to use to initialize the underlying TrustManagerFactory.

provider-name

The name of the provider to use to create the underlying TrustManagerFactory.

providers

Reference to obtain the Provider[] to use when creating the underlying TrustManagerFactory.

Table A.93. x500-attribute-principal-decoder Attributes

AttributeDescription

attribute-name

The name of the X.500 attribute to map. This can also be defined using the oid attribute.

convert

When set to true, the principal decoder will attempt to convert a principal to a X500Principal, if it is not already of that type. If the conversion fails, the original value is used as the principal.

joiner

The joining string. The default value is a period (.).

maximum-segments

The maximum number of occurrences of the attribute to map. The default value is 2147483647.

oid

The OID of the X.500 attribute to map. This can also be defined using the attribute-name attribute.

required-attributes

The list of attribute names of the attributes that must be present in the principal

required-oids

The list of OIDs of the attributes that must be present in the principal.

reverse

If true the attribute values will be processed and returned in reverse order. The default value is false.

start-segment

The starting occurrence of the attribute you want to map. This uses a zero-based index and the default value is 0.

A.2. Configure Your Environment to use the BouncyCastle Provider

You can configure your JBoss EAP installation to use a BouncyCastle provider. The Bouncy Castle JARs are not provided by Red Hat, and must be obtained directly from Bouncy Castle.

Important

Java 8 must be used when the BouncyCastle providers are specified, as the BouncyCastle APIs are only certified up to Java 8.

  1. Include both BouncyCastle JARs, beginning with bc-fips and bctls-fips, on your JDK’s classpath. For Java 8 this is accomplished by placing the JAR files in $JAVA_HOME/lib/ext.

  2. Using either of the following methods, include the BouncyCastle providers in your Java security configuration file:

    • A default configuration file, java.security, is provided in your JDK, and can be updated to include the BouncyCastle providers. This file is used if no other security configuration files are specified. See the JDK vendor’s documentation for the location of this file.

    • Define a custom Java security configuration file and reference it by adding the -Djava.security.properties==/path/to/java.security.properties system property.

      When referenced using two equal signs the default policy is overwritten, and only the providers defined in the referenced file are used. When a single equal sign is used, as in -Djava.security.properties=/path/to/java.security.properties, then the providers are appended to the default security file, preferring to use the file passed in the argument when keys are specified in both files. This option is useful when having multiple JVMs running on the same host that require different security settings.

    An example configuration file that defines these providers is seen below.

    Example: BouncyCastle Security Policy

    # We can override the values in the JRE_HOME/lib/security/java.security
# file here.  If both properties files specify values for the same key, the
# value from the command-line properties file is selected, as it is the last
# one loaded.  We can reorder and change security providers in this file.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
security.provider.4=com.sun.crypto.provider.SunJCE

# This is a comma-separated list of algorithm and/or algorithm:provider
# entries.
#
securerandom.strongAlgorithms=DEFAULT:BCFIPS

    Important

    If the default configuration file is updated, then every other security.provider.X line in this file, for example security.provider.2, must increase its value of X to ensure that this provider is given priority. Each provider must have a unique priority.

  3. Configure the elytron subsystem to exclusively use the BouncyCastle providers. By default, the system is configured to use both the elytron and openssl providers. Because it also includes a TLS implementation, it is recommended to disable the OpenSSL provider to ensure the TLS implementation from Bouncy Castle is used. 

    /subsystem=elytron:write-attribute(name=final-providers,value=elytron)

  4. Reload the server for the changes to take effect. 

    reload

A.3. SASL Authentication Mechanisms Reference

A.3.1. Support Level for SASL Authentication Mechanisms

NameSupport LevelComments

ANONYMOUS

Supported

 

DIGEST-SHA-512

Technology Preview

Supported but name not currently IANA registered.

DIGEST-SHA-256

Technology Preview

Supported but name not currently IANA registered.

DIGEST-SHA

Technology Preview

Supported but name not currently IANA registered.

DIGEST-MD5

Supported

 

EXTERNAL

Supported

 

GS2-KRB5

Supported

 

GS2-KRB5-PLUS

Supported

 

GSSAPI

Supported

 

JBOSS-LOCAL-USER

Supported

Supported but name not currently IANA registered.

OAUTHBEARER

Supported

 

OTP

Not supported

 

PLAIN

Supported

 

SCRAM-SHA-1

Supported

 

SCRAM-SHA-1-PLUS

Supported

 

SCRAM-SHA-256

Supported

 

SCRAM-SHA-256-PLUS

Supported

 

SCRAM-SHA-384

Supported

 

SCRAM-SHA-384-PLUS

Supported

 

SCRAM-SHA-512

Supported

 

SCRAM-SHA-512-PLUS

Supported

 

9798-U-RSA-SHA1-ENC

Not supported

 

9798-M-RSA-SHA1-ENC

Not supported

 

9798-U-DSA-SHA1

Not supported

 

9798-M-DSA-SHA1

Not supported

 

9798-U-ECDSA-SHA1

Not supported

 

9798-M-ECDSA-SHA1

Not supported

 

A.3.2. SASL Authentication Mechanism Properties

You can see a list of standard Java SASL authentication mechanism properties in the Java documentation. Other JBoss EAP-specific SASL authentication mechanism properties are listed in the following tables.

Table A.94. SASL Properties Used During SASL Mechanism Negotiation or Authentication Exchange

PropertyClient / ServerDescription

com.sun.security.sasl.digest.realm

Server

Used by some SASL mechanisms, including the DIGEST-MD5 algorithm supplied with most Oracle JDKs, to provide the list of possible server realms to the mechanism. Each realm name must be separated by a space character (U+0020).

com.sun.security.sasl.digest.utf8

Client, server

Used by some SASL mechanisms, including the DIGEST-MD5 algorithm supplied with most Oracle JDKs, to indicate that information exchange should take place using UTF-8 character encoding instead of the default Latin-1/ISO-8859-1 encoding. The default value is true.

wildfly.sasl.authentication-timeout

Server

The amount of time, in seconds, after which a server should terminate an authentication attempt. The default value is 150 seconds.

wildfly.sasl.channel-binding-required

Client, server

Indicates that a mechanism which supports channel binding is required. A value of true indicates that channel binding is required. Any other value, or lack of this property, indicates that channel binding is not required.

wildfly.sasl.digest.alternative_protocols

Server

Supplies a separated list of alternative protocols that are acceptable in responses received from the client. The list can be space, comma, tab, or new line separated.

wildfly.sasl.gssapi.client.delegate-credential

Client

Specifies if the GSSAPI mechanism supports credential delegation. If set to true, the credential is delegated from the client to the server.

This property defaults to true if a GSSCredential is provided using the javax.security.sasl.credentials property. Otherwise, the default value is false.

wildfly.sasl.gs2.client.delegate-credential

Client

Specifies if the GS2 mechanism supports credential delegation. If set to true, the credential is delegated from the client to the server.

This property defaults to true if a GSSCredential is provided using a CredentialCallback. Otherwise, the default value is false.

wildfly.sasl.local-user.challenge-path

Server

Specifies the directory in which the server generates the challenge file. The default value is the java.io.tmpdir system property.

wildfly.sasl.local-user.default-user

Server

The user name to use for silent authentication.

wildfly.sasl.local-user.quiet-auth

Client

Enables silent authentication for a local user. The default value is true.

Note that the EJB client and naming client disables silent local authentication if this property is not explicitly defined and a callback handler or user name was specified in the client configuration.

wildfly.sasl.local-user.use-secure-random

Server

Specifies whether the server uses a secure random number generator when creating the challenge. The default value is true.

wildfly.sasl.mechanism-query-all

Client, server

Indicates that all possible supported mechanism names should be returned, regardless of the presence or absence of any other properties.

This property is only effective on calls to SaslServerFactory#getMechanismNames(Map) or SaslClientFactory#getMechanismNames(Map) for Elytron-provided SASL factories.

wildfly.sasl.otp.alternate-dictionary

Client

Provides an alternate dictionary to the OTP SASL mechanism. Each dictionary word must be separated by a space character (U+0020).

wildfly.sasl.relax-compliance

Server

The specifications for the SASL mechanisms mandate certain behavior and verification of that behavior at the opposite side of the connection. When interacting with other SASL mechanism implementations, some of these requirements are interpreted loosely. If this property is set to true, checking is relaxed where differences in specification interpretation has been identified. The default value is false.

wildfly.sasl.scram.min-iteration-count

Client, server

The minimum iteration count to use for SCRAM. The default value is 4096.

wildfly.sasl.scram.max-iteration-count

Client, server

The maximum iteration count to use for SCRAM. The default value is 32786.

wildfly.sasl.secure-rng

Client, server

The algorithm name of a SecureRandom implementation to use. Using this property can improve security, at the cost of performance.

wildfly.security.sasl.digest.ciphers

Client, server

Comma-separated list of supported ciphers that directly limits the set of supported ciphers for SASL mechanisms.

Table A.95. SASL Properties Used After Authentication

PropertyClient / ServerDescription

wildfly.sasl.principal

Client

Contains the negotiated client principal after a successful SASL client-side authentication.

wildfly.sasl.security-identity

Server

Contains the negotiated security identity after a successful SASL server-side authentication.

A.4. Security Authorization Arguments

Arguments to the security commands in JBoss EAP are determined by the defined mechanism. Each mechanism requires different properties, and it is recommended to use tab completion to examine the various requirements for the defined mechanism.

Table A.96. Universal Arguments

AttributeDescription

--mechanism

Specifies the mechanism to enable or disable. A list of supported SASL mechanisms is available at Support Level for SASL Authentication Mechanisms, and the BASIC, CLIENT_CERT, DIGEST, DIGEST-SHA-256, and FORM HTTP authentication mechanisms are currently supported.

--no-reload

If specified, then the server is not reloaded after the security command is completed.

Mechanism Specific Attributes

The following attributes are only eligible for specific mechanisms. They are grouped below based on their function.

Table A.97. key-store Realm

AttributeDescription

--key-store-name

The name of the truststore as an existing keystore. This must be specified if --key-store-realm-name is not used for the EXTERNAL SASL mechanism or the CLIENT_CERT HTTP mechanism.

--key-store-realm-name

The name of the truststore as an existing keystore realm. This must be specified if --key-store-name is not used for the EXTERNAL SASL mechanism or the CLIENT_CERT HTTP mechanism.

--roles

An optional argument that defines a comma separated list of roles associated with the current identity. If no existing role mapper contains the specified list of roles, then a role mapper will be generated and assigned.

Table A.98. file-system Realm

AttributeDescription

--exposed-realm

The realm exposed to the user.

--file-system-realm-name

The name of the filesystem realm.

--user-role-decoder

The name of the role decoder used to extract the roles from the user’s repository. This attribute is only used if --file-system-realm-name is specified.

Table A.99. Properties Realm

AttributeDescription

--exposed-realm

The realm exposed to the user. This value must match the realm-name defined in the user’s properties file.

--groups-properties-file

A path to the properties file that contains the groups attribute for management operations, or the roles for the undertow server.

--properties-realm-name

The name of an existing properties realm.

--relative-to

Adjusts the paths of --group-properties-file and --users-properties-file to be relative to a system property.

--users-properties-file

A path to the properties file that contains the user details.

Table A.100. Miscellaneous Properties

AttributeDescription

--management-interface

The management interface to configure for management authentication commands. This defaults to the http-interface.

--new-auth-factory-name

Used to specify a name for the authentication factory. If not defined, a name is automatically created.

--new-realm-name

Used to specify a name for the properties file realm resource. If not defined, a name is automatically created.

--new-security-domain

Used to specify a name for the security domain. If not defined, a name is automatically created.

--super-user

Configures a local user with super-user permissions. Usable with the JBOSS-LOCAL-USER mechanism.

A.5. Elytron Client Side One Way Example

After configuring a server SSL context, it is important to test the configuration if possible. An Elytron client SSL context can be placed in a configuration file and then executed from the management CLI, allowing functional testing of the server configuration. These steps assume that the server-side configuration is completed, and the server has been reloaded if necessary.

  1. If the server keystore already exists, then proceed to the next step; otherwise, create the server keystore. 

    $ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

  2. If the server certificate has already been exported, then proceed to the next step; otherwise, export the server certificate. 

    $ keytool -exportcert  -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer

  3. Import the server certificate into the client’s truststore. 

    $ keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer

  4. Define the client-side SSL context inside of example-security.xml. This configuration file contains an Elytron authentication-client that defines the authentication and SSL configuration for outbound connections. The following file demonstrates defining a client SSL context and keystore. 

    <?xml version="1.0" encoding="UTF-8"?>

<configuration>
    <authentication-client xmlns="urn:elytron:client:1.2">
        <key-stores>
            <key-store name="clientStore" type="jks" >
                <file name="/path/to/client.truststore.jks"/>
                <key-store-clear-password password="secret" />
            </key-store>
        </key-stores>
        <ssl-contexts>
            <ssl-context name="client-SSL-context">
                <trust-store key-store-name="clientStore" />
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <rule use-ssl-context="client-SSL-context" />
        </ssl-context-rules>
    </authentication-client>
</configuration>

  5. Using the management CLI, reference the newly created file and attempt to access the server. The following command accesses the management interface and executes the whoami command. 

    $ EAP_HOME/bin/jboss-cli.sh -c --controller=remote+https://127.0.0.1:9993 -Dwildfly.config.url=/path/to/example-security.xml :whoami

A.6. Elytron Client Side Two Way Example

After configuring a server SSL context, it is important to test the configuration if possible. An Elytron client SSL context can be placed in a configuration file and then executed from the management CLI, allowing functional testing of the server configuration. These steps assume that the server-side configuration is completed, and the server has been reloaded if necessary.

  1. If the server and client keystores already exist, then proceed to the next step; otherwise, create the server and client keystores. 

    $ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
$ keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret

  2. If the server and client certificates have already been exported, then proceed to the next step; otherwise, export the server and client certificates. 

    $ keytool -exportcert  -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
$ keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer

  3. Import the server certificate into the client’s truststore. 

    $ keytool -importcert -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer

  4. Import the client certificate into the server’s truststore. 

    $ keytool -importcert -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer

  5. Define the client-side SSL context inside of example-security.xml. This configuration file contains an Elytron authentication-client that defines the authentication and SSL configuration for outbound connections. The following file demonstrates defining a client SSL context and keystore. 

    <?xml version="1.0" encoding="UTF-8"?>

<configuration>
    <authentication-client xmlns="urn:elytron:client:1.2">
        <key-stores>
            <key-store name="clientStore" type="jks" >
                <file name="/path/to/client.truststore.jks"/>
                <key-store-clear-password password="secret" />
            </key-store>
        </key-stores>
        <key-store name="clientKeyStore" type="jks" >
            <file name="/path/to/client.keystore.jks"/>
            <key-store-clear-password password="secret" />
        </key-store>
        <ssl-contexts>
            <ssl-context name="client-SSL-context">
                <trust-store key-store-name="clientStore" />
                <key-store-ssl-certificate key-store-name="clientKeyStore" alias="client">
                    <key-store-clear-password password="secret" />
                </key-store-ssl-certificate>
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <rule use-ssl-context="client-SSL-context" />
        </ssl-context-rules>
    </authentication-client>
</configuration>

  6. Using the management CLI, reference the newly created file and attempt to access the server. The following command accesses the management interface and executes the whoami command. 

    $ EAP_HOME/bin/jboss-cli.sh -c --controller=remote+https://127.0.0.1:9993 -Dwildfly.config.url=/path/to/example-security.xml :whoami





Revised on 2019-09-26 10:52:34 UTC