Can I close mail-smtp port on Wildfly? - wildfly

I want to close the mail-smtp port.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <!--<outbound-socket-binding name="mail-smtp">-->
    <!--<remote-destination host="localhost" port="25"/>-->
    <!--</outbound-socket-binding>-->
</socket-binding-group>
Can I disable the mail subsystem if I will not use mail?
<subsystem xmlns="urn:jboss:domain:mail:2.0">
    <mail-session name="default" jndi-name="java:jboss/mail/Default">
        <smtp-server outbound-socket-binding-ref="mail-smtp"/>
    </mail-session>
</subsystem>

If you need to remove the mail service, the subsystem can be removed:
Remove the extension: <extension module="org.jboss.as.mail"/>
Remove the complete mail subsystem:
<subsystem xmlns="urn:jboss:domain:mail:2.0">
    <mail-session name="default" jndi-name="java:jboss/mail/Default">
        <smtp-server outbound-socket-binding-ref="mail-smtp"/>
    </mail-session>
</subsystem>
Remove the outbound-socket-binding mail-smtp:
<outbound-socket-binding name="mail-smtp">
    <remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
You can also use the CLI to remove the subsystem:
/subsystem=mail:remove
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=mail-smtp:remove
/extension=org.jboss.as.mail:remove
:reload
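As an added example (not code from the answer above or from WildFly itself), a small Python audit that parses a standalone.xml, reports the three mail items the answer removes, flags the half-removed state from the question (the mail subsystem still referencing a commented-out mail-smtp binding, a dangling reference the server reports as a missing dependency at startup), and lists the CLI commands still needed. The sample XML is constructed for the example.

```python
"""Audit a WildFly standalone.xml for leftover mail (SMTP) configuration.
Added example, not code from the original answer: it reports the items the answer
removes and flags the half-removed state from the question (binding commented out,
subsystem still referencing it)."""
import xml.etree.ElementTree as ET

MAIL_EXTENSION = "org.jboss.as.mail"
MAIL_NS_PREFIX = "urn:jboss:domain:mail:"
# Constructed sample in the question's state. ElementTree drops the commented-out
# binding while parsing, just as the server ignores it.
HALF_REMOVED = """<server xmlns="urn:jboss:domain:4.0">
  <extensions><extension module="org.jboss.as.mail"/></extensions>
  <profile>
    <subsystem xmlns="urn:jboss:domain:mail:2.0">
      <mail-session name="default" jndi-name="java:jboss/mail/Default">
        <smtp-server outbound-socket-binding-ref="mail-smtp"/>
      </mail-session>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <!--<outbound-socket-binding name="mail-smtp">-->
    <!--<remote-destination host="localhost" port="25"/>-->
    <!--</outbound-socket-binding>-->
  </socket-binding-group>
</server>"""
FULLY_CONFIGURED = HALF_REMOVED.replace("<!--", "").replace("-->", "")  # before edits

def split_tag(tag):
    """Return (namespace, local-name) from ElementTree's '{ns}name' form."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def audit_mail_config(xml_text):
    """Describe the mail-related surface and any inconsistent references."""
    elems = list(ET.fromstring(xml_text).iter())
    has_ext = any(e.get("module") == MAIL_EXTENSION for e in elems if split_tag(e.tag)[1] == "extension")
    mail_subs = [e for e in elems if split_tag(e.tag)[1] == "subsystem"
                 and split_tag(e.tag)[0].startswith(MAIL_NS_PREFIX)]
    mail_refs = {s.get("outbound-socket-binding-ref") for sub in mail_subs
                 for s in sub.iter() if s.get("outbound-socket-binding-ref")}
    bindings = {}  # outbound-socket-binding name -> enclosing socket-binding-group
    for grp in elems:
        if split_tag(grp.tag)[1] == "socket-binding-group":
            for b in grp.iter():
                if split_tag(b.tag)[1] == "outbound-socket-binding":
                    bindings[b.get("name")] = grp.get("name")
    return {
        "extension": has_ext,
        "subsystem": bool(mail_subs),
        # mail-related bindings: referenced by a mail session or named mail-*
        "mail_bindings": {n: g for n, g in bindings.items()
                          if n in mail_refs or n.startswith("mail-")},
        # referenced by the subsystem but not defined: a missing dependency at boot
        "dangling_refs": sorted(mail_refs - set(bindings)),
    }

def removal_commands(report):
    """jboss-cli commands from the answer, for whatever the audit still found."""
    cmds = ["/subsystem=mail:remove"] if report["subsystem"] else []
    cmds += ["/socket-binding-group=%s/remote-destination-outbound-socket-binding=%s:remove"
             % (grp, name) for name, grp in sorted(report["mail_bindings"].items())]
    if report["extension"]:
        cmds.append("/extension=%s:remove" % MAIL_EXTENSION)
    return cmds + [":reload"] if cmds else cmds
```

Run `audit_mail_config(HALF_REMOVED)` to see the dangling `mail-smtp` reference from the question, and `audit_mail_config(FULLY_CONFIGURED)` to get all four CLI commands from the answer.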

Related

Expose JBOSS Webservices only via CA Authentication

I'm currently trying to fix an issue in our JBOSS deployment with different SOAP endpoints; we are trying to close the webservice interface over https (port 8443) to only allow it via CA authentication (port 8444).
We are using JBOSS 7.4.7 and JDK 11.
Here are the JBOSS standalone configurations:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="https" port="8443"/>
    <socket-binding name="httpsca" port="8444"/>
</socket-binding-group>
[...]
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <buffer-cache name="default"/>
    <server name="default-server">
        <https-listener name="https" socket-binding="https" max-post-size="0" secure="true" ssl-context="ssl"/>
        <https-listener name="httpsca" socket-binding="httpsca" max-post-size="0" secure="true" ssl-context="sslca"/>
    </server>
[...]
<subsystem xmlns="urn:jboss:domain:webservices:2.0" statistics-enabled="${wildfly.webservices.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <modify-wsdl-address>true</modify-wsdl-address>
    <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
    <wsdl-port>8444</wsdl-port>
    <wsdl-secure-port>8444</wsdl-secure-port>
    <endpoint-config name="Standard-Endpoint-Config"/>
    <endpoint-config name="Recording-Endpoint-Config"/>
    <client-config name="Standard-Client-Config"/>
</subsystem>
<tls>
    <key-stores>
        <key-store name="test">
            <credential-reference clear-text="****"/>
            <implementation type="JKS"/>
            <file path="ssl_keystore.jks" relative-to="jboss.server.config.dir"/>
        </key-store>
        <key-store name="test-trusted">
            <credential-reference clear-text="****"/>
            <implementation type="JKS"/>
            <file path="ssl_truststore.jks" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="serverssl" key-store="test">
            <credential-reference clear-text="****"/>
        </key-manager>
    </key-managers>
    <trust-managers>
        <trust-manager name="serverssl-ca" key-store="test-trusted"/>
    </trust-managers>
    <server-ssl-contexts>
        <server-ssl-context name="test-ssl" cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" protocols="TLSv1.2 TLSv1.3" key-manager="serverssl"/>
        <server-ssl-context name="test-sslca" cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" protocols="TLSv1.2 TLSv1.3" need-client-auth="true" key-manager="serverssl" trust-manager="serverssl-ca"/>
    </server-ssl-contexts>
</tls>
We are having trouble setting only one port for the WSDL endpoint.
1. If I don't set <wsdl-secure-port>, then JBOSS throws an error because it tries to create an http endpoint which is not active at all. It also occurs if I only set the <wsdl-secure-port> and not the <wsdl-port>.
Are we doing something wrong or is that a bug in JBOSS?
Thanks for any help and tips in advance.

JBoss HTTPS connection dies after a while

I have a JBoss 7.2 app server. When I start the server, I am able to connect to both the http and https ports, but after the server has been running for a while I am not able to connect to the https port anymore. The http port still works, so the server is still running. I tail the logs when I try to connect to the https port but nothing shows up, and when I do a netstat on the https port, the port is still listening. Has anyone had this type of issue before?
JBoss standalone.xml configuration:
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="${jboss.home.dir}/standalone/configuration/XXXXX.keystore" keystore-password="XXXXXXXXX" alias="1"/>
        </ssl>
    </server-identities>
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enabled-protocols="TLSv1.1,TLSv1.2" enable-http2="true" ssl-session-cache-size="500" ssl-session-timeout="1800"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <access-log pattern="%h %l %u %t %r %s %b %{i,Referer} %{i,User-Agent} %S %T %{i,X-Forwarded-For}" prefix="access_log_"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
</subsystem>

JBoss EAP is up and running but isn't accessible through web browser

I am running a deployed application on localhost and accessing it from a browser, but I am not able to reach it in the browser even though 8080 is listening.
Sometimes it shows "Refused to connect" or "Webpage not found".
This is my standalone.xml:
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:0.0.0.0}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:0.0.0.0}"/>
    </interface>
    <interface name="unsecure">
        <inet-address value="${jboss.bind.address.unsecure:0.0.0.0}"/>
    </interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
    <socket-binding name="ajp" port="8009"/>
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
    <socket-binding name="jacorb" interface="unsecure" port="3528"/>
    <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
    <socket-binding name="messaging" port="5445"/>
    <socket-binding name="messaging-group" port="0" multicast-address="${jboss.messaging.group.address:231.7.7.7}" multicast-port="${jboss.messaging.group.port:9876}"/>
    <socket-binding name="messaging-throughput" port="5455"/>
    <socket-binding name="remoting" port="4447"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
    <outbound-socket-binding name="remote-ejb-connection1">
        <remote-destination host="localhost" port="4689"/>
    </outbound-socket-binding>
</socket-binding-group>
<deployments>
    <deployment name="ace-ear-1.0.11-SNAPSHOT.ear" runtime-name="ace-ear-1.0.11-SNAPSHOT.ear">
        <content sha1="213bc2a0282e8488d75711d9c49fbdb2c607e84b"/>
    </deployment>
    <deployment name="ace-admin-ear-1.0.11-SNAPSHOT-LOCAL.ear" runtime-name="ace-admin-ear-1.0.11-SNAPSHOT-LOCAL.ear">
        <content sha1="d609bf2cc5284b06229579c64eed2570ebc3b7ca"/>
    </deployment>
</deployments>
As you have mentioned that sometimes you were getting "Refused to connect" or "Webpage not found", can you clarify whether it is working most of the time and you only sometimes get this error, or whether it happens every time?
Can you check in your server log that the 8080 port is listening on your configured IP? For example:
INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener http listening on 127.0.0.1:8080

wildfly/eap domain mode remoting ldap authentification

I have a problem with WildFly 10/11/12. I successfully set up WF in domain mode with http management, using complete AD authentication. I cannot set remoting port 4447 to use AD auth. I tested it with local mgmt-users.properties and mgmt-groups.properties and everything worked fine.
Now I'm testing this:
1) LDAP works for http://127.0.0.1:9990/console/ (my user has all AD groups)
2) LDAP works with jconsole service:jmx:remote+http://127.0.0.1:9990 (Domain Controller)
3) AD auth is not working here, while with local mgmt-users everything works fine:
service:jmx:remote+http://127.0.0.1:4447
service:jmx:remote://127.0.0.1:4447
Why do I need this? I need to monitor datasource stats from each server. Monitoring over the HC does not give me this data. This config uses 2 LDAPs: one for http management and another for testing the remoting port (RemotingRealm). Can you please help me set it up to use both LDAPs?
I used this how-to to enable remoting in domain mode:
https://kb.novaordis.com/index.php/JMX_Access_to_Domain_Mode_EAP_7_Server_Node
Complete domain and host files:
https://tomashermanek.cz/download/domain.xml
https://tomashermanek.cz/download/host.xml
domain.xml
...
<management>
    <access-control provider="rbac">
        <role-mapping>
            <role name="SuperUser">
                <include>
                    <group name="_wildfly_adm"/>
                </include>
            </role>
            <role name="Administrator">
                <include>
                    <group name="_wildfly_adm"/>
                </include>
            </role>
            <role name="Auditor">
                <include>
                    <group name="_wildfly_audit"/>
                </include>
            </role>
            <role name="Deployer">
                <include>
                    <group name="_wildfly_deploy"/>
                </include>
            </role>
            <role name="Maintainer">
                <include>
                    <group name="_wildfly_maintain"/>
                </include>
            </role>
            <role name="Monitor">
                <include>
                    <group name="_wildfly_monit"/>
                </include>
            </role>
            <role name="Operator">
                <include>
                    <group name="_wildfly_ops"/>
                </include>
            </role>
        </role-mapping>
    </access-control>
</management>
...
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
    <expose-resolved-model/>
    <expose-expression-model/>
    <remoting-connector use-management-endpoint="false"/>
    <sensitivity non-core-mbeans="true"/>
</subsystem>
<subsystem xmlns
...
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
...
<socket-binding-groups>
    <socket-binding-group name="ha-sockets" default-interface="public">
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        <socket-binding name="jgroups-mping" interface="private" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
        <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
        <socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
        <socket-binding name="modcluster" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <socket-binding name="remoting" port="4447"/>
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>
host.xml
...
<security-realm name="LdapRealm">
    <authentication>
        <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
            <username-filter attribute="sAMAccountName"/>
        </ldap>
    </authentication>
    <authorization>
        <ldap connection="ldap">
            <group-search group-dn-attribute="cn" group-name-attribute="cn">
                <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=Groups,OU=Corp-Restricted,DC=example,DC=internal">
                    <membership-filter principal-attribute="member"/>
                </group-to-principal>
            </group-search>
        </ldap>
    </authorization>
</security-realm>
<security-realm name="RemotingRealm">
    <authentication>
        <ldap connection="ldap" base-dn="DC=example,DC=com" recursive="true">
            <username-filter attribute="sAMAccountName"/>
        </ldap>
    </authentication>
    <authorization>
        <ldap connection="ldap">
            <group-search group-dn-attribute="cn" group-name-attribute="cn">
                <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="OU=Groups,OU=Corp-Restricted,DC=example,DC=internal">
                    <membership-filter principal-attribute="member"/>
                </group-to-principal>
            </group-search>
        </ldap>
    </authorization>
</security-realm>
</security-realms>
<outbound-connections>
    <ldap name="ldap" url="ldap://ldap.server.one">
        <properties>
            <property name="java.naming.security.principal" value="search_user"/>
            <property name="java.naming.security.credentials" value="password"/>
            <property name="java.naming.security.authentication" value="simple"/>
        </properties>
    </ldap>
</outbound-connections>
...
<management-interfaces>
    <native-interface security-realm="ManagementRealm">
        <socket interface="management" port="${jboss.management.native.port:9999}"/>
    </native-interface>
    <http-interface security-realm="LdapRealm">
        <http-upgrade enabled="true"/>
        <socket interface="management" port="${jboss.management.http.port:9990}"/>
    </http-interface>
</management-interfaces>
Log from server dev-001:
2018-04-06 15:26:16,598 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = tomas.hermanek
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Non caching search for 'tomas.hermanek'
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Performing recursive search
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,598 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,621 TRACE [org.wildfly.security] (default task-1) Principal assigning: [tomas.hermanek], pre-realm rewritten: [tomas.hermanek#RemotingRealm], realm name: [PLAIN], post-realm rewritten: [tomas.hermanek#RemotingRealm], realm rewritten: [tomas.hermanek#RemotingRealm]
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Non caching search for 'tomas.hermanek'
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Performing recursive search
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Searching for user 'tomas.hermanek' using filter '(sAMAccountName={0})'.
2018-04-06 15:26:16,621 TRACE [org.jboss.as.domain.management.security] (default task-1) Connecting to LDAP with properties ({java.naming.provider.url=ldap://10.1.31.10, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=ignore})
2018-04-06 15:26:16,641 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05013: Authentication mechanism password not verified
at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:127)
at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:745)
2018-04-06 15:26:16,641 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection
If LdapRealm and RemotingRealm are the same, and this does not work even when you replace RemotingRealm with LdapRealm, then this seems like a bug.

Integration test with Arquillian doesn't work on JBoss EAP 6 remote on Linux

When I try to execute an integration test with Arquillian and JBoss EAP 6 remote on Linux, it now returns:
org.jboss.arquillian.container.spi.client.container.DeploymentException: Could not deploy to container: Authentication failed: all available authentication mechanisms failed
On Windows it works very well, both as localhost and from another machine.
This is my configuration:
File arquillian.xml:
<defaultProtocol type="Servlet 3.0" />
<container qualifier="jboss7" default="true">
    <configuration>
        <property name="managementAddress">127.0.0.1</property>
        <property name="managementPort">9999</property>
        <property name="username">deploy</property>
        <property name="password">xxxx</property>
    </configuration>
</container>
pom.xml:
<profile>
    <id>test-int</id>
    <dependencies>
        <dependency>
            <groupId>org.jboss.arquillian.junit</groupId>
            <artifactId>arquillian-junit-container</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.as</groupId>
            <artifactId>jboss-as-arquillian-container-remote</artifactId>
            <version>7.1.2.Final</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.jboss.arquillian.protocol</groupId>
            <artifactId>arquillian-protocol-servlet</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
</profile>
standalone.xml (JBoss EAP 6.0):
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:0.0.0.0}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:0.0.0.0}"/>
    </interface>
    <!-- TODO - only show this if the jacorb subsystem is added -->
    <interface name="unsecure">
        <!--
          ~ Used for IIOP sockets in the standard configuration.
          ~ To secure JacORB you need to setup SSL
        -->
        <inet-address value="${jboss.bind.address.unsecure:0.0.0.0}"/>
    </interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
    <socket-binding name="ajp" port="8009"/>
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
    <socket-binding name="osgi-http" interface="management" port="8090"/>
    <socket-binding name="remoting" port="4447"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
Can anyone help me?
Try adding a management user in your remote instance; in your case:
user deploy/