Security Configuration Changes for Java SE 17 Support in Red Hat JBoss EAP
Overview
Red Hat JBoss Enterprise Application Platform 7.4 Update 7 and later support Java SE 17; see [5]. However, not all of EAP 7.4's functionality is supported on Java 17, including some functionality that is present in EAP's out-of-the-box configuration files. In this article we'll discuss what features are not supported on Java 17 and provide information on how to configure EAP to use alternative features.
Elytron Security, Legacy Security and the java.security.acl Package
Java 17 is largely API compatible with the Java 8 and Java 11 versions that EAP 7.4 also supports. However, one significant incompatible API change was the removal of the java.security.acl package. The 'legacy' security layer used since EAP 6 makes heavy use of the java.security.acl package, and therefore will not work on a Java 17 runtime.
However, since EAP 7.1, the appserver has supported and recommends the use of an alternative security layer based on the Elytron project. The Elytron security layer does not use the java.security.acl package and will work fine on a Java 17 JVM.
The legacy security layer is deprecated in EAP 7 and will not be present in EAP 8.
Required Configuration Changes
The standard out-of-the-box configurations files in the EAP 7.4 distribution configure the legacy security layer. So to run on Java 17 those configurations, or customized configurations that use legacy security, will need to be modified.
- The legacy core security realms are not supported on Java 17 on servers or host controllers not running in
admin-onlymode. These are thesecurity-realmelements found under the 'management' element in a standalone.xml or host.xml file, administered via the CLI at/core-service=management/security-realm=*addresses. The security realm resources provided by the Elytron subsystem should be used instead. - Use of the Picketbox-based security vault is not supported. on Java 17. Elytron credential stores[1] should be used instead.
- The
org.jboss.as.securityextension and thesecuritysubsystem it provides are no longer supported on servers not running inadmin-onlymode. The extension and subsystem can still be used on an EAP 7.4 Domain Controller running on Java 17 to allow it to manage hosts running on Java 8 or Java 11. - The
org.wildlfy.extension.picketlinkextension and thepicketlink-federationandpicketlink-idmsubsystems it provides are not supported on Java 17 on servers not running inadmin-onlymode. They can still be used on an EAP 7.4 Domain Controller running on Java 17 to allow it to manage hosts running on Java 8 or Java 11. Integration with RH-SSO should be used instead of these extensions.
Note that the reason use of the legacy security and picketlink extensions is allowed on an 'admin-only' server is only to allow a server with a configuration using those to boot so an administrator can then use the CLI to alter the server configuration to use Elytron.
Converting from a legacy security configuration to a pure Elytron one can be quite straightforward if your security configuration matches the standard configuration files that come with EAP 7.4, or it may be complex if your security configuration is highly customized. The Migrating to Elytron chapter in the EAP 7.4 Migration Guide[2] provides information on how to migrate a security configuration to Elytron. The Security Architecture guide[3] and the How to Configure Server Security guide[4] also provide useful information.
Example CLI Script
Beginning with the EAP 7.4 Update 5, and EAP installation will include a $JBOSS_HOME/docs/examples/enable-elytron-se17.cli CLI script. This illustrates possible CLI commands to move from a legacy security based configuration to one based solely on Elytron security.
Standalone Mode
To use the script, after backing up your configuration directory, open a terminal in the $JBOSS_HOME directory and run the CLI as follows:
bin/jboss-cli.sh --file=docs/examples/enable-elytron-se17.cli
That command will update the $JBOSS_HOME/standalone/configuration/standalone.xml configuration. To modify a different configuration, set the config system property to specify the name of the desired configuration file. (The file must be located in the configuration directory.)
bin/jboss-cli.sh --file=docs/examples/enable-elytron-se17.cli -Dconfig=standalone-full.xml
Domain Mode
Similarly to standalone mode, there is an example domain mode script in EAP 7.4 Update 8+
To use the script, after backing up your configuration directory, open a terminal in the $JBOSS_HOME directory and run the CLI as follows:
bin/jboss-cli.sh --file=docs/examples/enable-elytron-se17-domain.cli
Note that this is not a migration script for all security configuration. The purpose of this script is not to perform complex configuration migrations; rather it is meant to illustrate the basic changes and can be used to convert the out-of-the-box standalone configuration files in the $JBOSS_HOME/standalone/configuration directory. However, if you have modified your legacy security configuration from EAP's standard out-of-the-box settings, you may need to perform further modifications in order to get a configuration with equivalent functionality. For more information on this, see the Migrating to Elytron chapter in the EAP 7.4 Migration Guide[2]
If the management interfaces were secured with LDAP using Legacy Management Authentication, follow [6] to configure LDAP with Elytron
If the CLI commands fails with following error, follow article 7004585
The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error): WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed: Step: step-2
[1] <https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html/how_to_configure_server_security/con-secure-storage-for-credentials_default>
[2] <https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html/migration_guide/migrating_to_elytron>
[3] <https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html/security_architecture/index>
[4] <https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html/how_to_configure_server_security/index>
[5] <https://access.redhat.com/articles/6961884>
[6] <https://access.redhat.com/solutions/6603181>