Unable to remote connect to JMX Console
Environment
- Red Hat JBoss Enterprise Application Platform (JBoss EAP)
- 7.2.0
Issue
- We are trying to connect to the JMX port from JMC for monitoring purposes. The remote+https port is secured using Elytron, which connects to LDAP. We get the following error when connecting to the port from the client:
[org.jboss.remoting.remote.server] (default task-2) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05012: Authentication mechanism server-side authentication failed [Caused by org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [uid=userId,ou=People,dc=example,dc=com] and absolute DN [null]]
    at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:121)
    at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
    at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
    at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
    at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
    ...
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [uid=userId,ou=People,dc=example,dc=com] and absolute DN [null]
    at org.wildfly.security.auth.realm.ldap.DirectEvidenceVerifier$1.verifyEvidence(DirectEvidenceVerifier.java:104)
    at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:609)
    at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
    at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
    at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
    ...
    at org.wildfly.security.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:117)
    ... 12 more
Caused by: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.ClassNotFoundException: org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory from [Module "org.wildfly.extension.io" version 6.0.11.Final-redhat-00001 from local module loader @7f560810 (finder: local module finder @69d9c55 (roots: /opt/appserver/EAP/jboss-eap-7.2/modules,/opt/appserver/EAP/jboss-eap-7.2/modules/system/layers/base))]]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
    at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2699)
    ...
    ... 21 more
Caused by: java.lang.ClassNotFoundException: org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory from [Module "org.wildfly.extension.io" version 6.0.11.Final-redhat-00001 from local module loader @7f560810 (finder: local module finder @69d9c55 (roots: /opt/appserver/EAP/jboss-eap-7.2/modules,/opt/appserver/EAP/jboss-eap-7.2/modules/system/layers/base))]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
    at java.lang.Class.forName0(Native Method)
    ...
    ... 29 more
- LDAPS referrals not working with an Elytron LDAP realm
Resolution
This issue has already been reported as ELY-1634. It is fixed in the upstream community project, but the fix is not yet included in the JBoss EAP product; it is expected to be included in JBoss EAP 7.2.3. Refer to the JBoss EAP 7 Maintenance Schedule for expected release dates.
Root Cause
The JNDI LDAP classes try to load the class org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory through the thread context class loader (TCCL), which at that point is the class loader of the org.wildfly.extension.io module. That lookup cannot succeed because ThreadLocalSSLSocketFactory is in the module org.wildfly.security.elytron-private, not in org.wildfly.extension.io, so the loader reports ClassNotFoundException and the LDAPS connection is never established.
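As an added triage helper, not part of the Red Hat article, the POSIX shell script below checks a server.log excerpt for the two markers that distinguish this failure from other LDAP outages (the ELY01153 realm error together with the ClassNotFoundException for ThreadLocalSSLSocketFactory raised from the org.wildfly.extension.io module) and compares the running EAP version against 7.2.3, the release the article expects to carry the fix. The sample log lines are constructed and abbreviated from the shape of the trace above; the EAP_VERSION variable, the FIX_VERSION constant and the verdict tokens are this script's own conventions, not anything from JBoss EAP.

```shell
#!/bin/sh
# Triage helper for the ELY-1634 class-loading failure (added example, not Red Hat's code).

# Constructed sample: the signature of the failure described in the article.
SAMPLE_ELY1634_LOG='ERROR [org.jboss.remoting.remote.server] (default task-2) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05012: Authentication mechanism server-side authentication failed [Caused by org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [uid=userId,ou=People,dc=example,dc=com] and absolute DN [null]]
Caused by: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.ClassNotFoundException: org.wildfly.security.auth.realm.ldap.ThreadLocalSSLSocketFactory from [Module "org.wildfly.extension.io" version 6.0.11.Final-redhat-00001 from local module loader]]'

# Constructed sample: same ELY01153 realm error, but the root cause is a network
# failure, so it must NOT be classified as ELY-1634.
SAMPLE_OTHER_LOG='ERROR [org.jboss.remoting.remote.server] (default task-3) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05012: Authentication mechanism server-side authentication failed [Caused by org.wildfly.security.auth.server.RealmUnavailableException: ELY01153: Direct LDAP verification failed with DN [uid=userId,ou=People,dc=example,dc=com] and absolute DN [null]]
Caused by: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.net.ConnectException: Connection refused]'

# Release the article expects to include the fix (assumption taken from the article).
FIX_VERSION=7.2.3

# Returns 0 (true) only when the text carries BOTH markers of the ELY-1634 failure:
# the ELY01153 realm error and the ClassNotFoundException for
# ThreadLocalSSLSocketFactory attributed to the org.wildfly.extension.io module.
is_ely1634_signature() {
  printf '%s\n' "$1" | grep -q 'ELY01153' || return 1
  printf '%s\n' "$1" | grep -q 'ClassNotFoundException: org\.wildfly\.security\.auth\.realm\.ldap\.ThreadLocalSSLSocketFactory from \[Module "org\.wildfly\.extension\.io"' || return 1
  return 0
}

# Numeric comparison of dotted versions (major.minor.micro): returns 0 when $1 < $2.
# Plain string comparison would wrongly rank 7.2.10 below 7.2.3.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$1" ]
}

# Prints "<VERDICT_TOKEN> <explanation>" for a running EAP version and a log excerpt.
triage() {
  version=$1
  log=$2
  if is_ely1634_signature "$log"; then
    if version_lt "$version" "$FIX_VERSION"; then
      echo "KNOWN_ELY1634_UNPATCHED EAP $version predates $FIX_VERSION; LDAPS via the Elytron LDAP realm fails until the fix is applied"
    else
      echo "ELY1634_ON_FIXED_VERSION EAP $version should already carry the fix; verify the patch level and escalate"
    fi
  else
    echo "NOT_ELY1634 the LDAP realm error has a different root cause (network, TLS trust, credentials); inspect the innermost Caused by"
  fi
}

# Usage: sh triage.sh [path/to/server.log]  (EAP_VERSION env var overrides the version;
# with no path the constructed samples are classified).
if [ -n "$1" ]; then
  triage "${EAP_VERSION:-7.2.0}" "$(cat "$1")"
else
  triage 7.2.0 "$SAMPLE_ELY1634_LOG"
  triage 7.2.0 "$SAMPLE_OTHER_LOG"
fi
```

Requiring both markers matters: ELY01153 on its own is emitted for any direct LDAP verification failure, so matching on it alone would misattribute ordinary connectivity or credential problems to this bug.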
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.