WildFly Security Concepts
Revision as of 05:32, 7 March 2016
Internal
Relevance
- EAP 6.4 August 2015
Security Realms
The Security Subsystem
Relationship between a Security Realm and a Security Domain
TODO: apparently the "other" security domain delegates to ApplicationRealm. Verify and document.
Subordinated Host Controller Identity
Subordinated host controllers must authenticate against the domain controller's Management Realm in order to interact with it. The host controller identity is associated with a Management Realm user on the domain controller whose name is identical to the host controller's host name (the <host name="..."> element in the host controller's host.xml).
From the domain controller's perspective, the host controller identity is established by adding a regular Management Realm user. This is done with the add-user.sh utility, as described here:
Server Identity Secret
A Management Realm user authenticates with a regular password, so the host controllers also have to use the same mechanism, a password, to authenticate. On the host controller this password is known as the server identity secret, and it is specified in its host.xml:
<host name="..." ...>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                ...
                <server-identities>
                    <secret value="bjFfMTIz"/>
                </server-identities>
            </security-realm>
            ...
        </security-realms>
    </management>
    ...
</host>
The secret maintained in the <server-identities> section of host.xml is the Base64-encoded value of the domain controller Management Realm user's password (Base64 is an encoding, not a hash, so the password can be recovered from host.xml and the file must be protected accordingly). Given the password value, the secret value can be calculated as follows:
echo -n "myPassword" | openssl enc -base64
Alternatively, the secret's value is displayed while the user is being added to the Management Realm on the domain controller. The value displayed by add-user.sh is identical to the one calculated with openssl; they can be used interchangeably.
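The following shell script is an added example, not part of the WildFly documentation: it computes the secret the same way as the openssl command above, shows that the value decodes back to the password, and checks whether the <secret value="..."/> found in a host.xml matches the password of the expected Management Realm user, which is the first thing to verify when a host controller fails to register. The host.xml fragment is constructed here from the value on this page; the function names are hypothetical.

```shell
#!/bin/sh
# Base64-encode a password exactly as "openssl enc -base64" on this page does.
# -A keeps long passwords on one line (openssl otherwise wraps at 64 chars).
compute_secret() {
    printf '%s' "$1" | openssl enc -base64 -A
}

# Recover the password from a secret value: this works because the secret
# is plain Base64, not a hash, which is why host.xml needs file protection.
decode_secret() {
    printf '%s' "$1" | openssl enc -base64 -d -A
}

# Pull the first <secret value="..."/> attribute out of a host.xml file.
extract_secret() {
    sed -n 's/.*<secret value="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Compare the secret in host.xml ($1) against the expected Management Realm
# password ($2). Returns 0 on match, 1 on mismatch, 2 if no secret is present.
check_host_secret() {
    secret=$(extract_secret "$1")
    [ -n "$secret" ] || { echo "no <secret> found in $1" >&2; return 2; }
    expected=$(compute_secret "$2")
    if [ "$secret" = "$expected" ]; then
        echo "secret in $1 matches the expected password"
        return 0
    fi
    echo "MISMATCH: secret in $1 does not encode the expected password" >&2
    return 1
}

# Constructed sample host.xml using the secret value shown on this page.
SAMPLE_HOST_XML=$(mktemp)
trap 'rm -f "$SAMPLE_HOST_XML"' EXIT
cat > "$SAMPLE_HOST_XML" <<'EOF'
<host name="host1">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities>
          <secret value="bjFfMTIz"/>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
</host>
EOF

check_host_secret "$SAMPLE_HOST_XML" "n1_123"
```

Run it against a real host controller's host.xml by passing its path and the user's password to check_host_secret; a mismatch means the host.xml secret was generated for a different password than the one stored in the domain controller's Management Realm.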