Issue Identified:
Custom Users/Roles not created in RHPAM 7.12.1/EAP 7.4.1.
Sample of invalid user.xml:
<?xml version="1.0" ?>
<identity xmlns="urn:elytron:1.0">
    <attributes>
        <name="roles" value="kie-server"></attribute>
        <attribute name="roles" value="rest-all"></attribute>
        <attribute name="roles" value="admin"></attribute>
        <attribute name="roles" value="kiemgmt"></attribute>
        <attribute name="roles" value="Administrators"></attribute>
        <attribute name="roles" value="user"></attribute>
    </attributes>
</identity>
Error in logs:
23:35:20,692 ERROR [org.jboss.as.controller.management-operation] (CLI command executor) WFLYCTL0013: Operation ("set-password") failed - address: ( ("subsystem" => "elytron"), ("filesystem-realm" => "ApplicationRealm") ) - failure description: "WFLYCTL0216: Management resource '[
(\"subsystem\" => \"elytron\"),
(\"filesystem-realm\" => \"ApplicationRealm\")
]' not found"
The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error):
WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
Step: step-11
Operation: /subsystem=elytron/filesystem-realm=ApplicationRealm:set-password(identity=pamAdmin, clear={password='testAdmin'})
Failure: WFLYCTL0216: Management resource ' ("subsystem" => "elytron"), ("filesystem-realm" => "ApplicationRealm") ' not found
Warning in logs:
23:36:18,734 WARN [org.jboss.modules.define] (ServerService Thread Pool -- 86) Failed to define class org.jboss.resteasy.microprofile.config.ServletConfigSourceImpl in Module "org.jboss.resteasy.resteasy-jaxrs" version 3.15.1.Final-redhat-00001 from local module loader @21edd891 (finder: local module finder @de579ff (roots: /opt/eap/modules,/opt/eap/modules/system/layers/openshift,/opt/eap/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.4.1.CP,/opt/eap/modules/system/layers/base,/opt/eap/modules/system/add-ons/keycloak)): java.lang.NoClassDefFoundError: Failed to link org/jboss/resteasy/microprofile/config/ServletConfigSourceImpl (Module "org.jboss.resteasy.resteasy-jaxrs" version 3.15.1.Final-redhat-00001 from local module loader @21edd891 (finder: local module finder @de579ff (roots: /opt/eap/modules,/opt/eap/modules/system/layers/openshift,/opt/eap/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.4.1.CP,/opt/eap/modules/system/layers/base,/opt/eap/modules/system/add-ons/keycloak))): org/eclipse/microprofile/config/spi/ConfigSource at java.base/java.lang.ClassLoader.defineClass1(Native Method)
Other errors if an invalid user/roles properties file is provided:
sh-4.4$ /opt/eap/bin/elytron-tool.sh filesystem-realm --users-file /home/jboss/custom/application-users.properties --roles-file /home/jboss/custom/application-roles.properties --output-location /opt/eap/standalone/configuration/kie-fs-realm-users --filesystem-realm-name kie-fs-realmusers --debug
WARNING: No roles were found for user
WARNING: Roles were found for user , but user was not defined.
WARNING: No roles were found for user
Exception encountered executing the command:
java.lang.IndexOutOfBoundsException
    at java.base/java.lang.Character.offsetByCodePoints(Character.java:8699)
WARNING: No password was found for user
WARNING: No roles were found for user
WARNING: No roles were found for user
Exception encountered executing the command:
java.lang.IndexOutOfBoundsException
Solution
The following steps will help resolve the above issues:
- Patch RHPAM 7.12.1 with EAP 7.4.4
STEP 1/5: FROM registry.redhat.io/rhpam-7/rhpam-kieserver-rhel8:7.12.1-3
STEP 2/5: COPY jboss-eap-7.4.4-patch.zip /tmp/jboss-eap-7.4.4-patch.zip
--> Using cache f9926b6ad308871c77bf3f1e650104f1c64f249b487613e4181d8e1e9ca9cd07
--> f9926b6ad30
STEP 3/5: USER root
--> Using cache 15639841591027c9db7a4056ea69b51252d72dac6a2704528533d5b0ce03496f
--> 15639841591
STEP 4/5: RUN $JBOSS_HOME/bin/jboss-cli.sh --command="patch apply /tmp/jboss-eap-7.4.4-patch.zip --override-modules" ; rm /tmp/jboss-eap-7.4.4-patch.zip
{
    "outcome" : "success",
    "result" : {}
}
STEP 5/5: USER 185
COMMIT image-registry.openshift-image-registry.svc:5000/op2/rhpam-kieserver-rhel8-custom:7.12.1-test
--> 85398f6feb7
Successfully tagged image-registry.openshift-image-registry.svc:5000/op2/rhpam-kieserver-rhel8-custom:7.12.1-test
85398f6feb78e1485f53a2ee154d20d33b2b7457a13325cfc9a928c7a7592ce3
- Validate EAP version
[jboss@4c610ade4e51 eap]$ ls
JBossEULA.txt LICENSE.txt appclient bin docs domain jboss-modules.jar jolokia.jar migration modules standalone version.txt welcome-content
[jboss@4c610ade4e51 eap]$ more version.txt
Red Hat JBoss Enterprise Application Platform - Version 7.4.4.GA
- Update the custom application-users.properties and application-roles.properties files to include the realm name:
Sample application-users.properties:


- Command to update custom users/roles file through elytron-tool.sh
echo "START - enable-users"
/opt/eap/bin/elytron-tool.sh filesystem-realm \
    --users-file /home/jboss/custom/application-users.properties \
    --roles-file /home/jboss/custom/application-roles.properties \
    --output-location /opt/kie/data/kie-fs-realm-users
# Rename the "roles" attribute to "role" in every generated identity file.
# The glob is quoted so the shell passes it to find unexpanded.
find /opt/kie/data/kie-fs-realm-users -name '*.xml' -exec sed -i 's/<attribute name="roles"/<attribute name="role"/g' {} \;
echo "END - enable-users"
- Expected user.xml generated in output-location (/opt/kie/data/kie-fs-realm-users):
<?xml version="1.0" ?>
<identity xmlns="urn:elytron:1.0">
    <credentials>
        <password algorithm="digest-md5" format="base64">Ag9pbnRlZ3JhdGlvblVzZXIQQXBwbGljYXRpb25SZWFsbSjAetOv+11Kg3GFrzK+r98</password>
    </credentials>
    <attributes>
        <attribute name="role" value="kie-server"></attribute>
        <attribute name="role" value="rest-all"></attribute>
        <attribute name="role" value="admin"></attribute>
        <attribute name="role" value="kiemgmt"></attribute>
        <attribute name="role" value="Administrators"></attribute>
        <attribute name="role" value="user"></attribute>
    </attributes>
</identity>
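A post-generation check for the identity files, added here as an example (it is not part of the original write-up or of any Red Hat tooling). It flags the three differences between the invalid and the expected user.xml shown on this page: malformed XML, a missing password credential, and role attributes named "roles" instead of "role". The function names, the `PLACEHOLDER` password value and both sample strings are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{urn:elytron:1.0}"  # assumption: namespace of the identity files shown on this page

def check_identity(xml_text):
    """Return a list of problems found in one filesystem-realm identity file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.find(f"{NS}credentials/{NS}password") is None:
        problems.append("no <password> credential")
    names = [a.get("name") for a in root.iter(NS + "attribute")]
    if "roles" in names:
        problems.append('attribute name "roles" found, expected "role"')
    if "role" not in names:
        problems.append('no "role" attribute, identity has no roles')
    return problems

def check_realm_dir(realm_dir):
    """Map each identity file under realm_dir to its problems (bad files only)."""
    report = {}
    for path in sorted(Path(realm_dir).rglob("*.xml")):
        problems = check_identity(path.read_text(encoding="utf-8"))
        if problems:
            report[str(path)] = problems
    return report

# Constructed samples modelled on the two user.xml listings on this page.
BROKEN = ('<?xml version="1.0" ?><identity xmlns="urn:elytron:1.0"><attributes>'
          '<attribute name="roles" value="kie-server"></attribute>'
          '</attributes></identity>')
EXPECTED = ('<?xml version="1.0" ?><identity xmlns="urn:elytron:1.0"><credentials>'
            '<password algorithm="digest-md5" format="base64">PLACEHOLDER</password>'
            '</credentials><attributes>'
            '<attribute name="role" value="kie-server"></attribute>'
            '</attributes></identity>')

if __name__ == "__main__":
    # argv[1]: the --output-location directory; without it, check the samples.
    report = (check_realm_dir(sys.argv[1]) if len(sys.argv) > 1
              else {"BROKEN": check_identity(BROKEN), "EXPECTED": check_identity(EXPECTED)})
    for name, problems in report.items():
        print(name, *(problems or ["ok"]), sep="\n  ")
    sys.exit(1 if len(sys.argv) > 1 and report else 0)
```

Run against the output directory after elytron-tool.sh and the sed step, a non-zero exit status means at least one identity file would leave a user unable to authenticate or without roles.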
Root Cause
RHPAM 7.12.1 paired with EAP 7.4.1 does not create a valid XML file for kie-fs-realm users/roles. Reference: Red Hat support case https://access.redhat.com/support/cases/#/case/03197932