[keycloak-user] Issue in Migrating standalone.xml with Vault Configuration on Linux

Deepti Tyagi Deepti.Tyagi at halliburton.com
Tue Dec 18 06:24:25 EST 2018


Hi Team,

I am trying to migrate standalone.xml (from v3.0 to v4.6), which has vault configuration enabled, using the command (./jboss-cli.sh --file=migrate-standalone.cli) on Linux.
But it always throws the exception shown below, though the same works fine on Windows.

Is it a known issue? Any workaround?

04:36:53,835 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("security-realm" => "MySSLRealm")
]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0227: Security exception accessing the vault
        at org.jboss.as.server.services.security.VaultReaderImpl.retrieveFromVault(RuntimeVaultReader.java:190)
        at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:115)
        at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:65)
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:341)
        at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:246)
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:143)
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
        at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:873)
        at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1278)
        at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:603)
        at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:667)
        at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:626)
        at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:600)
        at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addKeyManagerService(SecurityRealmAddHandler.java:688)
        at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addSSLServices(SecurityRealmAddHandler.java:611)
        at org.jboss.as.domain.management.security.SecurityRealmAddHandler.installServices(SecurityRealmAddHandler.java:237)
        at org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler.execute(SecurityRealmAddHandler.java:917)
        at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
        at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
        at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
        at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1411)
        at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:521)
        at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:470)
        at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:432)
        at org.jboss.as.server.ServerService.boot(ServerService.java:427)
        at org.jboss.as.server.ServerService.boot(ServerService.java:386)
        at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.security.vault.SecurityVaultException: javax.crypto.BadPaddingException: Given final block not properly padded
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
        at org.jboss.as.server.services.security.VaultReaderImpl.getValue(RuntimeVaultReader.java:223)
        at org.jboss.as.server.services.security.VaultReaderImpl.retrieveFromVault(RuntimeVaultReader.java:176)
        ... 28 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:975)
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:833)
        at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
        at javax.crypto.Cipher.doFinal(Cipher.java:2165)
        at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)
        ... 30 more

04:36:53,855 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
04:36:53,865 INFO  [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 4.6.0.Final (WildFly Core 6.0.2.Final) stopped in 15ms
Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: JBTHR00005: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

Below is the sample vault configuration in standalone.xml (Keycloak v3.0.0):
<system-properties>
    <property name="javax.net.ssl.trustStore" value="/d0/certs/cert.keystore"/>
</system-properties>
<vault>
    <vault-option name="KEYSTORE_URL" value="/d0/certs/cert.jceks"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-0Thq/RjbpgdvR0aONX4KnP"/>
    <vault-option name="KEYSTORE_ALIAS" value="cert"/>
    <vault-option name="SALT" value="asdf3421"/>
    <vault-option name="ITERATION_COUNT" value="44"/>
    <vault-option name="ENC_FILE_DIR" value="/d0/certs"/>
</vault>

<management>
    <security-realms>
        <security-realm name="MySSLRealm">
            <server-identities>
                <ssl>
                    <keystore alias="cert" keystore-password="${VAULT::DS::cert::1}" path="/d0/certs/cert.keystore"/>
                </ssl>
            </server-identities>
        </security-realm>
...
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <https-listener max-post-size="1048576000" name="default" security-realm="MySSLRealm" socket-binding="https"/>
...

Thanks,
Deepti
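Added illustration, not part of the original thread and not Keycloak or PicketBox code: the innermost frames of the trace above are javax.crypto.Cipher.doFinal raising BadPaddingException from inside PicketBoxSecurityVault.retrieve, i.e. the failure is in decrypting the stored vault value with the AES key held under KEYSTORE_ALIAS, which suggests the masked KEYSTORE_PASSWORD (unmasked with SALT and ITERATION_COUNT) was accepted and the keystore itself opened. A PKCS5-padded AES decrypt reports "given final block not properly padded" whenever the key does not match the ciphertext, and it cannot distinguish "wrong key" from "altered ciphertext", while a changed file length surfaces as a different error (IllegalBlockSizeException). The Go program below reproduces those three outcomes on constructed data so the error can be read as a diagnostic. Assumptions: the vault transformation is modelled as Java's default "AES" (AES/ECB/PKCS5Padding); the key is derived from a passphrase only for reproducibility, a real vault key is random; all names, keys and the secret are made up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The two failure classes a PKCS5/PKCS7-padded AES decrypt can report.
// ErrBadPadding corresponds to javax.crypto.BadPaddingException in the trace;
// ErrIllegalBlockSize corresponds to javax.crypto.IllegalBlockSizeException.
var (
	ErrBadPadding       = errors.New("bad padding: given final block not properly padded")
	ErrIllegalBlockSize = errors.New("illegal block size: ciphertext length is not a multiple of 16")
)

// pkcs7Pad appends 1..blockSize bytes, each equal to the pad length.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding; any inconsistency is ErrBadPadding.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// deriveKey stands in for "the AES key stored under KEYSTORE_ALIAS in the JCEKS
// keystore". Assumption for reproducibility only: a real vault key is random.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:16] // AES-128
}

// EncryptECB mirrors Java's Cipher.getInstance("AES"), whose default
// transformation is AES/ECB/PKCS5Padding (assumed to match the vault's).
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// DecryptECB returns ErrIllegalBlockSize for a length change and ErrBadPadding
// for a key mismatch or altered ciphertext; it cannot tell the latter two apart.
func DecryptECB(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, ErrIllegalBlockSize
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(out, aes.BlockSize)
}

// Diagnose classifies a decrypt attempt the way a server log would surface it.
func Diagnose(key, ciphertext []byte) string {
	_, err := DecryptECB(key, ciphertext)
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, ErrIllegalBlockSize):
		return "length changed: encrypted file truncated or rewritten"
	case errors.Is(err, ErrBadPadding):
		return "bad padding: wrong key (other keystore/alias) or altered ciphertext"
	default:
		return "cipher setup failed: " + err.Error()
	}
}

func main() {
	secret := []byte("constructed-datasource-password")  // stands in for VAULT::DS::cert::1
	good := deriveKey("vault-key-on-the-windows-host")     // constructed
	other := deriveKey("vault-key-from-a-different-vault") // constructed

	ct, _ := EncryptECB(good, secret)
	fmt.Println("same key:           ", Diagnose(good, ct))
	fmt.Println("different key:      ", Diagnose(other, ct))

	tampered := append([]byte{}, ct...)
	tampered[len(tampered)-1] ^= 0x01 // one bit flipped in the last block
	fmt.Println("tampered last block:", Diagnose(good, tampered))
	fmt.Println("truncated by a byte:", Diagnose(good, ct[:len(ct)-1]))
}
```

Because a wrong key and a modified ciphertext are indistinguishable at the padding check, the first thing to verify is that the .jceks file and the encrypted data file under ENC_FILE_DIR on the Linux host are byte-for-byte the copies that work on Windows (compare checksums after transfer), and that KEYSTORE_ALIAS names the same key entry in both; only once those match does the migration CLI itself become the suspect.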
