[
https://issues.jboss.org/browse/ISPN-5059?page=com.atlassian.jira.plugin....
]
Bela Ban commented on ISPN-5059:
--------------------------------
If Infinispan replaces the value of {{store_password}} with the correct contents, then
we're fine. However, if it passes that variable unchanged to JGroups, we get an
incorrect value. I'm not aware of Infinispan doing variable substitution for JGroups
XML files (perhaps JDG does that?)...
Tristan?
JGroups subsystem doesn't support Vault
---------------------------------------
Key: ISPN-5059
URL: https://issues.jboss.org/browse/ISPN-5059
Project: Infinispan
Issue Type: Bug
Components: Security, Server
Reporter: Vojtech Juranek
JGroups subsystem doesn't support passwords encrypted in Vault. E.g. when running
[EncryptProtocolIT|https://github.com/infinispan/infinispan/blob/master/se...]
with the following configuration:
{noformat}
<protocol type="ENCRYPT">
    <property name="key_store_name">${jboss.server.config.dir}/server_jceks.keystore</property>
    <property name="store_password">${VAULT::keystore::password::1}</property>
    <property name="alias">memcached</property>
</protocol>
{noformat}
i.e. it uses a Vault-encrypted password for the keystore, it fails with:
{noformat}
groups.channel.clustered: java.lang.Exception: Unable to load keystore infinispan/server/integration/testsuite/target/server/node2/standalone/configuration/server_jceks.keystore: java.io.IOException: Keystore was tampered with, or password was incorrect
    at org.jboss.as.clustering.jgroups.subsystem.ChannelService.start(ChannelService.java:74)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_55]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_55]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]
Caused by: java.lang.Exception: Unable to load keystore infinispan/server/integration/testsuite/target/server/node2/standalone/configuration/server_jceks.keystore: java.io.IOException: Keystore was tampered with, or password was incorrect
    at org.jgroups.protocols.ENCRYPT.initConfiguredKey(ENCRYPT.java:309)
    at org.jgroups.protocols.ENCRYPT.init(ENCRYPT.java:250)
    at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:860)
    at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:481)
    at org.jgroups.JChannel.init(JChannel.java:848)
    at org.jgroups.JChannel.<init>(JChannel.java:159)
    at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:87)
    at org.jboss.as.clustering.jgroups.subsystem.ChannelService.start(ChannelService.java:69)
{noformat}
Vault record for {{keystore::password}} exists:
{noformat}
Task: Verify whether a secured attribute exists
Enter Vault Block:keystore
Enter Attribute Name:password
A value exists for (keystore, password)
{noformat}
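The failure mode discussed in this issue, reproduced in isolation as an added example (not code from Infinispan, JGroups or the reporter). It assumes the `${VAULT::keystore::password::1}` expression reaches the keystore loader as a literal string; the class name, the `isUnresolved` guard and the password value are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;

public class VaultPlaceholderDemo {
    // Constructed stand-in for the secret the Vault would return.
    static final String REAL_PASSWORD = "constructed-secret";
    // The expression exactly as written in the ENCRYPT configuration above.
    static final String PLACEHOLDER = "${VAULT::keystore::password::1}";

    // Build an in-memory JCEKS keystore holding one AES key under alias "memcached".
    static byte[] buildKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        ks.setEntry("memcached", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(REAL_PASSWORD.toCharArray()));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, REAL_PASSWORD.toCharArray());
        return out.toByteArray();
    }

    // Hypothetical fail-fast guard: a value still shaped like ${...} was never substituted.
    static boolean isUnresolved(String value) {
        return value.startsWith("${") && value.endsWith("}");
    }

    static String tryLoad(byte[] bytes, String storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try {
            ks.load(new ByteArrayInputStream(bytes), storePassword.toCharArray());
            return "loaded, alias memcached present: " + ks.containsAlias("memcached");
        } catch (IOException e) {
            // The integrity check is keyed on the password, so a wrong password
            // and a modified file are reported with the same message.
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ks = buildKeystore();
        System.out.println("unresolved? " + isUnresolved(PLACEHOLDER));
        System.out.println("placeholder passed through -> " + tryLoad(ks, PLACEHOLDER));
        System.out.println("resolved value             -> " + tryLoad(ks, REAL_PASSWORD));
    }
}
```

Because the loader cannot tell a wrong password from a modified file, a check like `isUnresolved` before the load gives a clearer error than the "tampered with" message.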