[jboss-jira] [JBoss JIRA] (WFCORE-1466) Wildfly SSL Setup Fails on HSM-Backed Keystore
[
https://issues.jboss.org/browse/WFCORE-1466?page=com.atlassian.jira.plugi...
]
Gregory Ramsperger commented on WFCORE-1466:
--------------------------------------------
There is a server-wide config file for Luna connections, but the actual KeyStore loaded is
a file containing either "tokenlabel:partition_name" or "slot:1"
In our configuration, the KeyStore file is created as:
{code}
echo -n tokenlabel:ssl > hsm-ssl.lunaKeystore
{code}
And the normal KeyStore loading from FIleInputStream works with the partition/slot
password.
The system-wide config is just pointing at the HSM host, supplying a client cert, etc.
The partition has multiple keys in it, so aliases are necessary.
Wildfly SSL Setup Fails on HSM-Backed Keystore
----------------------------------------------
Key: WFCORE-1466
URL: https://issues.jboss.org/browse/WFCORE-1466
Project: WildFly Core
Issue Type: Bug
Components: Domain Management, Security
Environment: Any host environment with an HSM for key management
Reporter: Gregory Ramsperger
Assignee: Darran Lofthouse
Using a keystore type that does not allow or returns empty from getEncoded() on private
keys causes a KeyStoreException at startup. This is common in HSM-backed key operations.
Storing SSL keys and certs in an HSM is a common method of securing keys and offloading
SSL overhead.
FileKeyStore.java copies a KeyStore.Entry value into a JKS KeyStore but JKS and PKCS12
KeyStore implementations maintain a copy of the encoded PKCS#8 data for private keys. When
applying a KeyStore.Entry from a source that does not return the data for security
reasons, the import fails.
While it's still not guaranteed to work with all KeyStore providers, switching
{{KeyStore.getInstance("JKS")}} to {{KeyStore.getInstance(provider)}} fixes the
issue for SafeNet "Luna" and SunPKCS11 "PKCS11" KeyStore
implementations while not breaking the "PKCS12" and "JKS" cases.
See
[https://github.com/wildfly/wildfly-core/blob/master/domain-management/src...]
Log output:
{noformat}
2016-04-04 18:53:51,100 i-4b6f79d1 ERROR [org.jboss.msc.service.fail] (MSC service thread
1-3) MSC000001: Failed to start service
jboss.server.controller.management.security_realm.test.key-manager:
org.jboss.msc.service.StartException in service
jboss.server.controller.management.security_realm.test.key-manager: JBAS015229: Unable to
start service
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:148)
at
org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
[jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_60]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_60]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_60]
Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
at sun.security.provider.KeyProtector.protect(KeyProtector.java:174) [rt.jar:1.8.0_60]
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267)
[rt.jar:1.8.0_60]
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
[rt.jar:1.8.0_60]
at java.security.KeyStoreSpi.engineSetEntry(KeyStoreSpi.java:537) [rt.jar:1.8.0_60]
at sun.security.provider.KeyStoreDelegator.engineSetEntry(KeyStoreDelegator.java:179)
[rt.jar:1.8.0_60]
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetEntry(JavaKeyStore.java:70)
[rt.jar:1.8.0_60]
at java.security.KeyStore.setEntry(KeyStore.java:1557) [rt.jar:1.8.0_60]
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:136)
... 6 more
{noformat}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)