3:45 p.m.
[
https://issues.jboss.org/browse/WFCORE-3458?page=com.atlassian.jira.plugi...
]
Ilia Vassilev edited comment on WFCORE-3458 at 12/21/17 4:44 PM:
-----------------------------------------------------------------
In Elytron subsystem, remove the requirement: "if location is not set in CLI, default
credential-store name is used as location"
When location is not set for most common filebased keystore types (JKS, JCEKS and PKCS12),
Elytron will throw exception.
was (Author: ivassile):
In Elytron subsystem, remove the requirement: "if location is not set in CLI, default
credential-store name is used as location"
When location is not set for most common filebased keystore types (JKS,
JCEKS and PKCS12), Elytron will throw exception.
External CS, PKCS11 can't be configured with externalPath
----------------------------------------------------------
Key: WFCORE-3458
URL: https://issues.jboss.org/browse/WFCORE-3458
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 4.0.0.Alpha4
Reporter: Ilia Vassilev
Assignee: Ilia Vassilev
Priority: Critical
To specify external secret file location externalPath is intended. However in case of
PKCS11 it can't be achieved.
{code}
10:53:03,403 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001:
Failed to start service org.wildfly.security.credential-store.fips-credential-store:
org.jboss.msc.service.StartException in service
org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start
the service.
at
org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514:
Unable to initialize credential store
at
org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:954)
at
org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:828)
at
org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:214)
at
org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
at
org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
... 5 more
Caused by: java.nio.file.NoSuchFileException:
/home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
at java.nio.file.Files.newByteChannel(Files.java:361)
at java.nio.file.Files.newByteChannel(Files.java:407)
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
at java.nio.file.Files.newInputStream(Files.java:152)
at
org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:943)
... 9 more
10:53:03,409 ERROR [org.jboss.as.controller.management-operation]
(management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address:
([
("subsystem" => "elytron"),
("credential-store" => "fips-credential-store")
]) - failure description: {"WFLYCTL0080: Failed services" =>
{"org.wildfly.security.credential-store.fips-credential-store" =>
"WFLYELY00004: Unable to start the service.
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514:
Unable to initialize credential store
Caused by: java.nio.file.NoSuchFileException:
/home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store"}}
{code}
Problem seems to be in method
{code:java|title=KeyStoreCredentialStore.java}
private void setupExternalStorage(final String keyContainingKeyStoreType, final Path
keyContainingKeyStoreLocation) throws CredentialStoreException {
KeyStore keyContainingKeyStore = getKeyStoreInstance(keyContainingKeyStoreType);
keyStore = getKeyStoreInstance("JCEKS");
externalStorage = new ExternalStorage();
try {
final char[] storePassword = getStorePassword(protectionParameter);
if (keyContainingKeyStoreLocation != null) {
try (InputStream is =
Files.newInputStream(keyContainingKeyStoreLocation)) {
keyContainingKeyStore.load(is, storePassword);
}
} else {
// keystore without file (e.g. PKCS11)
synchronized (EmptyProvider.getInstance()) {
keyContainingKeyStore.load(null, storePassword);
}
}
externalStorage.init(cryptographicAlgorithm, encryptionKeyAlias,
keyContainingKeyStore, storePassword, keyStore);
} catch(IOException | GeneralSecurityException e) {
throw log.cannotInitializeCredentialStore(e);
}
}
{code}
Although location is not specified in CLI command keyContainingKeyStoreLocation is not
null. Because once location is not specified it becomes name of CS, in this case
fips-credential-store (This default is in elytron subsystem).
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
2581
days inactive
2581
days old
0 comments
1 participants
participants (1)
-
Ilia Vassilev (JIRA)