[jboss-jira] [JBoss JIRA] (WFLY-6495) Wildfly SSL Setup Fails on HSM-Backed Keystore

Gregory Ramsperger (JIRA) issues at jboss.org
Tue Apr 5 12:17:00 EDT 2016


Gregory Ramsperger created WFLY-6495:
----------------------------------------

             Summary: Wildfly SSL Setup Fails on HSM-Backed Keystore
                 Key: WFLY-6495
                 URL: https://issues.jboss.org/browse/WFLY-6495
             Project: WildFly
          Issue Type: Bug
          Components: Domain Management
    Affects Versions: 9.0.2.Final, 8.2.1.Final, 10.1.0.Final
         Environment: Any host environment with an HSM for key management
            Reporter: Gregory Ramsperger
            Assignee: Brian Stansberry


Using a keystore type that does not allow getEncoded() on private keys, or returns empty from it, causes a KeyStoreException at startup. This is common in HSM-backed key operations.

Storing SSL keys and certs in an HSM is a common method of securing keys and offloading SSL overhead.

FileKeystore.java copies a KeyStore.Entry value into a JKS KeyStore, but the JKS and PKCS12 KeyStore implementations maintain a copy of the encoded PKCS#8 data for private keys. When applying a KeyStore.Entry from a source that does not return the data for security reasons, the import fails.

While it's still not guaranteed to work with all KeyStore providers, switching {{KeyStore.getInstance("JKS")}} to {{KeyStore.getInstance(provider)}} fixes the issue for SafeNet "Luna" and SunPKCS11 "PKCS11" KeyStore implementations while not breaking the "PKCS12" and "JKS" cases.

See [https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java#L126]
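As an added illustration (not code from this ticket or from WildFly), the following stand-alone Java program reproduces the failure offline: a private key whose getEncoded() returns null stands in for an HSM handle, and copying it into a JKS keystore the way FileKeystore does makes the JKS provider throw the same KeyStoreException seen in the log below. The class names, the alias and the password are made up; the fix path (a target keystore of the source provider's own type) needs the HSM's provider and is not reproducible offline.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;

public class OpaqueKeyCopy {
    // Stand-in for an HSM-held key: the handle exists, but no PKCS#8 bytes leave the device.
    static final class OpaquePrivateKey implements PrivateKey {
        public String getAlgorithm() { return "RSA"; }
        public String getFormat()    { return null; }  // a software key would report "PKCS#8"
        public byte[] getEncoded()   { return null; }  // no exportable key material
    }
    // Placeholder certificate so a PrivateKeyEntry can be built without real PKI material.
    static final class StubCertificate extends Certificate {
        StubCertificate() { super("X.509"); }
        public byte[] getEncoded() { return new byte[0]; }
        public void verify(PublicKey key) { }
        public void verify(PublicKey key, String provider) { }
        public String toString() { return "stub certificate"; }
        public PublicKey getPublicKey() { return null; }
    }
    // Pre-flight check: can a software keystore (JKS, PKCS12) serialise this key at all?
    static boolean isExportable(PrivateKey key) {
        return "PKCS#8".equals(key.getFormat()) && key.getEncoded() != null;
    }
    // Mirrors what FileKeystore does: re-home an entry into a new keystore of the given type.
    static KeyStore copyInto(String targetType, KeyStore.Entry entry, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore target = KeyStore.getInstance(targetType);
        target.load(null, null);
        target.setEntry("hsm-key", entry, new KeyStore.PasswordProtection(password));
        return target;
    }

    public static void main(String[] args) throws Exception {
        PrivateKey key = new OpaquePrivateKey();
        KeyStore.Entry entry = new KeyStore.PrivateKeyEntry(key, new Certificate[] { new StubCertificate() });
        System.out.println("exportable to a software keystore: " + isExportable(key));
        try {
            copyInto("JKS", entry, "changeit".toCharArray());
        } catch (KeyStoreException e) {
            // Same failure as the ticket's stack trace: JKS insists on PKCS#8 bytes.
            System.out.println("copy into JKS failed: " + e.getMessage());
        }
    }
}
```

Running isExportable() against each key entry of the configured keystore before the copy is a cheap way to tell, at startup, whether the provider-specific target type is needed.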

Log output:
{noformat}
2016-04-04 18:53:51,100 i-4b6f79d1 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.server.controller.management.security_realm.test.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.test.key-manager: JBAS015229: Unable to start service
	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:148)
	at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_60]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_60]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_60]
Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
	at sun.security.provider.KeyProtector.protect(KeyProtector.java:174) [rt.jar:1.8.0_60]
	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267) [rt.jar:1.8.0_60]
	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56) [rt.jar:1.8.0_60]
	at java.security.KeyStoreSpi.engineSetEntry(KeyStoreSpi.java:537) [rt.jar:1.8.0_60]
	at sun.security.provider.KeyStoreDelegator.engineSetEntry(KeyStoreDelegator.java:179) [rt.jar:1.8.0_60]
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetEntry(JavaKeyStore.java:70) [rt.jar:1.8.0_60]
	at java.security.KeyStore.setEntry(KeyStore.java:1557) [rt.jar:1.8.0_60]
	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:136)
	... 6 more
{noformat}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)