[jboss-jira] [JBoss JIRA] (WFLY-6495) Wildfly SSL Setup Fails on HSM-Backed Keystore

Darran Lofthouse (JIRA) issues at jboss.org
Tue Apr 5 13:55:00 EDT 2016 

     [ https://issues.jboss.org/browse/WFLY-6495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse reassigned WFLY-6495:
--------------------------------------

    Assignee: Darran Lofthouse  (was: Brian Stansberry)


> Wildfly SSL Setup Fails on HSM-Backed Keystore
> ----------------------------------------------
>
>                 Key: WFLY-6495
>                 URL: https://issues.jboss.org/browse/WFLY-6495
>             Project: WildFly
>          Issue Type: Bug
>          Components: Domain Management
>    Affects Versions: 8.2.1.Final, 9.0.2.Final, 10.1.0.Final
>         Environment: Any host environment with an HSM for key management
>            Reporter: Gregory Ramsperger
>            Assignee: Darran Lofthouse
>
> Using a keystore type that does not allow or returns empty from getEncoded() on private keys causes a KeyStoreException at startup. This is common in HSM-backed key operations. 
> Storing SSL keys and certs in an HSM is a common method of securing keys and offloading SSL overhead.
> FileKeyStore.java copies a KeyStore.Entry value into a JKS KeyStore but JKS and PKCS12 KeyStore implementations maintain a copy of the encoded PKCS#8 data for private keys. When applying a KeyStore.Entry from a source that does not return the data for security reasons, the import fails.
> While it's still not guaranteed to work with all KeyStore providers, switching {{KeyStore.getInstance("JKS")}} to {{KeyStore.getInstance(provider)}} fixes the issue for SafeNet "Luna" and SunPKCS11 "PKCS11" KeyStore implementations while not breaking the "PKCS12" and "JKS" cases.
> See [https://github.com/wildfly/wildfly-core/blob/master/domain-management/src/main/java/org/jboss/as/domain/management/security/FileKeystore.java#L126]
> Log output:
> {noformat}
> 2016-04-04 18:53:51,100 i-4b6f79d1 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.server.controller.management.security_realm.test.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.test.key-manager: JBAS015229: Unable to start service
> 	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:148)
> 	at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_60]
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_60]
> 	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_60]
> Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
> 	at sun.security.provider.KeyProtector.protect(KeyProtector.java:174) [rt.jar:1.8.0_60]
> 	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267) [rt.jar:1.8.0_60]
> 	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56) [rt.jar:1.8.0_60]
> 	at java.security.KeyStoreSpi.engineSetEntry(KeyStoreSpi.java:537) [rt.jar:1.8.0_60]
> 	at sun.security.provider.KeyStoreDelegator.engineSetEntry(KeyStoreDelegator.java:179) [rt.jar:1.8.0_60]
> 	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetEntry(JavaKeyStore.java:70) [rt.jar:1.8.0_60]
> 	at java.security.KeyStore.setEntry(KeyStore.java:1557) [rt.jar:1.8.0_60]
> 	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:136)
> 	... 6 more
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list