Bug 1045113

Summary: RTGov authentication does not work
Product: [JBoss] JBoss Fuse Service Works 6
Component: Installer
Version: 6.0.0 GA
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: unspecified
Reporter: Jiri Pechanec <jpechane>
Assignee: Thomas Hauser <thauser>
QA Contact: Jiri Pechanec <jpechane>
CC: atangrin, jpechane, jsedlace, kconner, soa-p-jira
Target Milestone: CR1
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Environment: ER8
Attachments: Install script (flags: none)

Description Jiri Pechanec 2013-12-19 15:59:42 UTC
RTGov gadgets throw an exception
16:55:55,165 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/gadget-web].[makeRequest]] (http-/127.0.0.1:8080-5) JBWEB000236: Servlet.service() for servlet makeRequest threw exception: java.lang.RuntimeException: java.io.IOException: Keystore was tampered with, or password was incorrect
	at org.overlord.gadgets.web.server.http.auth.SAMLBearerTokenAuthenticationProvider.createSAMLBearerTokenAssertion(SAMLBearerTokenAuthenticationProvider.java:88) [classes:]
	at org.overlord.gadgets.web.server.http.auth.SAMLBearerTokenAuthenticationProvider.provideAuthentication(SAMLBearerTokenAuthenticationProvider.java:72) [classes:]
	at org.overlord.gadgets.web.server.http.AuthenticatingHttpFetcher.fetch(AuthenticatingHttpFetcher.java:97) [classes:]
	at org.apache.shindig.gadgets.http.DefaultRequestPipeline.execute(DefaultRequestPipeline.java:108) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.gadgets.servlet.MakeRequestHandler.fetch(MakeRequestHandler.java:150) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.gadgets.servlet.MakeRequestServlet.doGet(MakeRequestServlet.java:55) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.gadgets.servlet.MakeRequestServlet.doPost(MakeRequestServlet.java:68) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.shindig.gadgets.servlet.ETagFilter.doFilter(ETagFilter.java:55) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.shindig.auth.AuthenticationServletFilter.callChain(AuthenticationServletFilter.java:151) [shindig-common-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.shindig.auth.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:96) [shindig-common-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.shindig.common.servlet.HostFilter.doFilter(HostFilter.java:39) [shindig-common-3.0.0-beta4.jar:3.0.0-beta4]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:499) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772) [rt.jar:1.7.0_25]
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.7.0_25]
	at java.security.KeyStore.load(KeyStore.java:1214) [rt.jar:1.7.0_25]
	at org.overlord.commons.auth.jboss7.SAMLBearerTokenUtil.loadKeystore(SAMLBearerTokenUtil.java:156) [overlord-commons-auth-1.1.0-redhat-5.jar:1.1.0-redhat-5]
	at org.overlord.gadgets.web.server.http.auth.SAMLBearerTokenAuthenticationProvider.createSAMLBearerTokenAssertion(SAMLBearerTokenAuthenticationProvider.java:84) [classes:]
	... 34 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770) [rt.jar:1.7.0_25]
	... 38 more

The problem seems to be present if dtgov is not installed

Comment 1 kconner 2013-12-19 16:37:44 UTC
Saw this in the installer window

"Connected to Management Interface.
Vault installation failed.
Running on-fail server check."

Comment 2 kconner 2013-12-19 17:00:10 UTC
Ignore last comment, I may have had another server running in the background. Retesting now.

Comment 3 kconner 2013-12-19 17:06:07 UTC
This appears to work with the current ER8 installer, can you please retest?  If it fails can you add details of your environment (OS etc) and include the installer log?

Comment 4 Thomas Hauser 2013-12-19 17:07:14 UTC
I am not able to reproduce this when installing only RTGov Server. Please supply an auto-xml that can be used to reproduce the exact installation conditions, thanks.

Comment 5 Jiri Pechanec 2013-12-20 07:42:14 UTC
Created attachment 839427 [details]
Install script

Reproduced with every install - see attached script.

Have you had any gadget present?

Comment 6 Jiri Pechanec 2013-12-20 07:47:28 UTC
This might be the root cause
jpechane@jpechane:~/releases/er8/rtgov2/jboss-eap-6.1$ grep password standalone/configuration/gadget-server.properties 
gadget-server.db.password=
gadget-server.config.auth.saml.keystore-password=
gadget-server.config.auth.saml.key-password=
gadget-server.rest-proxy.service-overview.authentication.saml.keystore-password=
gadget-server.rest-proxy.service-overview.authentication.saml.key-password=

The passwords are not empty when dtgov is installed.

Comment 7 Thomas Hauser 2013-12-20 17:12:58 UTC
I see the issue in the ER8 installer. Fixed for CR1.

Comment 8 Thomas Hauser 2013-12-20 17:27:50 UTC
By the way, the root cause is that the job in the installer that modifies the password properties in gadget-server.properties had an erroneous reliance upon SRAMP being installed.

Comment 9 Jiri Pechanec 2014-01-15 09:09:24 UTC
Verified in CR1
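
A post-install check for the misconfiguration found in Comment 6, as an added example that is not part of the original bug report or of the installer. The property keys are the ones shown in Comment 6; the function names, the sample values and the temporary file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report password properties that an installer left empty.

# Print each key containing "password" whose value is empty.
# Accepts "key=value" and "key: value", ignores comments and blank lines.
empty_password_keys() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF files
        /^[ \t]*[#!]/ || /^[ \t]*$/ { next }     # comments, blank lines
        {
            sep = match($0, /[=:]/)              # first separator, 0 if none
            key = (sep ? substr($0, 1, sep - 1) : $0)
            val = (sep ? substr($0, sep + 1) : "")
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) ~ /password/ && val == "") print key
        }
    ' "$1"
}

# Return 0 when every password property has a value, 1 otherwise.
check_passwords_set() {
    missing=$(empty_password_keys "$1")
    if [ -n "$missing" ]; then
        printf 'empty password properties in %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: keys from Comment 6, values made up for the example.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real installation
gadget-server.db.password=constructed-db-secret
gadget-server.config.auth.saml.keystore-password=
gadget-server.config.auth.saml.key-password =
gadget-server.rest-proxy.service-overview.authentication.saml.keystore-password=constructed-secret
gadget-server.rest-proxy.service-overview.authentication.saml.key-password=constructed-secret
EOF
}

demo_file=$(mktemp)
sample_config > "$demo_file"
check_passwords_set "$demo_file" || echo "installation check failed"
rm -f "$demo_file"
```

On a real installation the file to check is standalone/configuration/gadget-server.properties, as in Comment 6.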