Bug 1569958

Summary: [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Ricardo Martin <rmartinc>
Component: Security
Assignee: Radovan STANCEL <rstancel>
Status: CLOSED CURRENTRELEASE
QA Contact: Peter Mackay <pmackay>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4.19
CC: anmiller, bdawidow, bmaxwell, darran.lofthouse, dcihak, hokuda, jdatta, jolee, pjindal, pmackay, pskopek, rajveer.singh, rstancel, vvasilev
Target Milestone: CR1
Target Release: EAP 6.4.21
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-19 12:44:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1567126
Bug Blocks: 1567790, 1570200, 1570837

Description Ricardo Martin 2018-04-20 11:28:10 UTC
Description of problem:

The following exception is thrown when using a vault and JDK 1.8.0_171+ (at EAP startup and in the "vault.sh" script):

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more


Version-Release number of selected component (if applicable):

6.4.x and JDK 1.8.0_171.


How reproducible:

Just create/configure a vault and use JDK 1.8.0_171+, for example by running the following vault command:

./vault.sh -keystore ${JBOSS_HOME}/vault/vault.keystore --keystore-password XXXXX -alias vault --vault-block vb --attribute password --sec-attr YYYYY --enc-dir ${JBOSS_HOME}/vault --iteration 120 --salt 1234abcd


Additional info:

The issue seems to be produced by a change in OpenJDK. See:

https://bugzilla.redhat.com/show_bug.cgi?id=1567126

Comment 1 Ricardo Martin 2018-04-20 11:32:51 UTC
It seems that now the picketbox module has no access to the "sun.jdk" module, so it cannot check whether the class is wrapped using a "com.sun.crypto.provider.SealedObjectForKeyProtector", as the JDK is now checking. So for me it was resolved just by adding this dependency line:

<module name="sun.jdk"/>

to the "org/picketbox/main/module.xml" file in the correct CP.
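
As an added check (not part of this bug report, nor code from JBoss EAP or PicketBox), the following Python flags an installation where the JDK is at 1.8.0_171 or later but the picketbox module.xml still lacks the sun.jdk dependency described in this comment. The sample module.xml is constructed, and its resource jar name is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Update level from which the JDK validates the sealed-key wrapper class while
# loading a JCEKS store (1.8.0_171+, as reported in this bug).
FIRST_CHECKING_UPDATE = 171
# Module dependency the reporter added to org/picketbox/main/module.xml.
REQUIRED_DEPENDENCY = "sun.jdk"
_JDK8_RE = re.compile(r"^1\.8\.0_(\d+)")

def jdk_triggers_keystore_check(version):
    """True when a JDK 8 version string (e.g. '1.8.0_171') is at or past the
    update that introduced the check; None if it is not a JDK 8 version."""
    m = _JDK8_RE.match(version.strip())
    return None if m is None else int(m.group(1)) >= FIRST_CHECKING_UPDATE

def module_dependencies(module_xml):
    """Names of <module> entries under <dependencies> in a JBoss module.xml,
    ignoring the urn:jboss:module:* namespace so any schema version works."""
    names = set()
    for elem in ET.fromstring(module_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "dependencies":
            for dep in elem:
                if dep.tag.rsplit("}", 1)[-1] == "module":
                    names.add(dep.get("name"))
    return names

def vault_module_ok(version, module_xml):
    """(ok, reason): ok is False only when this JDK performs the stricter
    check and the picketbox module.xml still lacks the sun.jdk dependency."""
    if not jdk_triggers_keystore_check(version):
        return True, "JDK does not perform the stricter JCEKS secret-key check"
    if REQUIRED_DEPENDENCY in module_dependencies(module_xml):
        return True, "sun.jdk dependency present"
    return False, 'add <module name="sun.jdk"/> to picketbox module.xml'

# Constructed sample of a picketbox module.xml that lacks the dependency
# (the resource jar name is a placeholder, not the real artifact).
SAMPLE_MODULE_XML = """<module xmlns="urn:jboss:module:1.1" name="org.picketbox">
  <resources><resource-root path="picketbox-PLACEHOLDER.jar"/></resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="org.jboss.logging"/>
  </dependencies>
</module>
"""
```

Run vault_module_ok() against the output of `java -version` and the module.xml of the layer that is actually active (base or the patch overlay) to decide whether the dependency is still missing.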

Comment 13 rajveer singh shakya 2019-11-21 05:52:18 UTC
If JBoss EAP 7.0.0 has any issue with startup or LDAP configuration, add the dependency <module name="sun.jdk"/> to the file below:
/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/org/picketbox/main/module.xml

After applying the patch (jboss-eap-7.0.9-patch.zip), if the JBoss EAP server does not come up, add the dependency <module name="sun.jdk"/> to the file below:

/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.0.9.CP/org/picketbox/main/module.xml

I have tested the above solution at my end and it's working fine.

Please let me know if any other solution is also available for JBoss EAP 7.0.

Thanks,
Rajveer Singh Shakya