
Bug 1049865

Summary: Error adding an SSL server-identity with VAULT to ManagementRealm
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: oarribas <oarribas>
Component: Security
Assignee: Anil Saldhana <anil.saldhana>
Status: CLOSED NOTABUG
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.2.0
CC: fbogyai, oarribas
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-23 11:01:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Clean server.log (flags: none)

Description oarribas 2014-01-08 11:48:05 UTC
Description of problem:
When I add a VAULT and an SSL server-identity to the ManagementRealm, and I restart (or reload) EAP, the following error appears in the log and EAP does not start:

12:26:48,151 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014612: Operation ("add") failed - address: ([
    ("core-service" => "management"),
    ("security-realm" => "ManagementRealm")
]): java.lang.SecurityException: JBAS013311: Security Exception
	at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:104) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45) [jboss-as-server-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionType(ExpressionResolverImpl.java:115) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:40) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:588) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:796) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:298) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:362) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:321) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:295) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addFileKeystoreService(SecurityRealmAddHandler.java:544) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.domain.management.security.SecurityRealmAddHandler.addSSLService(SecurityRealmAddHandler.java:508) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.domain.management.security.SecurityRealmAddHandler.installServices(SecurityRealmAddHandler.java:184) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler.execute(SecurityRealmAddHandler.java:657) [jboss-as-domain-management-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:607) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:485) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:282) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:277) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:288) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:291) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.server.ServerService.boot(ServerService.java:349) [jboss-as-server-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.server.ServerService.boot(ServerService.java:324) [jboss-as-server-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:253) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_19]
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer
	at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:279) [picketbox-4.0.19.SP2-redhat-1.jar:4.0.19.SP2-redhat-1]
	at org.jboss.as.security.vault.RuntimeVaultReader.getValue(RuntimeVaultReader.java:129) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.security.vault.RuntimeVaultReader.getValueAsString(RuntimeVaultReader.java:112) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:102) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	... 24 more
Caused by: java.lang.IllegalArgumentException: Null input buffer
	at javax.crypto.Cipher.doFinal(Cipher.java:1918) [jce.jar:1.7.0_19]
	at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134) [picketbox-4.0.19.SP2-redhat-1.jar:4.0.19.SP2-redhat-1]
	at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:275) [picketbox-4.0.19.SP2-redhat-1.jar:4.0.19.SP2-redhat-1]
	... 27 more



Steps to Reproduce:

1. Create a certificate and a VAULT and add the VAULT config to the standalone.xml (like https://access.redhat.com/site/solutions/361273 but do not apply the final example).

2. Configure the EAP 6 management console for access over HTTPS (like https://access.redhat.com/site/solutions/229963 but use the VAULT password in the "keystore-password").
CLI commands:
 /core-service=management/security-realm=ManagementRealm/server-identity=ssl:add(keystore-path=<path_to_the_keystore>,keystore-password=<VAULT_password>)
 /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
 /core-service=management/management-interface=http-interface:undefine-attribute(name=socket-binding)

3. Reload or start EAP.


Additional info: This works fine in EAP 6.0.0

Changes in the standalone.xml:

...
    </extensions>


    <vault>
        <vault-option name="KEYSTORE_URL" value="/path/to/the/certificate/certificate.name"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
        <vault-option name="KEYSTORE_ALIAS" value="pruebas"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="23"/>
        <vault-option name="ENC_FILE_DIR" value="/path/to/the/certificate/"/>
    </vault>

    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl>
                        <keystore path="/path/to/the/certificate/certificate.name" keystore-password="${VAULT::example_block::password_name::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}"/>
                    </ssl>
                </server-identities>
...
...
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding https="management-https"/>
            </http-interface>
        </management-interfaces>
    </management>
...

Comment 1 oarribas 2014-01-08 11:50:47 UTC
Created attachment 847083 [details]
Clean server.log

Comment 3 Filip Bogyai 2014-07-23 11:01:52 UTC
The correct procedure for using vault in EAP 6.1.1+ is described in comment 2, so closing this issue as not a bug.

This issue has not been reproduced and it is reported against a version which is no longer maintained, which means that it will not receive a fix. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of Enterprise Application Platform please feel free to open a bug against that version.

Comment 4 oarribas 2014-07-23 11:16:21 UTC
The vault implementation changes in EAP 6.1.1: https://access.redhat.com/site/solutions/485623


To use a keystore for securing the ManagementRealm you need a jks keystore, but the VAULT for EAP 6.1.1+ needs a jceks keystore.
You need to create a jceks keystore for the vault, and a jks keystore for the Management console. After that, you can run the vault to mask the jks keystore password.


STEP -1) Create a keystore of JKS type using a command similar to the following:

keytool -genkey -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore /usr/local/de/jboss\-eap\-6.0/jboss\-eap\-6.2/standalone/configuration/certificados/folder_A/identity.jks -storepass password1 -dname "CN=cn,OU=ou,O=o,L=l,ST=st,C=C" -validity 365 -v

Note : The above keystore (identity.jks) is used for securing the management console and will not be used for the vault.


STEP -2) Configure the above created keystore in your configuration file:

===============================================================================
                <server-identities>
                    <ssl>
                      <keystore path="/certificados/folder_A/identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1"/>
                    </ssl>
                </server-identities>
===============================================================================
Note : currently I am showing the password just to make you understand the scenario. I will later mask this password using vault.


STEP -3) Create another keystore, which will be used by the vault.

keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -keypass password2 -keystore /usr/local/de/jboss\-eap\-6.0/jboss\-eap\-6.2/standalone/configuration/certificados/folder_B/vault.jceks -storepass password2 -dname "CN=cn,OU=ou,O=o,L=l,ST=st,C=c" -validity 365 -v

Note : I have changed the path from folder_A to folder_B and the name from identity.jks to vault.jceks. This keystore will be used by the vault.sh script.


STEP -4) Run the vault.sh script using:

./vault.sh -k /usr/local/de/jboss\-eap\-6.0/jboss\-eap\-6.2/standalone/configuration/certificados/folder_B/vault.jceks -p password2 -v vault -x password1 -a password_console -b block_console  -i 50 -s 12345678 -e /usr/local/de/jboss\-eap\-6.0/jboss\-eap\-6.2/standalone/configuration/certificados/folder_B

Note : "-p" is the password of the keystore used, i.e. "password2", and "-x" is the password or any string that you want to mask, i.e. "password1" in our case, because this is the string that is used as the password in our configuration file (see step-2) and we want to mask it.


STEP -5) The vault will now generate "VAULT::block_console::password_console::1" as a masked string, and you can use this in your configuration file instead of "password1":

===============================================================================
                <server-identities>
                    <ssl>
                      <keystore path="/certificados/folder_A/identity.jks" relative-to="jboss.server.config.dir" keystore-password="${VAULT::block_console::password_console::1}"/>
                    </ssl>
                </server-identities>
===============================================================================
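As an added example (not part of the bug report, and not EAP or PicketBox code), the Python checker below parses a standalone.xml fragment and reports the three configuration states this thread turns on: a plaintext keystore-password in the SSL server-identity (step 2 of comment 4), a malformed ${VAULT::...} reference, and the vault keystore being the same file as the SSL keystore, which is what the original report did and which cannot work on EAP 6.1.1+ because the vault needs a JCEKS store with a secret key while the SSL identity needs a JKS store with a key pair. The config directory, the folder layout under it, and the sample XML fragments are constructed from the snippets in the thread; the ".jceks" file-name check is only a heuristic on the name, since the real store type is only known to keytool.

```python
# Added example, not from the bug report: a checker for the standalone.xml
# patterns discussed in this thread. CONFIG_DIR, the sample paths and the
# sample XML are constructed for the demo.
import os
import re
import xml.etree.ElementTree as ET

# ${VAULT::<block>::<attribute>::<shared-key>} as written by vault.sh
VAULT_REF = re.compile(r"^\$\{VAULT::([^:}]+)::([^:}]+)::([^}]+)\}$")

# Constructed stand-in for jboss.server.config.dir
CONFIG_DIR = "/opt/eap/standalone/configuration"


def _local(tag):
    """Strip an XML namespace so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _resolve(path, relative_to):
    """Resolve a keystore path; only jboss.server.config.dir is modelled here."""
    if relative_to == "jboss.server.config.dir":
        return os.path.normpath(os.path.join(CONFIG_DIR, path.lstrip("/")))
    return os.path.normpath(path)


def check_config(xml_text):
    """Return a list of (code, detail) findings for one standalone.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    vault_opts = {o.get("name"): o.get("value")
                  for o in root.iter() if _local(o.tag) == "vault-option"}
    vault_store = vault_opts.get("KEYSTORE_URL")
    if vault_store is not None:
        vault_store = os.path.normpath(vault_store)
        # Heuristic on the file name only: the EAP 6.1.1+ vault needs a JCEKS
        # store holding a secret key, not the JKS store used for SSL.
        if not vault_store.lower().endswith(".jceks"):
            findings.append(("VAULT_STORE_NOT_JCEKS_NAME", vault_store))
    if vault_opts and not vault_opts.get("KEYSTORE_PASSWORD", "").startswith("MASK-"):
        findings.append(("VAULT_PASSWORD_UNMASKED", vault_opts.get("KEYSTORE_PASSWORD")))

    # <keystore>/<truststore> elements of a security realm carry keystore-password
    for el in root.iter():
        if _local(el.tag) not in ("keystore", "truststore"):
            continue
        pw = el.get("keystore-password")
        if pw is None:
            continue
        path = _resolve(el.get("path", ""), el.get("relative-to"))
        if pw.startswith("${VAULT"):
            if not VAULT_REF.match(pw):
                findings.append(("BAD_VAULT_REF", pw))
        else:
            findings.append(("PLAINTEXT_PASSWORD", path))
        if vault_store is not None and path == vault_store:
            findings.append(("SHARED_KEYSTORE", path))
    return findings


def sample_config(vault_url, ks_path, relative_to, keystore_password):
    """Build a minimal standalone.xml (constructed for the demo)."""
    rel = f' relative-to="{relative_to}"' if relative_to else ""
    return f"""<server xmlns="urn:jboss:domain:1.5">
  <vault>
    <vault-option name="KEYSTORE_URL" value="{vault_url}"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="{os.path.dirname(vault_url)}/"/>
  </vault>
  <management><security-realms><security-realm name="ManagementRealm">
    <server-identities><ssl>
      <keystore path="{ks_path}"{rel} keystore-password="{keystore_password}"/>
    </ssl></server-identities>
  </security-realm></security-realms></management>
</server>"""


# Mirrors the original report: one file serves as both vault and SSL keystore.
BUG_REPORT_XML = sample_config(
    "/path/to/the/certificate/certificate.name",
    "/path/to/the/certificate/certificate.name", None,
    "${VAULT::example_block::password_name::N2Nh}")
# Mirrors step 2 of comment 4: separate stores, password still in plaintext.
STEP_2_XML = sample_config(
    CONFIG_DIR + "/certificados/folder_B/vault.jceks",
    "/certificados/folder_A/identity.jks", "jboss.server.config.dir", "password1")
# Mirrors step 5 of comment 4: separate stores, password masked by the vault.
STEP_5_XML = sample_config(
    CONFIG_DIR + "/certificados/folder_B/vault.jceks",
    "/certificados/folder_A/identity.jks", "jboss.server.config.dir",
    "${VAULT::block_console::password_console::1}")

if __name__ == "__main__":
    for name, xml in (("bug report", BUG_REPORT_XML), ("step 2", STEP_2_XML),
                      ("step 5", STEP_5_XML)):
        print(name, check_config(xml) or "OK")
```

Run it on a real standalone.xml by passing the file contents to check_config; an empty list for the step 5 layout is the state comment 4 describes as working.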