Bug 1076507 - [GSS] (6.2.x) Usage of vault for system-properties throws java.lang.SecurityException
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Server
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR2
: EAP 6.2.3
Assignee: Chao Wang
QA Contact:
Lucas Costi
URL:
Whiteboard:
Depends On: JBPAPP6-1735
Blocks: eap62-cp03-blockers
Reported: 2014-03-14 13:25 UTC by Chris Dolphy
Modified: 2018-12-09 17:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 could fail to start if a system property was used that contained a vault expression in its value attribute. This was because the system property resources in the XML configuration were processed before the security vault resources. This meant that the security vault was not available as a source for resolving expressions. Any resources using a vault attribute would result in the following error:

{code}
java.lang.SecurityException: JBAS013322: Vault is not initialized
{code}

In this release, if a system property value expression fails to resolve, a second attempt is made later in the boot process at a point after the vault (if one is configured) is installed. This resolves the issue and systems using vault expressions now boot as expected.
Clone Of:
Environment:
Last Closed: 2014-06-09 12:46:31 UTC
Type: Bug
Embargoed:



Links
System: Red Hat Issue Tracker
ID: WFLY-1904
Private: 0
Priority: Major
Status: Closed
Summary: Usage of vault for system-properties throws java.lang.SecurityException
Last Updated: 2018-09-19 16:42:05 UTC

Description Chris Dolphy 2014-03-14 13:25:35 UTC
Description of problem:
Setting system properties using vault gives an error (Vault is not initialized).

Version-Release number of selected component (if applicable):
EAP 6.2.0

How reproducible:
Follow steps.

Steps to Reproduce:
1. Create a vault and store an attribute.
2. Add the following lines to standalone.xml (values may differ based on step #2):

{code}
    <system-properties>
      <property name="javax.net.ssl.trustStore" value="/dir/truststore.jks"/>
      <property name="javax.net.ssl.trustStorePassword" value="${VAULT::blk::attr::MTBlYWUzNDEtMjI2MC00NWYzLWFiZmUtM2EyYjZkNDgyZWM4TElORV9CUkVBS215YWxpYXM=}" />
    </system-properties>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/opt/jboss-eap-6.0/standalone/configuration/vault.jks"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-2gTQPnrWJaqrh0pURMKAOw"/>
        <vault-option name="KEYSTORE_ALIAS" value="myalias"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="44"/>
        <vault-option name="ENC_FILE_DIR" value="/opt/jboss-eap-6.0/standalone/configuration/"/>
    </vault>
{code}

3. Start EAP 6 in standalone mode.

Actual results:

Usage of vault for system-properties throws java.lang.SecurityException.

boot.log:
{code}
20:35:30,267 ERROR [org.jboss.as.controller.management-operation] JBAS014612: Operation ("add") failed - address: ([("system-property" => "javax.net.ssl.trustStorePassword")]): java.lang.SecurityException: JBAS013322: Vault is not initialized
	at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:98) [jboss-as-security-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
	at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45) [jboss-as-server-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
	at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.1.2.Final-redhat-1.jar:7.1.2.Final-redhat-1]
{code}

Expected results:
System property is set using vault.
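A small pre-upgrade check, added here as an example and not part of the bug report or of EAP itself: it parses a standalone.xml, lists every system property whose value carries a `${VAULT::block::attribute::key}` expression (exactly the configuration that fails to boot before the fix in EAP 6.2.3), and reports whether a vault block is present at all. The embedded config is the fragment from the steps above, wrapped in a constructed `<server>` root so it parses; namespaced real files are handled by matching local tag names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <system-properties> and <vault> fragment from the bug report,
# wrapped in a plain <server> root. Real files carry xmlns="urn:jboss:domain:..." instead.
SAMPLE_CONFIG = """<server>
    <system-properties>
      <property name="javax.net.ssl.trustStore" value="/dir/truststore.jks"/>
      <property name="javax.net.ssl.trustStorePassword" value="${VAULT::blk::attr::MTBlYWUzNDEtMjI2MC00NWYzLWFiZmUtM2EyYjZkNDgyZWM4TElORV9CUkVBS215YWxpYXM=}" />
    </system-properties>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/opt/jboss-eap-6.0/standalone/configuration/vault.jks"/>
    </vault>
</server>"""

# Shape of the vault expression used in the report: ${VAULT::<block>::<attribute>::<shared-key>}
VAULT_EXPR = re.compile(r"\$\{VAULT::([^:}]+)::([^:}]+)::([^}]+)\}")


def _local(tag):
    """Strip a namespace prefix such as {urn:jboss:domain:1.5} from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_vault_system_properties(xml_text):
    """Return (property name, vault block, vault attribute) for each system property whose
    value contains a vault expression. Before the fix these are resolved before the vault
    is installed and boot aborts with JBAS013322; from EAP 6.2.3 on they are retried later."""
    root = ET.fromstring(xml_text)
    hits = []
    for node in root.iter():
        if _local(node.tag) != "system-properties":
            continue
        for prop in node:
            if _local(prop.tag) != "property":
                continue
            for block, attr, _shared_key in VAULT_EXPR.findall(prop.get("value", "")):
                hits.append((prop.get("name"), block, attr))
    return hits


def vault_is_configured(xml_text):
    """True when a <vault> element with at least one <vault-option> is present."""
    root = ET.fromstring(xml_text)
    return any(_local(n.tag) == "vault" and len(n) > 0 for n in root.iter())


if __name__ == "__main__":
    for name, block, attr in find_vault_system_properties(SAMPLE_CONFIG):
        print(f"system property {name} references vault block '{block}', attribute '{attr}'")
    print("vault configured:", vault_is_configured(SAMPLE_CONFIG))
```

The check only inspects the XML; it does not verify that the keystore at KEYSTORE_URL exists or that the block and attribute are actually stored in the vault.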

Comment 2 Ondrej Lukas 2014-05-07 06:08:11 UTC
Verified in EAP 6.2.3.CR2.
