Before EAP version 6.4.0.DR10, if the keystore format for the vault was JKS, it was automatically converted to JCEKS. Now during vault initialization this exception is thrown:

PBOX000137: Security Vault does not contain SecretKey entry under alias (jboss)

although the alias for the keystore is right.

Steps to Reproduce:
1. Create keystore:
   keytool -genkey -alias jboss -keyalg RSA -keysize 1024 -keystore server.keystore -storepass testpass -dname 'cn=JBoss Security,ou=JBoss Division,o=RedHatInc,l=Raleigh,st=NC,c=US' -keypass testpass
2. Execute vault.sh:
   ./vault.sh -k ${EAP_HOME}/server.keystore -p testpass -e ${EAP_HOME} -i 50 -s 12345678 -v jboss -b block -a attribute -x sec_pass

Actual results:
PBOX000137: Security Vault does not contain SecretKey entry under alias (jboss)

Expected results:
Keystore is converted to JCEKS without exception and the vault is initialized successfully.
Just raised the Blocker '?' flag for triage.
This will block FSW 6.2, S-RAMP 0.6.1, and RTGov
This issue has been fixed, as with the other one. I have just tried the reproducer on EAP 6.4.0.ER1 to be sure. Started with the old version of the Vault (including .dat files and JKS keystore type).

./bin/vault.sh -k vault-v0/vault-jks.keystore -p secretsecret -e vault-v0/vault_data/ -s 24681359 -i 88 -v thealias -a attribute -x sec_pass
=========================================================================
  JBoss Vault
  JBOSS_HOME: /home/pskopek/dev/picketbox/6.4.0.ER1/jboss-eap-6.4
  JAVA: /opt/sun/jdk1.7.0_67/bin/java
=========================================================================
Jan 19, 2015 5:04:37 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Secured attribute value has been stored in vault.
Please make note of the following:
********************************************
Vault Block:vb
Attribute Name:attribute
Configuration should be done as follows:
VAULT::vb::attribute::1
********************************************
Vault Configuration in configuration file:
********************************************
...
</extensions>
<vault>
  <vault-option name="KEYSTORE_URL" value="vault-v0/vault-jks.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASK-0X6MP2urfgJoRURxC5tsFw"/>
  <vault-option name="KEYSTORE_ALIAS" value="thealias"/>
  <vault-option name="SALT" value="24681359"/>
  <vault-option name="ITERATION_COUNT" value="88"/>
  <vault-option name="ENC_FILE_DIR" value="vault-v0/vault_data/"/>
</vault><management>
...
********************************************

# result of conversion:
$ ll vault-v0/vault_data/
-rw-rw-r--. 1 pskopek pskopek 1278 Jan 19 17:04 ENC.dat.original
-rw-rw-r--. 1 pskopek pskopek 1428 Jan 19 17:04 VAULT.dat

# keystore conversion including save of original alias:
$ keytool -list -keystore vault-v0/vault-jks.keystore -storepass secretsecret -storetype JCEKS
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

thealias, Jan 19, 2015, SecretKeyEntry,
thealias-original, Jan 19, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 56:CC:EC:B9:65:9F:0D:D1:CD:F2:6C:C5:1A:56:9A:74:5E:45:B6:EE
This still fails for me on both 6.4.0.ER1 and 6.4.0.Alpha1

[java] Storing a password in the password vault.
[java] java.lang.Exception: Exception encountered:java.lang.RuntimeException: PBOX000137: Security Vault does not contain SecretKey entry under alias (vault)
[java]     at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:194)
[java]     at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:212)
[java]     at org.overlord.commons.auth.jboss7.tools.AuthTool.storePassword(AuthTool.java:97)
[java]     at org.overlord.commons.auth.jboss7.tools.AuthTool.main(AuthTool.java:45)
[java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java]     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[java]     at java.lang.reflect.Method.invoke(Method.java:606)
[java]     at org.jboss.modules.Module.run(Module.java:312)
[java]     at org.jboss.modules.Main.main(Main.java:473)
[java] Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX000137: Security Vault does not contain SecretKey entry under alias (vault)
[java]     at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:487)
[java]     at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:214)
[java]     at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:191)
[java]     ... 9 more
[java] Caused by: java.lang.RuntimeException: PBOX000137: Security Vault does not contain SecretKey entry under alias (vault)
[java]     at org.picketbox.plugins.vault.PicketBoxSecurityVault.setUpVault(PicketBoxSecurityVault.java:379)
[java]     at org.picketbox.plugins.vault.PicketBoxSecurityVault.readVaultContent(PicketBoxSecurityVault.java:482)
[java]     ... 11 more
For what it's worth, this is the ant task that's causing the issue. It's a little hard to read, but it can at least give you an idea of what we're doing:

<java jar="${overlord-commons.appserver.dir}/jboss-modules.jar" fork="true" dir="${overlord-commons.appserver.dir}" failonerror="true" maxmemory="128m">
  <arg value="-mp"/>
  <arg value="${overlord-commons.jboss.module-path}"/>
  <arg value="org.overlord.commons.overlord-commons-auth-tool"/>
  <arg value="storepassword"/>
  <arg value="-vaultdir"/>
  <arg value="${overlord-commons.appserver.dir}/vault/"/>
  <arg value="-keystore"/>
  <arg value="${overlord-commons.jboss.config.dir}/vault.keystore"/>
  <arg value="-storepass"/>
  <arg value="${overlord-commons.vault.password}"/>
  <arg value="-alias"/>
  <arg value="vault"/>
  <arg value="-salt"/>
  <arg value="8675309K"/>
  <arg value="-count"/>
  <arg value="50"/>
  <arg value="-name"/>
  <arg value="saml-keystore.password"/>
  <arg value="-password"/>
  <arg value="${overlord-commons.saml-keystore.password}"/>
  <arg value="-block"/>
  <arg value="overlord"/>
  <arg value="-propertyfile"/>
  <arg value="${overlord-commons.tmp.file}"/>
  <arg value="-property"/>
  <arg value="overlord-commons.saml-keystore.password.hash"/>
</java>
The problem is that you have a JKS-type keystore and VAULT.dat secured attribute storage. This combination cannot be supported, because a JKS keystore can contain only PrivateKey entries; for SecretKey entries you need JCEKS. Older versions of the PicketBox Vault consist of a JKS keystore and ENC.dat and Shared.dat files. Newer versions of the Vault consist of a JCEKS keystore and a VAULT.dat file. The exception in your case is generated because the VAULT.dat file is present and the Vault implementation is going to fetch a SecretKey entry from the keystore, which is not there (your keystore contains only a PrivateKey entry). The state your Vault is in right now might happen after some kind of failure during Vault startup.
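The explanation above (JKS holds PrivateKey entries only, SecretKey entries need JCEKS, and the VAULT.dat / ENC.dat file pair tells you which vault generation a keystore is expected to match) can be checked directly with the JDK keystore API. The following is an added example, not PicketBox or EAP code: the first function shows that a JKS keystore refuses a SecretKeyEntry while JCEKS accepts one (the reporter's keytool -genkey command produces a PrivateKeyEntry, which is why the original JKS keystore never carries the key the new vault looks for), and the diagnostic reproduces the mismatch check that precedes PBOX000137 without starting a vault. The alias "vault", the password "testpass", the temporary directory and the empty VAULT.dat stand-in are all constructed for the example; the real secured-attribute file is not created here, and the keystore type passed to diagnose must match the file on disk because the JDK does not autodetect JCEKS when asked for JKS.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not PicketBox/EAP code): why a JKS keystore cannot back a
 * VAULT.dat-style vault, plus a pre-flight diagnostic for the mismatch.
 * Alias, password and paths below are constructed for the demonstration.
 */
public class VaultKeystoreCheck {

    /** Try to store a SecretKeyEntry in a fresh in-memory keystore of the given type. */
    static boolean canStoreSecretKey(String storeType, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, password);                       // empty keystore of that type
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        try {
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                        new KeyStore.PasswordProtection(password));
            return true;                               // JCEKS gets here
        } catch (KeyStoreException e) {
            return false;                              // JKS: "Cannot store non-PrivateKeys"
        }
    }

    /** Write a JCEKS keystore holding a vault SecretKey under alias (what a new-format vault needs). */
    static void createJceksVaultKeystore(File file, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        try (OutputStream out = new FileOutputStream(file)) {
            ks.store(out, password);
        }
    }

    /**
     * Classify the keystore / encrypted-file-directory pair the way the vault
     * would see it: VAULT.dat requires a SecretKeyEntry under alias, while the
     * old ENC.dat/Shared.dat layout goes with a PrivateKeyEntry.
     */
    static String diagnose(File keystoreFile, String storeType, char[] password,
                           String alias, File encDir) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, password);
        }
        boolean newFormat = new File(encDir, "VAULT.dat").exists();
        boolean oldFormat = new File(encDir, "ENC.dat").exists()
                         || new File(encDir, "Shared.dat").exists();
        // entryInstanceOf returns false for a missing alias, so no exception path is needed
        boolean hasSecretKey  = ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class);
        boolean hasPrivateKey = ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class);

        if (newFormat && hasSecretKey)
            return "OK: VAULT.dat with SecretKeyEntry under '" + alias + "'";
        if (newFormat && hasPrivateKey)
            return "MISMATCH: VAULT.dat present but '" + alias + "' is a PrivateKeyEntry (JKS-style); "
                 + "vault init would fail with PBOX000137";
        if (oldFormat && hasPrivateKey)
            return "OLD FORMAT: ENC.dat/Shared.dat with PrivateKeyEntry; conversion to JCEKS expected on first use";
        return "UNKNOWN: no vault data files in " + encDir + " or alias '" + alias + "' not a key entry";
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "testpass".toCharArray();          // constructed password
        System.out.println("JKS accepts SecretKeyEntry:   " + canStoreSecretKey("JKS", "vault", pw));
        System.out.println("JCEKS accepts SecretKeyEntry: " + canStoreSecretKey("JCEKS", "vault", pw));

        // Constructed new-format layout: JCEKS keystore plus an (empty) VAULT.dat stand-in.
        File dir = Files.createTempDirectory("vault-check").toFile();
        File ksFile = new File(dir, "vault.keystore");
        createJceksVaultKeystore(ksFile, "vault", pw);
        new File(dir, "VAULT.dat").createNewFile();
        System.out.println(diagnose(ksFile, "JCEKS", pw, "vault", dir));
    }
}
```

Run against a real installation, point diagnose at the keystore named in KEYSTORE_URL, the directory from ENC_FILE_DIR and the alias from KEYSTORE_ALIAS; the MISMATCH branch is the state the last comment describes, and the fix is to restore a consistent pair (either the old keystore with its ENC.dat/Shared.dat files so conversion can run again, or a JCEKS keystore that actually carries the SecretKey) rather than to keep retrying the vault start.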