Bug 1569958 - [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Summary: [GSS] (6.4.z) Invalid Secret Key when using a vault and JDK 1.8.0_171
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.19
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.4.21
Assignee: Radovan STANCEL
QA Contact: Peter Mackay
Depends On: CVE-2018-2794
Blocks: 1570837 eap6421-payload 1570200
TreeView+ depends on / blocked
Reported: 2018-04-20 11:28 UTC by Ricardo Martin
Modified: 2021-12-10 16:00 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-19 12:44:06 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-14660 0 Major Closed [GSS](7.0.z) Invalid Secret Key when using a vault and JDK 1.8.0_171 2020-09-08 01:59:09 UTC
Red Hat Issue Tracker JBEAP-14661 0 Major Closed [GSS](7.1.z) Invalid Secret Key when using a vault and JDK 1.8.0_171 2020-09-08 01:59:09 UTC
Red Hat Knowledge Base (Solution) 3419621 0 None None None 2018-04-20 14:25:46 UTC

Description Ricardo Martin 2018-04-20 11:28:10 UTC
Description of problem:

The following exception is thrown when using vault and JDK 1.8.0_171+ (EAP startup and "vault.sh" script):

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more

Version-Release number of selected component (if applicable):

6.4.x and JDK 1.8.0_171.

How reproducible:

Just create/configure a vault and use JDK 1.8.0_171+, for example doing the following vault command:

./vault.sh -keystore ${JBOSS_HOME}/vault/vault.keystore --keystore-password XXXXX -alias vault --vault-block vb --attribute password --sec-attr YYYYY --enc-dir ${JBOSS_HOME}/vault --iteration 120 --salt 1234abcd

Additional info:

The info seems to be produced by a change in openjdk. See:


Comment 1 Ricardo Martin 2018-04-20 11:32:51 UTC
It seems that now the picketbox module has no access to "sun.jdk" module so it cannot check if the class is wrapped using a "com.sun.crypto.provider.SealedObjectForKeyProtector" as now JDK is checking. So for me it was resolved just adding this dependency line:

<module name="sun.jdk"/>

to "org/picketbox/main/module.xml" file in the correct CP.

Comment 13 rajveer singh shakya 2019-11-21 05:52:18 UTC
If jboss EAP 7.0.0 is having any issue with start or ldap configuration add dependency <module name="sun.jdk"/> to below file

After apply Patch (jboss-eap-7.0.9-patch.zip) if jboss EAP server did not come up then add dependency <module name="sun.jdk"/> in below file


The above solution I have tested at my end and its working fine.

Please let me know if any other solution is also available fo jboss EAP 7.0

Rajveer Singh Shakya

Note You need to log in before you can comment on or make changes to this bug.