Description of problem:
The following exception is thrown when using vault and JDK 1.8.0_171+ (EAP startup and "vault.sh" script):

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more

Version-Release number of selected component (if applicable):
6.4.x and JDK 1.8.0_171.

How reproducible:
Just create/configure a vault and use JDK 1.8.0_171+, for example doing the following vault command:

./vault.sh -keystore ${JBOSS_HOME}/vault/vault.keystore --keystore-password XXXXX -alias vault --vault-block vb --attribute password --sec-attr YYYYY --enc-dir ${JBOSS_HOME}/vault --iteration 120 --salt 1234abcd

Additional info:
The info seems to be produced by a change in openjdk. See: https://bugzilla.redhat.com/show_bug.cgi?id=1567126

It seems that now the picketbox module has no access to the "sun.jdk" module, so it cannot check if the class is wrapped using a "com.sun.crypto.provider.SealedObjectForKeyProtector" as the JDK is now checking. So for me it was resolved just by adding this dependency line:

<module name="sun.jdk"/>

to the "org/picketbox/main/module.xml" file in the correct CP.

If JBoss EAP 7.0.0 is having any issue with start or LDAP configuration, add the dependency

<module name="sun.jdk"/>

to the file below:

/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/org/picketbox/main/module.xml

After applying the patch (jboss-eap-7.0.9-patch.zip), if the JBoss EAP server did not come up, then add the dependency

<module name="sun.jdk"/>

in the file below:

/opt/jbossas/jboss-eap-7.0/modules/system/layers/base/.overlays/layer-base-jboss-eap-7.0.9.CP/org/picketbox/main/module.xml

I have tested the above solution at my end and it's working fine. Please let me know if any other solution is also available for JBoss EAP 7.0.

Thanks,
Rajveer Singh Shakya
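
An added example, not part of the original comments and not JBoss tooling: a Python check that walks a modules directory and reports which picketbox module.xml descriptors (the base-layer copy and each .overlays patch copy, the two locations named above) lack a live, not commented-out, "sun.jdk" dependency. The function names and the script name in the usage comment are assumptions.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

REQUIRED = "sun.jdk"  # dependency named in the comments above
REL = Path("org/picketbox/main/module.xml")


def local(tag):
    """Strip the XML namespace (module.xml declares urn:jboss:module:<version>)."""
    return tag.rsplit("}", 1)[-1]


def has_dependency(module_xml, name=REQUIRED):
    """True if <dependencies> holds a <module name=...> element.

    ElementTree drops XML comments, so a commented-out line does not count.
    """
    root = ET.parse(module_xml).getroot()
    for deps in root.iter():
        if local(deps.tag) != "dependencies":
            continue
        for child in deps:
            if local(child.tag) == "module" and child.get("name") == name:
                return True
    return False


def find_picketbox_descriptors(modules_dir):
    """Base-layer descriptor plus every copy under .overlays/<patch-id>/."""
    base = Path(modules_dir) / "system/layers/base"
    found = [base / REL] + sorted(base.glob(".overlays/*/" + REL.as_posix()))
    return [p for p in found if p.is_file()]


def audit(modules_dir):
    """Map each descriptor path to True/False (dependency present)."""
    return {str(p): has_dependency(p) for p in find_picketbox_descriptors(modules_dir)}


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_picketbox.py $JBOSS_HOME/modules
    results = audit(sys.argv[1])
    for path, ok in results.items():
        print(("OK      " if ok else "MISSING ") + path)
    sys.exit(0 if results and all(results.values()) else 1)
```

The script exits non-zero when any copy is missing the dependency, so it can be run after each cumulative patch is applied.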