Posted to dev@knox.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2019/03/05 17:07:00 UTC
[jira] [Work started] (KNOX-1801) Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
[ https://issues.apache.org/jira/browse/KNOX-1801?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on KNOX-1801 started by Robert Levas.
------------------------------------------
> Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
> ---------------------------------------------------------------------------------------------------------
>
> Key: KNOX-1801
> URL: https://issues.apache.org/jira/browse/KNOX-1801
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.3.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Fix For: 1.3.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled.
> *Steps to reproduce*
> # Create custom TLS keystore for Knox with a custom keystore password (not the master secret)
> # Specify the custom TLS keystore details in {{gateway-site.xml}}
> ** {{gateway.tls.keystore.password.alias}}
> ** {{gateway.tls.keystore.path}}
> ** {{gateway.tls.keystore.type}}
> ** {{gateway.tls.key.alias}}
> ** {{gateway.tls.key.passphrase.alias}} (optional)
> # Turn on client-auth
> ** {{gateway.client.auth.needed}} : {{true}}
> # Create password alias for the custom keystore using Knox CLI
> ** {{bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>}}
> # (Re)Start the Gateway
> The Gateway will fail to start with the following error in the gateway.log:
> {noformat}
> 2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
> java.io.IOException: keystore password was incorrect
> at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
> at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
> at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
> at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
> at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
> at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
> at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
> at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
> at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
> at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
> Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
> ... 17 more
> {noformat}
> *Solution*
> Look up the password for the truststore using the appropriate alias name, falling back to the master secret if an alias is not configured or not set.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
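The following added example (not code from the Knox project or from the ticket) models the failure mode above and the proposed lookup-with-fallback in plain JDK code. It assumes that when no custom truststore is configured and client-auth is on, the identity keystore is reused as the truststore, so its password alias (gateway-identity-keystore-password, from the steps above) is the one to consult; the AliasStore, GatewayConfig, the keystore path and the secret values are all constructed stand-ins. The buggy resolver returns the master secret unconditionally, the fixed resolver consults the alias first, and a PKCS12 keystore built in memory with a custom password shows which resolution actually opens it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;

public class TruststorePasswordResolution {

    // Hypothetical stand-in for Knox's alias service: alias name -> secret (not the real API).
    static final class AliasStore {
        private final Map<String, char[]> aliases = new HashMap<>();
        void put(String alias, String value) { aliases.put(alias, value.toCharArray()); }
        char[] get(String alias) { return alias == null ? null : aliases.get(alias); }
    }

    // Subset of gateway-site.xml settings relevant to the ticket; property names from the ticket, values constructed.
    static final class GatewayConfig {
        String tlsKeystorePath;           // gateway.tls.keystore.path
        String tlsKeystorePasswordAlias;  // gateway.tls.keystore.password.alias
        String truststorePath;            // null when no custom truststore is configured (assumed shape)
        String truststorePasswordAlias;   // null when no alias is configured (assumed shape)
        boolean clientAuthNeeded;         // gateway.client.auth.needed
    }

    /** Behaviour described in KNOX-1801: the truststore password is simply assumed to be the master secret. */
    static char[] resolveTruststorePasswordBuggy(GatewayConfig cfg, AliasStore aliases, char[] masterSecret) {
        return masterSecret;
    }

    /** Proposed fix: resolve via alias, fall back to the master secret only if no alias is configured or set. */
    static char[] resolveTruststorePasswordFixed(GatewayConfig cfg, AliasStore aliases, char[] masterSecret) {
        String alias;
        if (cfg.truststorePath == null) {
            // Assumption: with no custom truststore, the identity keystore doubles as the truststore,
            // so its password alias is the appropriate one to look up.
            alias = cfg.tlsKeystorePasswordAlias;
        } else {
            alias = cfg.truststorePasswordAlias;
        }
        char[] pw = aliases.get(alias);
        return pw != null ? pw : masterSecret;
    }

    /** Build a PKCS12 keystore in memory protected by the given password (constructed test data). */
    static byte[] buildKeystore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES");
        ks.setEntry("gateway-identity", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    /** Mirrors the KeyStore.load call in the stack trace: true if the store opens with this password. */
    static boolean opens(byte[] keystore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(keystore), password);
            return true;
        } catch (IOException e) {
            // A wrong password surfaces as IOException, e.g. "keystore password was incorrect" as in the ticket.
            System.out.println("load failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] masterSecret = "master-secret".toCharArray();              // constructed
        char[] customKeystorePassword = "custom-keystore-pw".toCharArray(); // constructed, not the master secret

        GatewayConfig cfg = new GatewayConfig();
        cfg.tlsKeystorePath = "/path/to/custom-keystore.p12";            // placeholder path
        cfg.tlsKeystorePasswordAlias = "gateway-identity-keystore-password";
        cfg.clientAuthNeeded = true;
        // truststorePath stays null: the "custom truststore not specified" case from the ticket.

        AliasStore aliases = new AliasStore();
        aliases.put(cfg.tlsKeystorePasswordAlias, new String(customKeystorePassword));

        byte[] keystore = buildKeystore(customKeystorePassword);

        System.out.println("buggy resolution opens truststore: "
                + opens(keystore, resolveTruststorePasswordBuggy(cfg, aliases, masterSecret)));
        System.out.println("fixed resolution opens truststore: "
                + opens(keystore, resolveTruststorePasswordFixed(cfg, aliases, masterSecret)));
    }
}
```

Run with `javac TruststorePasswordResolution.java && java TruststorePasswordResolution`; the buggy path reports a load failure and `false`, the fixed path reports `true`. Keeping the alias lookup and the master-secret fallback in one resolver is the point of the fix: the fallback remains available for deployments that never created an alias, while a deployment that did is no longer silently locked out at startup.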