Posted to dev@knox.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2019/03/04 16:18:00 UTC
[jira] [Created] (KNOX-1801) Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
Robert Levas created KNOX-1801:
----------------------------------
Summary: Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled
Key: KNOX-1801
URL: https://issues.apache.org/jira/browse/KNOX-1801
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 1.3.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 1.3.0
Master secret is incorrectly assumed when a custom truststore is not specified when clientauth is enabled.
*Steps to reproduce*
# Create custom TLS keystore for Knox with a custom keystore password (not the master secret)
# Specify the custom TLS keystore details in {{gateway-site.xml}}
** {{gateway.tls.keystore.password.alias}}
** {{gateway.tls.keystore.path}}
** {{gateway.tls.keystore.type}}
** {{gateway.tls.key.alias}}
** {{gateway.tls.key.passphrase.alias}} (optional)
# Turn on client-auth
** {{gateway.client.auth.needed}} : {{true}}
# Create password alias for the custom keystore using Knox CLI
** {{bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>}}
# (Re)Start the Gateway
The Gateway will fail to start with the following error in the gateway.log:
{noformat}
2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 17 more
{noformat}
*Solution*
Look up the password for the truststore using the appropriate alias name, falling back to the master secret if an alias is not configured or not set.
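As an added example, not Knox's own code: a Python model of the password-resolution logic this issue describes, run against the reproduction steps above, with the pre-fix and fixed behaviour side by side. The truststore config keys (`gateway.tls.truststore.*`), the constructed paths and passwords, and the stand-in keystore loader are assumptions; the keystore keys and the alias name are the ones listed in the steps.

```python
# Added example, not Knox code: models the truststore-password resolution
# from KNOX-1801. Truststore key names and all values are assumptions.
MASTER_SECRET = "knox-master-secret"                            # constructed
KEYSTORE_PASSWORD_ALIAS = "gateway-identity-keystore-password"  # from the issue

def lookup_alias(aliases, name):
    """Password stored under alias `name`, or None if the alias is unset."""
    return aliases.get(name) or None

def resolve_truststore_buggy(config, aliases):
    """Pre-fix: with no custom truststore the identity keystore doubles as
    truststore, but its password is assumed to be the master secret."""
    path = config.get("gateway.tls.truststore.path")             # assumed key
    if path is None:
        return config["gateway.tls.keystore.path"], MASTER_SECRET
    alias = config.get("gateway.tls.truststore.password.alias")  # assumed key
    return path, lookup_alias(aliases, alias) or MASTER_SECRET

def resolve_truststore_fixed(config, aliases):
    """Fixed: look the password up via the alias of whichever store is really
    used; use the master secret only if no alias is configured or set."""
    path = config.get("gateway.tls.truststore.path")             # assumed key
    if path is None:
        path = config["gateway.tls.keystore.path"]
        alias = config.get("gateway.tls.keystore.password.alias")
    else:
        alias = config.get("gateway.tls.truststore.password.alias")
    password = lookup_alias(aliases, alias) if alias else None
    return path, password or MASTER_SECRET

def keystore_loads(stores, path, password):
    """Stand-in for KeyStore.load(): True iff `password` is the one the
    constructed store at `path` was created with."""
    return stores.get(path) == password

# Constructed reproduction of the steps: custom keystore with its own
# password, alias created via knoxcli, client auth on, no truststore set.
KEYSTORE_PATH = "/opt/knox/data/security/keystores/custom.p12"  # constructed
REPRO_CONFIG = {
    "gateway.tls.keystore.path": KEYSTORE_PATH,
    "gateway.tls.keystore.password.alias": KEYSTORE_PASSWORD_ALIAS,
    "gateway.client.auth.needed": "true",
}
REPRO_ALIASES = {KEYSTORE_PASSWORD_ALIAS: "custom-keystore-pw"}  # constructed
REPRO_STORES = {KEYSTORE_PATH: "custom-keystore-pw"}              # constructed

def gateway_starts(resolver, config=REPRO_CONFIG, aliases=REPRO_ALIASES):
    """True if the resolved password opens the store, i.e. startup would not
    fail with 'keystore password was incorrect'."""
    return keystore_loads(REPRO_STORES, *resolver(config, aliases))
```

With the reproduction config, `gateway_starts(resolve_truststore_buggy)` is False (the master secret is tried against the custom keystore) while `gateway_starts(resolve_truststore_fixed)` is True; removing the alias from the store makes the fixed resolver fall back to the master secret.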