Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2018/08/29 09:15:00 UTC

[jira] [Commented] (SOLR-11690) DIH JdbcDataSource - Problem decoding encrypted password using encryptKeyFile

    [ https://issues.apache.org/jira/browse/SOLR-11690?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16596112#comment-16596112 ] 

Jan Høydahl commented on SOLR-11690:
------------------------------------

I had the exact same issue. For me it was solved by using
{code:java}
echo -n "mypassword" > pwd.txt
{code}
instead of what the refGuide says:
{code:java}
echo "mypassword" > pwd.txt
{code}
The {{-n}} flag tells echo to not add a newline, and then it works. So I think this JIRA can result in a documentation fix where we add the {{-n}} flag and make a WARNING box detailing that you need to make sure the file contains ONLY the password and nothing else.

I think the problem has to be solved before running openssl, and cannot be fixed in Java code in DIH. Here is the sequence I'd recommend instead of the current docs:
 # Create a file with an encryption key
{{echo -n "myencryptionkey" > /var/solr/data/dih-encryptionkey}}
 # Use this file name as the "encryptKeyFile" parameter in <dataSource> tag in data-config.xml
 # Encrypt your JDBC password into a string to replace the password in the config
{{echo -n "my-jdbc-password" | openssl enc -aes-128-cbc -a -salt -pass file:/var/solr/data/dih-encryptionkey}}
 # Insert that string as "password" in the <dataSource> tag in data-config.xml. The string will look something like this
U2FsdGVkX188xHM8QHUbuDapdE3WTLt//Oey9VSRAyE=

This procedure is simpler as it avoids storing the JDBC password to a file (which must be deleted again), and you also don't need to type the encryption key twice, as we ask openssl to read the same file that DIH will read later.

> DIH JdbcDataSource - Problem decoding encrypted password using encryptKeyFile
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-11690
>                 URL: https://issues.apache.org/jira/browse/SOLR-11690
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: contrib - DataImportHandler
>    Affects Versions: 6.6.2
>            Reporter: Rajesh Arumugam
>            Assignee: Jan Høydahl
>            Priority: Major
>              Labels: easyfix
>             Fix For: master (8.0), 7.5
>
>
> The password decryption is not working fine because of a bug in JdbcDataSource.java -> decryptPwd(Context context, Properties initProps) method. The problem is due to bad construction of key string while making a call to CryptoKeys.decodeAES(). Due to this the CryptoKeys throws "*Bad password, algorithm, mode or padding; no salt, wrong number of iterations or corrupted ciphertext.*" exception while trying to decode password.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
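
A pre-flight check for the procedure in the comment above, as an added example that is not part of the original message or of Solr: it flags a key file that ends in a newline or carriage return, and shows that a password piped through plain `echo` comes back from decryption one byte longer. The function names and the temporary paths are assumptions made for this example; the sample secrets are the placeholders used in the comment.

```shell
#!/bin/sh
# Added example, not Solr project code. Secrets and paths below are constructed.

# Print the last byte of FILE as two hex digits (empty output for an empty file).
last_byte_hex() {
    tail -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeed only if FILE is non-empty and does not end in LF or CR.
secret_file_is_clean() {
    case "$(last_byte_hex "$1")" in
        ''|0a|0d) return 1 ;;
        *) return 0 ;;
    esac
}

# Encrypt stdin with the key file as in the comment, decrypt it again,
# and print how many bytes the consumer of the password would receive.
roundtrip_bytes() {
    openssl enc -aes-128-cbc -a -salt -pass "file:$1" 2>/dev/null |
        openssl enc -d -aes-128-cbc -a -pass "file:$1" 2>/dev/null |
        wc -c | tr -d ' '
}

demo() {
    dir=$(mktemp -d) || return 1
    echo "myencryptionkey" > "$dir/key-echo"           # plain echo appends LF
    printf '%s' "myencryptionkey" > "$dir/key-exact"   # portable form of echo -n
    for f in "$dir/key-echo" "$dir/key-exact"; do
        if secret_file_is_clean "$f"; then
            echo "OK    $f"
        else
            echo "WARN  $f ends with byte 0x$(last_byte_hex "$f")"
        fi
    done
    # The round trip needs the openssl CLI; skip it quietly when absent.
    if command -v openssl >/dev/null 2>&1; then
        echo "via echo:   $(echo "my-jdbc-password" | roundtrip_bytes "$dir/key-exact") bytes"
        echo "via printf: $(printf '%s' "my-jdbc-password" | roundtrip_bytes "$dir/key-exact") bytes"
    fi
    rm -rf "$dir"
}

demo
```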
