
[JBoss] Keystore generated by Wildfly is not readable

Discussion in 'StackOverflow' started by Stack, September 24, 2021.

  1. Stack

    Stack Participating Member

    I'm using Wildfly 19.1 with Bouncycastle upgraded to version 1.69.

    I have this configuration:

    <security-realm name="SslRealm">
        <server-identities>
            <ssl>
                <engine enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" enabled-protocols="TLSv1.2"/>
                <keystore provider="jks" path=".keystoreFile" relative-to="jboss.server.config.dir" keystore-password="${keystorePassword}" alias="tomcat" key-password="${keystorePassword}" generate-self-signed-certificate-host="localhost"/>
            </ssl>
        </server-identities>
    </security-realm>


    ${keystorePassword} is defined in the <system-properties>. There are no special characters in the password or anything.

    The SslRealm is then used in the https-listener configuration. The result is that a keystore is generated on the first https access to the server, and everything works just fine. However, when I stop the server and start it again, I'm getting:

    2021-09-15 18:42:26,094 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.core.management.security.realm.SslRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.SslRealm.key-manager: Failed to start service
    at org.jboss.msc@1.4.11.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1731)
    at org.jboss.msc@1.4.11.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
    at java.base/java.lang.Thread.run(Thread.java:829)
    Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain-management@11.1.1.Final//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:179)
    at org.jboss.as.domain-management@11.1.1.Final//org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:128)
    at org.jboss.as.domain-management@11.1.1.Final//org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:93)
    at org.jboss.msc@1.4.11.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
    at org.jboss.msc@1.4.11.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
    ... 6 more
    Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain-management@11.1.1.Final//org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:153)
    at org.jboss.as.domain-management@11.1.1.Final//org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:175)
    ... 10 more
    Caused by: java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2116)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243)
    at java.base/java.security.KeyStore.load(KeyStore.java:1479)
    at org.jboss.as.domain-management@11.1.1.Final//org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:112)
    ... 11 more
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 15 more


    Whether I'm using jks or pkcs12 for the provider, or just leave it out, doesn't matter. The keystore file also cannot be read by keytool from the command line: keytool error: java.io.IOException: keystore password was incorrect

    What am I doing wrong?

    Why is the error implying that Wildfly is attempting to load the keystore as pkcs12 if the provider in standalone.xml is set to jks? Are there other places in standalone.xml where the keystore provider would need to be set?

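The stack trace above shows the load going through `sun.security.util.KeyStoreDelegator` into `PKCS12KeyStore`: on JDK 9 and later the "JKS" keystore type is a dual-format delegator that first tries the JKS parser and, when the file does not carry the JKS magic, falls back to PKCS#12 (the default type `keytool` has generated since JDK 9). So a "keystore password was incorrect" from `PKCS12KeyStore` usually means the file on disk is not JKS at all, and the next useful step is to tell a format mismatch apart from a genuinely wrong password. The following is an added diagnostic example written for this page (not code from the poster, WildFly or the JDK): it sniffs the on-disk format from the leading bytes and, for JKS files, recomputes the keyed SHA-1 integrity digest that the JDK writes as the 20-byte trailer (SHA-1 over UTF-16BE(password) || "Mighty Aphrodite" || file body). The `build_empty_jks` helper and the PKCS#12 byte prefix are constructed test data; file names and passwords are placeholders.

```python
import hashlib
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
# Fixed string the JDK's JavaKeyStore mixes into the JKS integrity digest.
JKS_SALT = b"Mighty Aphrodite"


def sniff_keystore_format(data: bytes) -> str:
    """Classify a keystore file by its leading bytes.

    JKS and JCEKS start with a fixed 4-byte magic; a PKCS#12 file is a DER
    SEQUENCE, so its first byte is the tag 0x30.
    """
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack(">I", data[:4])[0]
    if magic == JKS_MAGIC:
        return "jks"
    if magic == JCEKS_MAGIC:
        return "jceks"
    if data[0] == 0x30:
        return "pkcs12"
    return "unknown"


def jks_integrity_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over UTF-16BE(password) || "Mighty Aphrodite" || body, as the JDK computes it."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # JDK feeds each char as two big-endian bytes
    md.update(JKS_SALT)
    md.update(body)
    return md.digest()


def verify_jks_password(data: bytes, password: str) -> bool:
    """Return True when `password` is the store password of a JKS file.

    The last 20 bytes of a JKS file are the keyed digest; a mismatch is what the
    JDK reports as "Keystore was tampered with, or password was incorrect".
    """
    if sniff_keystore_format(data) != "jks" or len(data) < 24:
        raise ValueError("not a JKS file")
    body, trailer = data[:-20], data[-20:]
    return jks_integrity_digest(body, password) == trailer


def build_empty_jks(password: str) -> bytes:
    """Construct a minimal, valid JKS file with zero entries (constructed test data)."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version 2, entry count 0
    return body + jks_integrity_digest(body, password)


def diagnose(data: bytes, configured_type: str, password: str) -> str:
    """Explain a keystore load failure: wrong format, or wrong password?"""
    actual = sniff_keystore_format(data)
    if actual != configured_type.lower():
        return f"format mismatch: configured {configured_type}, file looks like {actual}"
    if actual == "jks":
        return "password ok" if verify_jks_password(data, password) else "jks password incorrect"
    return f"{actual}: use a PKCS#12 parser (e.g. keytool -storetype PKCS12) to check the password"


if __name__ == "__main__":
    # Usage: python diagnose_keystore.py <keystore-file> <configured-type> <password>
    # (hypothetical file name; the WildFly config above would point at .keystoreFile)
    path, configured, pw = sys.argv[1], sys.argv[2], sys.argv[3]
    with open(path, "rb") as fh:
        print(diagnose(fh.read(), configured, pw))
```

If the tool reports a format mismatch for a file WildFly wrote while `provider="jks"` was configured, the fix is on the configuration side (match `provider` to the file actually on disk, or regenerate the store in the configured type), not on the password side; `keytool -list -keystore .keystoreFile -storetype PKCS12` is the equivalent manual check.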
