WildFly Elytron / ELY-1460

External CS, PKCS11 can't be configured with externalPath


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version: 1.2.0.Beta12
    • Affects Version: 1.2.0.Beta10
    • Component: KeyStores
    • Labels: None
    • Steps to Reproduce:
      • run EAP with PKCS11 FIPS java
      • /subsystem=elytron/credential-store=fips-credential-store:add(credential-reference={clear-text => pass123+}, create=true, modifiable=true, implementation-properties={keyStoreType => PKCS11, external => true, externalPath => /external/secure-data-file, keyAlias => my-key})
        {
            "outcome" => "failed",
            "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service.
            Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
            Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/eap-versions/7.1.0.CR2/jboss-eap-7.1/bin/fips-credential-store"}},
            "rolled-back" => true
        }
        
    • Workaround: Workaround Exists
    • Workaround Description:
      • use location instead of externalPath, because if external=true then externalPath defaults to location.
        /subsystem=elytron/credential-store=fips-credential-store:add(location => /external/secure-data-file, credential-reference={clear-text => pass123+}, create=true, modifiable=true, implementation-properties={keyStoreType => PKCS11, external => true, keyAlias => my-key})
        
      • create the location path manually; PKCS11 probably ignores it

      externalPath is the attribute intended for specifying the location of the external secret file. However, in the case of PKCS11 this cannot be achieved.

      10:53:03,403 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service.
      	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:954)
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:828)
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:214)
      	at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
      	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
      	... 5 more
      Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store
      	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
      	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
      	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
      	at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
      	at java.nio.file.Files.newByteChannel(Files.java:361)
      	at java.nio.file.Files.newByteChannel(Files.java:407)
      	at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
      	at java.nio.file.Files.newInputStream(Files.java:152)
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:943)
      	... 9 more
      
      10:53:03,409 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("credential-store" => "fips-credential-store")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service.
          Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
          Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store"}}
      

      The problem seems to be in this method:

      KeyStoreCredentialStore.java
          // Loads the key store holding the key that protects the external (JCEKS) secret file,
          // then initialises the external storage with it.
          private void setupExternalStorage(final String keyContainingKeyStoreType, final Path keyContainingKeyStoreLocation) throws CredentialStoreException {
              KeyStore keyContainingKeyStore = getKeyStoreInstance(keyContainingKeyStoreType);
              keyStore = getKeyStoreInstance("JCEKS");
              externalStorage = new ExternalStorage();
              try {
                  final char[] storePassword = getStorePassword(protectionParameter);
                  if (keyContainingKeyStoreLocation != null) {
                      // Non-null location: the key store is read from a file. This branch is also taken
                      // for PKCS11 once the subsystem has defaulted location to the store name, which is
                      // where the NoSuchFileException in the trace above is thrown (line 943).
                      try (InputStream is = Files.newInputStream(keyContainingKeyStoreLocation)) {
                          keyContainingKeyStore.load(is, storePassword);
                      }
                  } else {
                      // keystore without file (e.g. PKCS11): load from the provider with no stream
                      synchronized (EmptyProvider.getInstance()) {
                          keyContainingKeyStore.load(null, storePassword);
                      }
                  }
                  externalStorage.init(cryptographicAlgorithm, encryptionKeyAlias, keyContainingKeyStore, storePassword, keyStore);
              } catch (IOException | GeneralSecurityException e) {
                  // Both the missing file and any key store failure surface as ELY09514 (line 954)
                  throw log.cannotInitializeCredentialStore(e);
              }
          }
      

      Although location is not specified in the CLI command, keyContainingKeyStoreLocation is not null: when location is not specified it defaults to the name of the credential store, in this case fips-credential-store (this default is applied in the elytron subsystem).
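      As an added illustration (not Elytron's code and not the fix shipped for this issue), the following loader decides by key store type whether a file is opened at all, so a location that the subsystem defaulted to the store name is ignored for PKCS11 instead of being passed to Files.newInputStream. The class name, the isFileless helper and the sample "fips-credential-store" path are assumptions.

```java
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
public class KeyContainingKeyStoreLoader {
    // Assumption: PKCS11 is the only file-less type handled here; its keys live in the token.
    static boolean isFileless(String keyStoreType) {
        return "PKCS11".equalsIgnoreCase(keyStoreType);
    }
    // Loads the key-containing key store. For a file-less type the location
    // (possibly defaulted to the store name, possibly non-existent) is ignored.
    static KeyStore load(String keyStoreType, Path location, char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        if (isFileless(keyStoreType) || location == null) {
            ks.load(null, storePassword);
        } else {
            try (InputStream is = Files.newInputStream(location)) {
                ks.load(is, storePassword);
            }
        }
        return ks;
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "pass123+".toCharArray();
        // File-based type: write an empty JCEKS store to a temp file and load it back.
        Path tmp = Files.createTempFile("key-containing", ".jceks");
        KeyStore jceks = KeyStore.getInstance("JCEKS");
        jceks.load(null, pw);
        try (OutputStream os = Files.newOutputStream(tmp)) { jceks.store(os, pw); }
        System.out.println("JCEKS entries: " + load("JCEKS", tmp, pw).size());
        // File-less type with a constructed, non-existent location that mirrors
        // the subsystem default (the credential store name).
        Path defaulted = Paths.get("fips-credential-store");
        try {
            load("PKCS11", defaulted, pw);
            System.out.println("PKCS11 loaded without opening " + defaulted);
        } catch (KeyStoreException e) {
            // No SunPKCS11 provider on this JVM; Files.newInputStream(defaulted) was never attempted.
            System.out.println("No PKCS11 provider: " + e.getMessage());
        }
    }
}
```

      On a JVM without a configured SunPKCS11 provider the second case reports the missing provider rather than a NoSuchFileException for the defaulted path, which is the behaviour the report above is missing.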

              rhn-support-ivassile Ilia Vassilev