- Bug
- Resolution: Done
- Critical
- 1.2.0.Beta10
- None
- Workaround Exists
externalPath is intended to specify the location of the external secret file. However, in the case of PKCS11 this can't be achieved.
10:53:03,403 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service.
    at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
    at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:954)
    at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:828)
    at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:214)
    at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
    at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
    ... 5 more
Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store
    at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
    at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
    at java.nio.file.Files.newByteChannel(Files.java:361)
    at java.nio.file.Files.newByteChannel(Files.java:407)
    at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
    at java.nio.file.Files.newInputStream(Files.java:152)
    at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:943)
    ... 9 more

10:53:03,409 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "elytron"), ("credential-store" => "fips-credential-store") ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service. Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store"}}
The problem seems to be in the method setupExternalStorage in KeyStoreCredentialStore.java:

    private void setupExternalStorage(final String keyContainingKeyStoreType, final Path keyContainingKeyStoreLocation) throws CredentialStoreException {
        KeyStore keyContainingKeyStore = getKeyStoreInstance(keyContainingKeyStoreType);
        keyStore = getKeyStoreInstance("JCEKS");
        externalStorage = new ExternalStorage();
        try {
            final char[] storePassword = getStorePassword(protectionParameter);
            if (keyContainingKeyStoreLocation != null) {
                // file-based key store: the defaulted location lands here and Files.newInputStream fails (NoSuchFileException above)
                try (InputStream is = Files.newInputStream(keyContainingKeyStoreLocation)) {
                    keyContainingKeyStore.load(is, storePassword);
                }
            } else {
                // keystore without file (e.g. PKCS11)
                synchronized (EmptyProvider.getInstance()) {
                    keyContainingKeyStore.load(null, storePassword);
                }
            }
            externalStorage.init(cryptographicAlgorithm, encryptionKeyAlias, keyContainingKeyStore, storePassword, keyStore);
        } catch (IOException | GeneralSecurityException e) {
            throw log.cannotInitializeCredentialStore(e);
        }
    }
Although location is not specified in the CLI command, keyContainingKeyStoreLocation is not null, because once location is not specified it becomes the name of the CS, in this case fips-credential-store (this default is in the elytron subsystem).
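As an added illustration (not WildFly Elytron's own code, and not the change that resolved this issue), the standalone Java program below models the defaulting described above and the key-store-type check that keeps a PKCS11 key store out of the file branch. The method names (resolveAsReported, resolveWithTypeCheck, loadKeyContainingKeyStore) and the FILELESS_TYPES set are assumptions; JCEKS stands in for PKCS11 in the demonstration so it runs without a token, and the password and store name are constructed sample values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Locale;
import java.util.Set;

public class ExternalStoreLocationExample {

    // Assumption: PKCS11 is the only non-file-based key store type the report names.
    static final Set<String> FILELESS_TYPES = Set.of("PKCS11");

    static boolean isFileBased(String keyStoreType) {
        return keyStoreType == null
                || !FILELESS_TYPES.contains(keyStoreType.toUpperCase(Locale.ROOT));
    }

    /** Defaulting as reported: a missing location silently becomes the credential store name. */
    static Path resolveAsReported(String location, String credentialStoreName) {
        return Paths.get(location != null ? location : credentialStoreName);
    }

    /** Hypothetical rule: default only for file-based types; a PKCS11 store must resolve to null. */
    static Path resolveWithTypeCheck(String keyStoreType, String location, String credentialStoreName) {
        if (!isFileBased(keyStoreType)) {
            if (location != null) {
                throw new IllegalArgumentException(
                        "location must not be set for non-file-based key store type " + keyStoreType);
            }
            return null;
        }
        return resolveAsReported(location, credentialStoreName);
    }

    /** Same branch shape as setupExternalStorage: a path means "open a file", null means "load from the provider". */
    static KeyStore loadKeyContainingKeyStore(String keyStoreType, Path location, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        if (location != null) {
            try (InputStream in = Files.newInputStream(location)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String csName = "fips-credential-store";   // constructed sample name
        char[] pw = "secret".toCharArray();         // constructed sample password

        // Reported behaviour: with no location given, the CS name becomes the path,
        // the file branch is taken, and NoSuchFileException follows (JCEKS stands in for PKCS11).
        Path defaulted = resolveAsReported(null, csName);
        try {
            loadKeyContainingKeyStore("JCEKS", defaulted, pw);
            throw new AssertionError("expected NoSuchFileException for " + defaulted);
        } catch (NoSuchFileException expected) {
            System.out.println("reported failure reproduced: " + expected.getMessage());
        }

        // Type-aware resolution: PKCS11 gets no path, file-based types still get the default.
        if (resolveWithTypeCheck("PKCS11", null, csName) != null) {
            throw new AssertionError("PKCS11 must not receive a default location");
        }
        if (!resolveWithTypeCheck("JCEKS", null, csName).equals(Paths.get(csName))) {
            throw new AssertionError("file-based type should still default to the CS name");
        }

        // With a null location the provider-backed branch is taken; for JCEKS a null stream
        // yields an empty in-memory store, which is the same call shape a PKCS11 token needs.
        KeyStore empty = loadKeyContainingKeyStore("JCEKS", null, pw);
        System.out.println("null-location load succeeded, entries: " + empty.size());
    }
}
```

Run with `javac ExternalStoreLocationExample.java && java ExternalStoreLocationExample` (Java 9 or later for `Set.of`) from a directory that contains no file named fips-credential-store. The point of the check is that whoever applies the name-as-location default must know the key store type; applying it blindly turns a non-file-based store into an attempted file open.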
- causes: ELY-1576 Wildfly Elytron Tool, location is required even for non-filebased type e.g. PKCS11 (Resolved)
- clones: JBEAP-13441 (7.1.z) External CS, PKCS11 can't be configured with externalPath (Closed)
- is blocked by: WFCORE-3458 External CS, PKCS11 can't be configured with externalPath (Resolved)