Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2457

Swallowed exception in KeyStoreCredentialStore.flush

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Minor Minor
    • 2.2.0.Final
    • 1.20.2.Final
    • Credential Store
    • None
    • Hide

      Follow the documentation to configure FIPS in jdk-8. But when creating the key do not create it AES:

      $JAVA_HOME/bin/keytool -genseckey -alias my-key -storetype PKCS11

      After that when creating the credential-store you will see the external is never created but no error is displayed:

      /subsystem=elytron/credential-store=cs:add(implementation-properties={keyStoreType => PKCS11, external => true, keyAlias => my-key, externalPath => /path/to/external.cs}, modifiable=true, credential-reference={clear-text=XXXX}, create=true)
{"outcome" => "success"}
/subsystem=elytron/credential-store=cs:add-alias(alias=alias, secret-value=supersecret)
{"outcome" => "success"}
/subsystem=elytron/credential-store=cs:read-aliases
{
    "outcome" => "success",
    "result" => ["alias"]
}
reload
/subsystem=elytron/credential-store=cs:read-aliases
{
    "outcome" => "success",
    "result" => []
}

      After the reload the cs has no aliases because the external file was never created/written.

      Show
      Follow the documentation to configure FIPS in jdk-8. But when creating the key do not create it AES: $JAVA_HOME/bin/keytool -genseckey -alias my-key -storetype PKCS11 After that when creating the credential-store you will see the external is never created but no error is displayed: /subsystem=elytron/credential-store=cs:add(implementation-properties={keyStoreType => PKCS11, external => true , keyAlias => my-key, externalPath => /path/to/external.cs}, modifiable= true , credential-reference={clear-text=XXXX}, create= true ) { "outcome" => "success" } /subsystem=elytron/credential-store=cs:add-alias(alias=alias, secret-value=supersecret) { "outcome" => "success" } /subsystem=elytron/credential-store=cs:read-aliases { "outcome" => "success" , "result" => [ "alias" ] } reload /subsystem=elytron/credential-store=cs:read-aliases { "outcome" => "success" , "result" => [] } After the reload the cs has no aliases because the external file was never created/written.

      KeyStoreCredentialStore class in the flush method swallows the exception if the cancel method works successfully. The result is that the flush finishes successfully although the file was not written.

      In my case I was testing NSS FIPS with external storage like in the documentation but I created a key that was not AES, so the exception was swallowed and the external file not created. After a reboot the alias was lost.

      After adding the throw again the error in the server is the following:

      14:51:35,677 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add-alias") failed - address: ([
    ("subsystem" => "elytron"),
    ("credential-store" => "cs")
]) - failure description: "WFLYELY00009: Unable to complete operation. 'ELY09513: Unable to flush credential store to storage->Key algorithm must be AES'"

              rhn-support-rmartinc Ricardo Martin Camarero
              rhn-support-rmartinc Ricardo Martin Camarero
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: