Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11821

Alias from dependent credential store is not avalaible on server start

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.1.0.CR1
    • 7.1.0.ER1
    • Security
    • None
    • Hide 
      git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-security.git
cd tests-security/fips

./build-fips.sh clean test   -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta28-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.GA-maven-repository/maven-repository   -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.ER2.2.zip   -Dfips.java.home=/usr/java/jdk1.8.0_66_fips_mode/jre -fae -Dmaven.test.failure.ignore=true -Dtest=ExternalCsTestCase -DtestLogToFile=false

      To prepare maven.repo.local

      wget http://download-ipv4.eng.brq.redhat.com/devel/candidates/JBEAP/JBEAP-7.1.0-ER2.2/jboss-eap-7.1.0.ER2.2-testsuite-local-repository.zip

unzip jboss-eap-7.1.0.ER2.2-maven-repository.zip
unzip jboss-eap-7.1.0.ER2.2-testsuite-local-repository.zip

cp -r -v eap-local-maven-repository jboss-eap-7.1.0.GA-maven-repository/maven-repository/
      Show
      git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-security.git cd tests-security/fips ./build-fips.sh clean test -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta28-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.ER2.2.zip -Dfips.java.home=/usr/java/jdk1.8.0_66_fips_mode/jre -fae -Dmaven.test.failure.ignore= true -Dtest=ExternalCsTestCase -DtestLogToFile= false To prepare maven.repo.local wget http: //download-ipv4.eng.brq.redhat.com/devel/candidates/JBEAP/JBEAP-7.1.0-ER2.2/jboss-eap-7.1.0.ER2.2-testsuite-local-repository.zip unzip jboss-eap-7.1.0.ER2.2-maven-repository.zip unzip jboss-eap-7.1.0.ER2.2-testsuite-local-repository.zip cp -r -v eap-local-maven-repository jboss-eap-7.1.0.GA-maven-repository/maven-repository/

      Testing BouncyCastle external store. Intermittently (25% in lab, 0% locally) it happens alias from dependent credential store is not avalaible on server start.

      15:17:33,317 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service.
	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:921)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:930)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:821)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:213)
	at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
	... 5 more
Caused by: java.security.KeyStoreException: BCFKS not found
	at java.security.KeyStore.getInstance(KeyStore.java:851)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:919)
	... 10 more
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
	at java.security.Security.getImpl(Security.java:695)
	at java.security.KeyStore.getInstance(KeyStore.java:848)
	... 11 more

      Could that be problem of "late" required service start?

      Although, I don't see similar problem with default JKES credential store, neither PKCS11 external credential store. PKCS11 store is however special case, because is loaded once per jvm.

      Could that be problem of external credential store with file based keystore?

      [1] https://jenkins.hosts.mwqe.eng.bos.redhat.com/hudson/view/EAP7/view/EAP7-Security/view/EAP-7.x-FIPS-mode/job/eap-7x-security-fips-matrix/163/testReport/

              jkalina@redhat.com Jan Kalina (Inactive)
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: