JBoss Enterprise Application Platform / JBEAP-13842

[GSS](7.0.z) ERROR in logs while using vault in system properties


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor
    • 7.0.10.GA
    • 7.0.6.GA

      (1) set up the vault

      (2) set the javax.net.ssl.trustStorePassword property in the system-properties using the password from the vault. This would look like (in standalone*.xml/domain.xml):

      <system-properties>
              <property name="javax.net.ssl.trustStore" value="/home/jboss-eap-7.1/vault/vault.keystore"/>
              <property name="javax.net.ssl.trustStorePassword" value="${VAULT::datasource::password::1}"/>
      </system-properties>
      
      <vault>
        <vault-option name="KEYSTORE_URL" value="/home/jboss-eap-7.1/vault/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-2GAtdnlXL8H"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="44"/>
        <vault-option name="ENC_FILE_DIR" value="/home/jboss-eap-7.1/vault/"/>
      </vault>
      

      Getting the below ERROR message in server.log when PicketBox Vault expressions are used in system properties:

      ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0230: Vault is not initialized; resolution of vault expressions is not possible
      

      The expressions below resolve fine, but due to a race condition this ERROR message is printed in the logs.

      <system-properties>
              <property name="javax.net.ssl.trustStore" value="/home/jboss-eap-7.1/vault/vault.keystore"/>
              <property name="javax.net.ssl.trustStorePassword" value="${VAULT::datasource::password::1}"/>
      </system-properties>
      
      <vault>
        <vault-option name="KEYSTORE_URL" value="/home/jboss-eap-7.1/vault/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-2GAtdnlXL8H"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12345678"/>
        <vault-option name="ITERATION_COUNT" value="44"/>
        <vault-option name="ENC_FILE_DIR" value="/home/jboss-eap-7.1/vault/"/>
      </vault>
      

      The expression is actually resolving to the correct value, and that can be checked using the below CLI command:

      /core-service=platform-mbean/type=runtime:read-attribute(name=system-properties)
      

      Also please note:

      (1) this error occurs both for standalone server (standalone*.xml case) and domain mode (domain.xml), and for domain mode the error occurs even when the boot-time system property is set to false

      (2) this was tested for EAP 7.0 using CP5, CP6, CP7, CP8 and it works as expected with CP5 but the bug starts in EAP 7.0.6 (CP6).

      (3) referring to (2) above, it is possible that this bug may have been caused by the CP6 vault fix for: https://issues.jboss.org/browse/JBEAP-8247

      (4) please note that this bug is carried forward to EAP 7.1 Beta as per: https://issues.jboss.org/browse/JBEAP-13116

              chaowan@redhat.com Chao Wang
              rhn-support-ialex Ian Alex (Inactive)
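
One way to triage the situation described in this report, added here as an example and not code from the reporter or from JBoss: it checks whether WFLYSRV0230 lines in a server.log coincide with a configuration file that has vault expressions inside system-properties and a vault element, which is the shape the report describes. The function names, verdict labels and sample input are constructed for illustration, and it assumes both elements live in the one file it is given.

```python
import re
import xml.etree.ElementTree as ET

# Added example: names and verdict labels are this example's own, not JBoss APIs.
# Expression shape taken from the report: ${VAULT::<block>::<attribute>::<shared key>}
VAULT_EXPR = re.compile(r"\$\{VAULT::([^:}]+)::([^:}]+)::([^:}]+)\}")
ERROR_ID = "WFLYSRV0230"

def local(tag):  # strip an XML namespace so real standalone*.xml/domain.xml files match
    return tag.rsplit("}", 1)[-1]

def vault_system_properties(config_xml):
    """Return (property name, vault block, attribute) for each system property
    whose value is a vault expression, plus whether a <vault> element exists."""
    root = ET.fromstring(config_xml)
    hits, has_vault = [], False
    for elem in root.iter():
        has_vault = has_vault or local(elem.tag) == "vault"
        if local(elem.tag) != "system-properties":
            continue
        for prop in elem:
            m = VAULT_EXPR.fullmatch(prop.get("value", "").strip())
            if local(prop.tag) == "property" and m:
                hits.append((prop.get("name"), m.group(1), m.group(2)))
    return hits, has_vault

def triage(config_xml, log_lines):
    """Classify WFLYSRV0230 errors: 'matches-report' when the config has the
    shape described in the report, otherwise 'investigate'."""
    errors = [line for line in log_lines if ERROR_ID in line and "ERROR" in line]
    if not errors:
        return "no-error", []
    hits, has_vault = vault_system_properties(config_xml)
    verdict = "matches-report" if hits and has_vault else "investigate"
    return verdict, [name for name, _, _ in hits]

# Constructed sample input, reduced from the configuration in the report.
SAMPLE_CONFIG = """<server xmlns="urn:example:constructed">
  <system-properties>
    <property name="javax.net.ssl.trustStore" value="/home/jboss-eap-7.1/vault/vault.keystore"/>
    <property name="javax.net.ssl.trustStorePassword" value="${VAULT::datasource::password::1}"/>
  </system-properties>
  <vault><vault-option name="KEYSTORE_ALIAS" value="vault"/></vault>
</server>"""
SAMPLE_LOG = ["ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0230: "
              "Vault is not initialized; resolution of vault expressions is not possible"]

if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, SAMPLE_LOG))
```

A "matches-report" verdict only says the configuration has the shape from the report; the CLI check quoted in the report is still what confirms the expression resolved. That command's output contains the resolved trust store password, so keep it out of tickets and shared logs.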