Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-13978

(7.1.z) External CS, PKCS11 can't be configured with externalPath (WFCORE)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 7.1.3.CR1, 7.1.3.GA
    • 7.1.0.CR4
    • Security
    • None
    • Documentation (Ref Guide, User Guide, etc.)
    • CR1
    • Workaround Exists
    • Hide
      • use location instead of externalPath. Because if external=true then externalPath defaults to location. 
        /subsystem=elytron/credential-store=fips-credential-store:add(location => /external/secure-data-file, credential-reference={clear-text => pass123+}, create=true, modifiable=true, implementation-properties={keyStoreType => PKCS11, external => true, keyAlias => my-key})
      • create location path manually. PKCS11 probably ignores this
      Show
      use location instead of externalPath. Because if external=true then externalPath defaults to location. /subsystem=elytron/credential-store=fips-credential-store:add(location => /external/secure-data-file, credential-reference={clear-text => pass123+}, create= true , modifiable= true , implementation-properties={keyStoreType => PKCS11, external => true , keyAlias => my-key}) create location path manually. PKCS11 probably ignores this
    • Hide
      • run EAP with PKCS11 FIPS java
      • /subsystem=elytron/credential-store=fips-credential-store:add(credential-reference={clear-text => pass123+}, create=true, modifiable=true, implementation-properties={keyStoreType => PKCS11, external => true, externalPath => /external/secure-data-file, keyAlias => my-key})
{
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service.
    Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
    Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/eap-versions/7.1.0.CR2/jboss-eap-7.1/bin/fips-credential-store"}},
    "rolled-back" => true
}
      Show
      run EAP with PKCS11 FIPS java /subsystem=elytron/credential-store=fips-credential-store:add(credential-reference={clear-text => pass123+}, create= true , modifiable= true , implementation-properties={keyStoreType => PKCS11, external => true , externalPath => /external/secure-data-file, keyAlias => my-key}) { "outcome" => "failed" , "failure-description" => { "WFLYCTL0080: Failed services" => { "org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service. Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/eap-versions/7.1.0.CR2/jboss-eap-7.1/bin/fips-credential-store"}}, "rolled-back" => true }
    • EAP 7.1.3

      To specify external secret file location externalPath is intended. However in case of PKCS11 it can't be achieved.

      10:53:03,403 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service.
	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:954)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:828)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:214)
	at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
	... 5 more
Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store
	at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
	at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
	at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
	at java.nio.file.Files.newByteChannel(Files.java:361)
	at java.nio.file.Files.newByteChannel(Files.java:407)
	at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
	at java.nio.file.Files.newInputStream(Files.java:152)
	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:943)
	... 9 more

10:53:03,409 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("credential-store" => "fips-credential-store")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store.fips-credential-store" => "WFLYELY00004: Unable to start the service.
    Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
    Caused by: java.nio.file.NoSuchFileException: /home/mchoma/workspace/git-repositories/tests-security/fips/fips-credential-store"}}

      Problem seems to be in method

      KeyStoreCredentialStore.java
          private void setupExternalStorage(final String keyContainingKeyStoreType, final Path keyContainingKeyStoreLocation) throws CredentialStoreException {
        KeyStore keyContainingKeyStore = getKeyStoreInstance(keyContainingKeyStoreType);
        keyStore = getKeyStoreInstance("JCEKS");
        externalStorage = new ExternalStorage();
        try {
            final char[] storePassword = getStorePassword(protectionParameter);
            if (keyContainingKeyStoreLocation != null) {
                try (InputStream is = Files.newInputStream(keyContainingKeyStoreLocation)) {
                    keyContainingKeyStore.load(is, storePassword);
                }
            } else {
                // keystore without file (e.g. PKCS11)
                synchronized (EmptyProvider.getInstance()) {
                    keyContainingKeyStore.load(null, storePassword);
                }
            }
            externalStorage.init(cryptographicAlgorithm, encryptionKeyAlias, keyContainingKeyStore, storePassword, keyStore);
        } catch(IOException | GeneralSecurityException e) {
            throw log.cannotInitializeCredentialStore(e);
        }
    }

      Although location is not specified in CLI command keyContainingKeyStoreLocation is not null. Because once location is not specified it becomes name of CS, in this case fips-credential-store (This default is in elytron subsystem).

            rhn-support-ivassile Ilia Vassilev
            rhn-support-ivassile Ilia Vassilev
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: