JBoss Enterprise Application Platform
JBEAP-32307

[GSS](8.0.z) jdr.sh fails to start embedded server when Elytron encrypted expressions is used in system-properties


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • 8.0 Update 11
    • JDR, Security
    • Workaround:

      When executing jdr.sh, specify the active management interface host and port explicitly. This allows it to connect to the running instance instead of relying on the embedded server:

      $ ./bin/jdr.sh -H <management_ip> -p <management_port>
      

      Note: As this workaround requires a running JBoss EAP instance in order to gather the JDR report, jdr.sh cannot be executed when the JBoss EAP instance is stopped.


      Steps to Reproduce:

      1. Configure a `credential-store` and an `expression-resolver` in the Elytron subsystem using JBoss CLI.

      example JBoss CLI commands
      /subsystem=elytron/secret-key-credential-store=examplePropertiesCredentialStore:add(path=example-credential-store.jceks,relative-to=jboss.server.config.dir)
      /subsystem=elytron/secret-key-credential-store=examplePropertiesCredentialStore:export-secret-key(alias=key)
      /subsystem=elytron/expression=encryption:add(resolvers=[{name=example-resolver, credential-store=examplePropertiesCredentialStore, secret-key=key}])
      
      example elytron config
      <subsystem xmlns="urn:wildfly:elytron:18.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
          ...(snip)...
          <credential-stores>
              <secret-key-credential-store name="examplePropertiesCredentialStore" relative-to="jboss.server.config.dir" path="example-credential-store.jceks"/>
          </credential-stores>
          <expression-resolver>
              <resolver name="example-resolver" credential-store="examplePropertiesCredentialStore" secret-key="key"/>
          </expression-resolver>
          ...(snip)...
      

      2. Define a system property in "standalone.xml" using an encrypted expression from that store:

      example JBoss CLI commands
      /subsystem=elytron/expression=encryption:create-expression(resolver=example-resolver,clear-text=MyPassword)
      /system-property=example.encrypted.password:add(value="${ENC::example-resolver:RUxZAUMQ...(generated_encrypted_value)...}")
      
      example system properties config
          <system-properties>
              <property name="example.encrypted.password" value="${ENC::example-resolver:RUxZAUMQ...(generated_encrypted_value)...}"/>
          </system-properties>
      

      3. Ensure the JBoss EAP instance is either stopped or the management interface is not listening on the default localhost:9990.

      4. Run "./bin/jdr.sh" without specifying host/port (forcing the use of an embedded server).

      Actual Results:
      The embedded server fails to boot with the following error messages:

      ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("system-property" => "javax.net.ssl.keyStorePassword")]) - failure description: "WFLYELY01209: Unable to initialize CredentialStore examplePropertiesCredentialStore -- WFLYELY00924: Unable to create immediately available credential store."
      FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. - Server configuration file in use: standalone.xml
      

      Expected Results:
      The embedded server should be able to initialize the necessary Elytron services (Credential Store) to resolve system properties and successfully generate the JDR report, even when the main server is offline.


      When executing "jdr.sh" on a JBoss EAP 8 instance where system properties (e.g., "javax.net.ssl.keyStorePassword") are defined using Elytron encrypted expressions ("${ENC::...}"), the tool fails to generate a report if it cannot connect to a running server.

      In such cases, "jdr.sh" attempts to launch an internal *embedded server* to process the request. However, the embedded server fails during the boot process because it cannot initialize the CredentialStore required to resolve the encrypted expressions in the system-properties section.
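
      A pre-flight check for the condition this issue describes, added here as an example and not part of JBoss EAP or the jdr tool: it scans the <system-properties> section of a configuration file for ${ENC::...} expressions and, when any are present, emits the jdr.sh invocation that targets the running instance instead of the embedded server. The configuration path, management host and port are assumptions.

```shell
#!/bin/sh
# Added example (not part of JBoss EAP or jdr.sh): pre-flight check for the condition in
# JBEAP-32307. If <system-properties> in the server configuration contains an Elytron
# encrypted expression (${ENC::...}), the embedded server started by jdr.sh cannot boot,
# so the report must be gathered from a running instance with -H/-p.

# Returns 0 when the configuration file defines at least one system property whose
# value is an Elytron encrypted expression, 1 otherwise (including an unreadable file).
has_encrypted_system_property() {
    config="$1"
    [ -r "$config" ] || return 1
    # Only inspect <system-properties>...</system-properties>; the same expression
    # syntax elsewhere in the file is not what this issue is about.
    awk '
        /<system-properties>/   { inside = 1 }
        /<\/system-properties>/ { inside = 0 }
        inside && /<property / && index($0, "${ENC::") > 0 { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$config"
}

# Prints the jdr.sh command line to use: explicit management host/port when encrypted
# system properties are present, the plain form (embedded server allowed) otherwise.
jdr_command() {
    config="$1"; host="$2"; port="$3"
    if has_encrypted_system_property "$config"; then
        printf '%s\n' "./bin/jdr.sh -H $host -p $port"
    else
        printf '%s\n' "./bin/jdr.sh"
    fi
}

# Constructed sample configuration, written to a temp file so the script runs offline.
# The encrypted value is a placeholder, not output of create-expression.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/jdr-preflight-sample-$$.xml"
cat > "$SAMPLE_CONFIG" <<'EOF'
<server>
    <system-properties>
        <property name="example.plain" value="plain-value"/>
        <property name="example.encrypted.password" value="${ENC::example-resolver:PLACEHOLDER}"/>
    </system-properties>
</server>
EOF

# Host and port are assumptions; substitute the real management interface values.
jdr_command "$SAMPLE_CONFIG" 127.0.0.1 9990
```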

      Assignee: Unassigned
      Reporter: Masafumi Miura (rhn-support-mmiura)