Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2879

UnrecoverableKeyException: Cannot recover key when using Credential Reference

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.0.Beta24
    • None
    • Security
    • None

      Unable to configure ssl using credential reference.

      Unable to find source-code formatter for language: server.log. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      08:00:24,687 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ManagementWebRealmCr.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ManagementWebRealmCr.key-manager: WFLYDM0018: Unable to start service
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:91)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.security.UnrecoverableKeyException: Cannot recover key
      	at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
      	at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
      	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
      	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
      	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
      	at java.security.KeyStore.getKey(KeyStore.java:1023)
      	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
      	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
      	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:136)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
      	... 5 more
      
      08:00:24,692 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443
      08:00:24,696 INFO  [org.jboss.ws.common.management] (MSC service thread 1-4) JBWS022052: Starting JBossWS 5.1.8.Final-redhat-1 (Apache CXF 3.1.11.redhat-1) 
      08:00:24,702 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("core-service" => "management"),
          ("security-realm" => "ManagementWebRealmCr")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.core.management.security.realm.ManagementWebRealmCr.key-manager" => "WFLYDM0018: Unable to start service
          Caused by: java.security.UnrecoverableKeyException: Cannot recover key"}}
      

      When I use key-password instead of key-password-credential-reference I am able to make it work.

      /core-service=management/security-realm=ManagementWebRealmCr/server-identity=ssl:add(keystore-path=server.keystore, keystore-relative-to=jboss.server.config.dir,keystore-password-credential-reference={clear-text=123456}, key-password=123456)
      

      Note, I also get UnrecoverableKeyException: Cannot recover key when I don't specify key-password nor key-password-credential-reference.

      /core-service=management/security-realm=ManagementWebRealmCr/server-identity=ssl:add(keystore-path=server.keystore, keystore-relative-to=jboss.server.config.dir,keystore-password-credential-reference={clear-text=123456})
      

      In legacy if key-password is ommitted keystore-password is used instead.

              jkalina@redhat.com Jan Kalina (Inactive)
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: