Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-4965

Error loading a PKCS12 keystore inside a security-realm when using a credential-reference

    Details

    • Steps to Reproduce:
      Hide
      • Create a PKCS12 keystore with a certificate (alias jboss).
      • Create a credential-store to get the password for the store:
      ./elytron-tool.sh credential-store --location ../standalone/configuration/sample-store.jceks --create --password XXXXX
      ./elytron-tool.sh credential-store --location ../standalone/configuration/sample-store.jceks --password XXXXX --add p12-password --secret YYYYY
      
      • Create the cred-store and the certificate security-realm obtaining the password from the cred-store:
      /subsystem=elytron/credential-store=sample-store:add(location="${jboss.server.config.dir}/sample-store.jceks", credential-reference={clear-text=XXXXX})
      /core-service=management/security-realm=CertificateRealm:add()
      /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias="jboss", keystore-path="${jboss.server.config.dir}/keystore.p12", keystore-password-credential-reference={store=sample-store, alias=p12-password})
      
      Show
      Create a PKCS12 keystore with a certificate (alias jboss ). Create a credential-store to get the password for the store: ./elytron-tool.sh credential-store --location ../standalone/configuration/sample-store.jceks --create --password XXXXX ./elytron-tool.sh credential-store --location ../standalone/configuration/sample-store.jceks --password XXXXX --add p12-password --secret YYYYY Create the cred-store and the certificate security-realm obtaining the password from the cred-store: /subsystem=elytron/credential-store=sample-store:add(location="${jboss.server.config.dir}/sample-store.jceks", credential-reference={clear-text=XXXXX}) /core-service=management/security-realm=CertificateRealm:add() /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias="jboss", keystore-path="${jboss.server.config.dir}/keystore.p12", keystore-password-credential-reference={store=sample-store, alias=p12-password})
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Hide
      • Define the security-realm with both references for keystore and for key (although they are the same, just define both of them). Like this:
      /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias="jboss", keystore-path="${jboss.server.config.dir}/keystore.p12", keystore-password-credential-reference={store=sample-store, alias=p12-password}, key-password-credential-reference={store=sample-store, alias=p12-password})
      
      • Do not use the alias option and let the server choose any certificate inside the realm.
      /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore.p12", keystore-password-credential-reference={store=sample-store, alias=p12-password})
      
      Show
      Define the security-realm with both references for keystore and for key (although they are the same, just define both of them). Like this: /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(alias="jboss", keystore-path="${jboss.server.config.dir}/keystore.p12", keystore-password-credential-reference={store=sample-store, alias=p12-password}, key-password-credential-reference={store=sample-store, alias=p12-password}) Do not use the alias option and let the server choose any certificate inside the realm. /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore.p12", keystore-password-credential-reference={store=sample-store, alias=p12-password})

      Description

      When using a security-realm configured with SSL like this:

      <security-realm name="CertificateRealm">
          <server-identities>
              <ssl>
                  <keystore provider="PKCS12" path="${jboss.server.config.dir}/keystore.p12" alias="jboss">
                      <keystore-password-credential-reference store="sample-store" alias="p12-password"/>
                  </keystore>
               </ssl>
          </server-identities>
      </security-realm>
      

      The EAP startup fails with the following exception:

      org.wildfly.core.management.security.realm.CertificateRealm.key-manager: Failed to start service
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1731)
      	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.NullPointerException: invalid null input
      	at java.security.KeyStore$PrivateKeyEntry.<init>(KeyStore.java:524)
      	at sun.security.pkcs12.PKCS12KeyStore.engineGetEntry(PKCS12KeyStore.java:1311)
      	at sun.security.provider.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:172)
      	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetEntry(JavaKeyStore.java:70)
      	at java.security.KeyStore.getEntry(KeyStore.java:1521)
      	at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:134)
      	at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:175)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:128)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:93)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
      	... 6 more
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  rhn-support-rmartinc Ricardo Martin Camarero
                  Reporter:
                  rhn-support-rmartinc Ricardo Martin Camarero
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: