Geronimo
GERONIMO-6310

Server cannot shut down or deploy when configured encryption and JMX security are enabled at the same time

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.1.7, 2.1.8, 3.0-M1, 3.0-beta-1
    • Fix Version/s: 2.1.8
    • Component/s: crypto
    • Security Level: public (Regular issues)
    • Patch Info: Patch Available

      Description

      1. Enable configured encryption and JMX security in config.xml
      2. Start the server
      3. Execute "deploy.bat --secure unlockKeystore geronimo-default" or "geronimo.bat stop --secure"; both fail:

      2012-03-26 13:30:03,344 ERROR [EditKeystoreHandler] Unable to unlock keystore geronimo-default for editing.
      org.apache.geronimo.management.geronimo.KeystoreException: Unable to open keystore with provided password
      at org.apache.geronimo.security.keystore.FileKeystoreInstance.loadKeystoreData(FileKeystoreInstance.java:664)
      at org.apache.geronimo.security.keystore.FileKeystoreInstance.ensureLoaded(FileKeystoreInstance.java:706)
      at org.apache.geronimo.security.keystore.FileKeystoreInstance.listTrustCertificates(FileKeystoreInstance.java:270)
      at org.apache.geronimo.console.keystores.BaseKeystoreHandler$KeystoreData.unlockEdit(BaseKeystoreHandler.java:252)
      at org.apache.geronimo.console.keystores.EditKeystoreHandler.actionAfterView(EditKeystoreHandler.java:69)
      at org.apache.geronimo.console.MultiPagePortlet.processAction(MultiPagePortlet.java:114)
      at org.apache.pluto.core.PortletServlet.dispatch(PortletServlet.java:218)
      at org.apache.pluto.core.PortletServlet.doPost(PortletServlet.java:145)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646)
      at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:551)
      at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:488)
      at org.apache.pluto.core.DefaultPortletInvokerService.invoke(DefaultPortletInvokerService.java:167)
      at org.apache.pluto.core.DefaultPortletInvokerService.action(DefaultPortletInvokerService.java:85)
      at org.apache.pluto.core.PortletContainerImpl.doAction(PortletContainerImpl.java:219)
      at org.apache.pluto.driver.PortalDriverServlet.doGet(PortalDriverServlet.java:121)
      at org.apache.pluto.driver.PortalDriverServlet.doPost(PortalDriverServlet.java:167)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.geronimo.console.filter.PlutoURLRebuildFilter.doFilter(PlutoURLRebuildFilter.java:48)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.geronimo.console.filter.XSSXSRFFilter.doFilter(XSSXSRFFilter.java:130)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.geronimo.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
      at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
      at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:589)
      at org.apache.geronimo.tomcat.valve.ThreadCleanerValve.invoke(ThreadCleanerValve.java:40)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:662)
      Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
      at java.security.KeyStore.load(KeyStore.java:1185)
      at org.apache.geronimo.security.keystore.FileKeystoreInstance.loadKeystoreData(FileKeystoreInstance.java:645)
      ... 45 more
      Caused by: java.security.UnrecoverableKeyException: Password verification failed
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
      ... 48 more

        Activity

        Saphen Qiu added a comment - edited

        This issue occurs when using the shutdown or deploy command with "--secure" and encrypting with the configured way. Checked that there is no other way to add the ConfiguredEncryption gbean to a global module.
        Thus I add ConfiguredEncryption code to the crypto package and involve it in EncryptionManager.
        To fix this issue, I also add a system property "-Dorg.apache.geronimo.security.encryption.keyfile" to support defining a keyfile; set this in JAVA_OPTS in the system variables, e.g. -Dorg.apache.geronimo.security.encryption.keyfile=D:\artifacts\wasce_ibm60sdk_setup-2.1.1.6-x86_64win\var\security\ConfiguredSecretKey.ser; the value must be an absolute path.

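An added Java illustration of the mechanism described in the comment above, written for this page rather than taken from Geronimo (the class, its method names, the raw-bytes keyfile layout and the base64 IV||ciphertext value format are all assumptions made here): it resolves the key from that system property, rejects a relative path, and shows why KeyStore.load() fails with the kind of exception in the description when the client JVM was started without the keyfile.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
// Hypothetical helper, not Geronimo's code: resolves the configured-encryption key from the system property.
public final class KeyfileCheck {
    static final String PROP = "org.apache.geronimo.security.encryption.keyfile";
    // Null when the property is unset; a relative path is rejected, as the comment above requires.
    static SecretKey loadConfiguredKey() throws IOException {
        String value = System.getProperty(PROP);
        if (value == null) return null;
        Path path = Paths.get(value);
        if (!path.isAbsolute()) throw new IllegalArgumentException(PROP + " must be absolute: " + value);
        return new SecretKeySpec(Files.readAllBytes(path), "AES");  // assumed keyfile layout: raw AES key bytes
    }
    // Constructed value format, not Geronimo's: base64(IV || AES-CBC ciphertext).
    static String encrypt(SecretKey key, String plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);                           // the provider picks a random IV
        byte[] iv = c.getIV(), ct = c.doFinal(plain.getBytes("UTF-8"));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Without a key the stored text is handed back unchanged and becomes the keystore password.
    static String resolvePassword(String stored) throws Exception {
        SecretKey key = loadConfiguredKey();
        if (key == null) return stored;
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(Arrays.copyOf(in, 16)));
        return new String(c.doFinal(in, 16, in.length - 16), "UTF-8");
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        Path keyfile = Files.createTempFile("ConfiguredSecretKey", ".ser");  // stands in for var/security/
        Files.write(keyfile, key.getEncoded());
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null, "keystore-pass".toCharArray());
        ByteArrayOutputStream bytes = new ByteArrayOutputStream(); ks.store(bytes, "keystore-pass".toCharArray());
        String stored = encrypt(key, "keystore-pass");                // the value config.xml would carry
        System.clearProperty(PROP);                                   // client JVM started without the keyfile
        try { ks.load(new ByteArrayInputStream(bytes.toByteArray()), resolvePassword(stored).toCharArray()); }
        catch (IOException e) { System.out.println("no keyfile: " + e.getMessage()); }  // wrong password
        System.setProperty(PROP, keyfile.toAbsolutePath().toString());
        ks.load(new ByteArrayInputStream(bytes.toByteArray()), resolvePassword(stored).toCharArray()); // unlocks
    }
}
```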
        Forrest Xia added a comment -

        Saphen, thank you for providing this patch, I've committed it into the 2.1 branch. Before we apply it to other branches and trunk, can we have a better solution for password encryption methods in Geronimo?

        After that, some documentation could help our users know how to use this feature.

        Thanks again!

        Ivan added a comment -

        Thanks for providing a patch, Saphen.
        I am thinking that we should not introduce the new dependency; also, it is better to remove the GBeanLifecycle things in the new class, and we need to update the existing class in geronimo-system to use the newly added class.

        Saphen Qiu added a comment -

        Made some improvements for ConfiguredEncryption:
        1. Remove some work from the previous ConfiguredEncryption (geronimo-system) gbean and move it to crypto's ConfiguredEncryption class.
        2. Remove the geronimo-system dependency from the crypto pom; no need to add this.

        Saphen Qiu added a comment -

        Make some updates

        Forrest Xia added a comment -

        Saphen, can you help make patches for 2.2 and 3.0-beta as well? thanks!

        Saphen Qiu added a comment -

        I see the code in 2.2 and 3.0-beta is the same, so I just created one patch for all.
        Thanks!

        Forrest Xia added a comment -

        This new patch includes some unnecessary code format changes; please make sure the patch includes only the code fix changes. The code format changes are unrelated to this issue fix.

        Saphen Qiu added a comment -

        Hi Forrest, thanks for helping me to review this patch, I have removed unnecessary code format changes and attached a new patch for this jira.

        Forrest Xia added a comment -

        Saphen, this patch only works for the 3.0-beta branch; please make them for 2.1 and 2.2 as well. Thanks!

        Saphen Qiu added a comment -

        Attached new patches separately for G2.1, 2.2 and 3.0-beta.

        Forrest Xia added a comment -

        Failed to apply the 2.1 patch:
        1. There are rejects.
        2. After resolving the rejects and compiling the code with unit tests, geronimo-system has a test failure.

        Saphen, can you help ensure those patches really work on your side by compiling and testing them? Anyway, thank you for the effort spent!


          People

          • Assignee: Saphen Qiu
          • Reporter: Saphen Qiu
          • Votes: 0
          • Watchers: 1