Description
When client authentication is enabled but no custom truststore is specified, the Gateway incorrectly assumes the master secret is the truststore password.
Steps to reproduce
- Create a custom TLS keystore for Knox with a custom keystore password (not the master secret)
- Specify the custom TLS keystore details in gateway-site.xml
  - gateway.tls.keystore.password.alias
  - gateway.tls.keystore.path
  - gateway.tls.keystore.type
  - gateway.tls.key.alias
  - gateway.tls.key.passphrase.alias (optional)
- Turn on client auth
  - gateway.client.auth.needed : true
- Create a password alias for the custom keystore using the Knox CLI
  - bin/knoxcli.sh create-alias gateway-identity-keystore-password --value <password>
- (Re)Start the Gateway
The Gateway will fail to start with the following error in gateway.log:
2019-03-04 11:03:15,921 FATAL knox.gateway (GatewayServer.java:main(168)) - Failed to start gateway: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.knox.gateway.services.security.impl.JettySSLService.loadKeyStore(JettySSLService.java:257)
    at org.apache.knox.gateway.services.security.impl.JettySSLService.buildSslContextFactory(JettySSLService.java:222)
    at org.apache.knox.gateway.GatewayServer.createConnector(GatewayServer.java:373)
    at org.apache.knox.gateway.GatewayServer.start(GatewayServer.java:520)
    at org.apache.knox.gateway.GatewayServer.startGateway(GatewayServer.java:308)
    at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:161)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
    at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
    at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
    at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
    at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 17 more
Solution
Look up the password for the truststore using the appropriate alias name, falling back to the master secret only if no alias is configured or the alias is not set.
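To show what the alias-first, master-secret-fallback lookup changes, here is an added illustration that is not Knox's own code: a constructed PKCS12 keystore protected by a custom password fails to load with the master secret (the IOException from the log above) and loads with the password resolved through the keystore's alias. The alias-service map and the gateway.tls.truststore.* property names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Map;

public class TruststorePasswordResolution {
    // Constructed stand-in for Knox's alias service (alias name -> password) and master secret.
    static final Map<String, char[]> ALIASES = Collections.singletonMap(
        "gateway-identity-keystore-password", "custom-keystore-pw".toCharArray());
    static final char[] MASTER_SECRET = "master-secret".toCharArray();
    // Resolve the truststore password as the solution describes: alias first, master
    // secret only when no alias is configured or set. With no custom truststore, client
    // auth reuses the identity keystore, so that keystore's password alias applies.
    // The gateway.tls.truststore.* property names are assumed, not taken from the issue.
    static char[] resolveTruststorePassword(Map<String, String> gatewaySite) {
        String alias = gatewaySite.get("gateway.tls.truststore.password.alias");
        if (alias == null && gatewaySite.get("gateway.tls.truststore.path") == null) {
            alias = gatewaySite.get("gateway.tls.keystore.password.alias");
        }
        char[] fromAlias = alias == null ? null : ALIASES.get(alias);
        return fromAlias != null ? fromAlias : MASTER_SECRET;
    }
    // Build an empty PKCS12 keystore protected by the given password (constructed sample).
    static byte[] buildKeystore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }
    // A wrong password surfaces as the IOException seen in gateway.log.
    static boolean loads(byte[] keystoreBytes, char[] password) throws Exception {
        try {
            KeyStore.getInstance("PKCS12").load(new ByteArrayInputStream(keystoreBytes), password);
            return true;
        } catch (IOException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] ks = buildKeystore(ALIASES.get("gateway-identity-keystore-password"));
        Map<String, String> site = Collections.singletonMap(
            "gateway.tls.keystore.password.alias", "gateway-identity-keystore-password");
        System.out.println("master secret loads keystore: " + loads(ks, MASTER_SECRET));
        System.out.println("alias-resolved password loads: " + loads(ks, resolveTruststorePassword(site)));
    }
}
```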
Issue Links
- is caused by KNOX-1756 Knox Gateway TLS Keystore and Alias Should be Configurable (Closed)