Apache NiFi / NIFI-3062

Provide better error message on startup if invalid length keystore password used in conjunction with PKCS12 keystore

    Description

      scottyaslan discovered an edge case introduced in NIFI-2943 – on a system without the JCE unlimited strength cryptographic jurisdiction policies installed, a PKCS12 keystore with a password longer than 7 characters will fail at start-up. Though this issue is captured when using the TLS Toolkit to generate a keystore (or a client certificate, which is stored in a PKCS12 keystore in order to include the private key), a user could have manually generated a PKCS12 keystore with a password longer than 7 characters using openssl but will not be able to use it in NiFi without installing the JCE USC policies.

      Example output from TLS toolkit in 128-bit mode:

      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔒 76s @ 19:48:16 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
      2016/11/17 19:48:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
      2016/11/17 19:48:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
      2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
      2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
      2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:                                     WARNING!!!!
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Unlimited JCE Policy is not installed which means we cannot utilize a
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: PKCS12 password longer than 7 characters.
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Autogenerated password has been reduced to 7 characters.
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Please strongly consider installing Unlimited JCE Policy at
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Another alternative is to add a stronger password with the openssl tool to the
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out '/tmp/CN=test.p12'
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -export -in '/tmp/CN=test.p12' -out '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm -f '/tmp/CN=test.p12'
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
      2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
      2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔒 28s @ 19:48:45 $
      

      Example output from TLS toolkit in 256-bit mode:

      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔒 320s @ 19:55:16 $ jce_unlimited
      Enabling JCE unlimited strength crypto policy
      /Users/alopresto/Desktop/security/unlimited/US_export_policy.jar -> /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./US_export_policy.jar
      /Users/alopresto/Desktop/security/unlimited/local_policy.jar -> /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./local_policy.jar
      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔓 235s @ 19:59:12 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
      2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
      2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
      2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
      2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
      2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 19:59:39 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
      2016/11/17 19:59:39 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
      hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto
      🔓 4s @ 19:59:40 $
      

      If the application is started in 128-bit mode with the keystore.p12 using a keystore password >= 8 characters, the following error will be printed in $NIFI_HOME/logs/nifi-app.log:

      org.apache.nifi.web.NiFiCoreException: Unable to start Flow Controller.
      	at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:93) ~[na:na]
      	at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:837) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:533) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:810) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:345) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1404) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1366) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:772) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:520) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:231) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.Server.start(Server.java:411) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.Server.doStart(Server.java:378) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675) [nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.apache.nifi.NiFi.<init>(NiFi.java:156) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.apache.nifi.NiFi.main(NiFi.java:262) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
      	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:52) ~[na:na]
      	... 28 common frames omitted
      Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
      	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	at org.apache.nifi.spring.StandardFlowServiceFactoryBean.getObject(StandardFlowServiceFactoryBean.java:48) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	... 34 common frames omitted
      Caused by: org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
      	at org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:106) ~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.apache.nifi.controller.FlowController.<init>(FlowController.java:440) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.apache.nifi.controller.FlowController.createStandaloneInstance(FlowController.java:375) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.apache.nifi.spring.FlowControllerFactoryBean.getObject(FlowControllerFactoryBean.java:74) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      	... 41 common frames omitted
      Caused by: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
      	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
      	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
      	at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
      	at org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:86) ~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	... 45 common frames omitted
      2016-11-17 18:35:17,830 INFO [main] /nifi-content-viewer No Spring WebApplicationInitializer types detected on classpath
      2016-11-17 18:35:17,833 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-content-viewer-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:17,836 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,AVAILABLE}
      2016-11-17 18:35:17,907 INFO [main] /nifi-docs No Spring WebApplicationInitializer types detected on classpath
      2016-11-17 18:35:17,909 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.w.WebAppContext@7585531b{/nifi-docs,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-docs-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:17,969 INFO [main] / No Spring WebApplicationInitializer types detected on classpath
      2016-11-17 18:35:17,972 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.w.WebAppContext@6fb8cfa7{/,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-error-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:17,990 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
      java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
      	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
      	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
      	at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
      	at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1027) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:333) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.server.Server.doStart(Server.java:390) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
      	at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675) ~[nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.apache.nifi.NiFi.<init>(NiFi.java:156) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      	at org.apache.nifi.NiFi.main(NiFi.java:262) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
      2016-11-17 18:35:17,991 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
      2016-11-17 18:35:17,996 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@464f12de{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
      2016-11-17 18:35:18,003 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@6fb8cfa7{/,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,006 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@7585531b{/nifi-docs,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,006 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,UNAVAILABLE}
      2016-11-17 18:35:18,010 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,011 INFO [Thread-1] o.a.n.w.c.ApplicationStartupContextListener Initiating shutdown of flow service...
      2016-11-17 18:35:18,018 WARN [Thread-1] o.a.n.w.c.ApplicationStartupContextListener Problem occurred ensuring flow controller or repository was properly terminated due to org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
      2016-11-17 18:35:18,018 INFO [Thread-1] /nifi-api Closing Spring root WebApplicationContext
      2016-11-17 18:35:18,075 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@814b60b{/nifi-api,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-api-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,206 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@5112b7{/nifi,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-ui-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,213 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@4fd80300{/nifi-update-attribute-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-update-attribute-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-update-attribute-ui-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,218 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@4baf997{/nifi-standard-content-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-standard-content-viewer-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,236 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@750cd36d{/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,239 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@3a0896b3{/nifi-image-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-media-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-image-viewer-1.1.0-SNAPSHOT.war}
      2016-11-17 18:35:18,241 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server shutdown completed (nicely or otherwise).
      

      We should catch the illegal key size exception and print a more helpful error message, as the toolkit does. We should also investigate if the recent change affected prior behavior by changing how BouncyCastle was used to handle keystores. Most users use JKS keystores, but some choose PKCS12. PKCS12 should be discouraged as a format for keystores and truststores in NiFi as it is overly complex and unnecessary.
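One way to implement the check proposed above, as an added example that is not NiFi's own code. The class and method names are hypothetical, the default JDK keystore provider is assumed rather than BouncyCastle, and the sample exception in `main` is constructed from the message in the stack trace above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.util.Optional;
import javax.crypto.Cipher;

// Added illustration, not NiFi source. All names here are hypothetical.
public class KeystoreStartupCheck {

    // Per the issue: without the unlimited JCE policy, a PKCS12 password
    // longer than 7 characters cannot be used.
    static final int MAX_LIMITED_PKCS12_PASSWORD_LENGTH = 7;

    // The trace shows the InvalidKeyException only inside the IOException's
    // message, so check the message text as well as the cause chain.
    static boolean isIllegalKeySize(Throwable failure) {
        for (Throwable t = failure; t != null; t = t.getCause()) {
            String msg = t.getMessage();
            if (msg == null || !msg.contains("Illegal key size")) {
                continue;
            }
            if (t instanceof InvalidKeyException || msg.contains("InvalidKeyException")) {
                return true;
            }
        }
        return false;
    }

    // Returns an operator-facing hint only when every condition from the issue
    // holds: PKCS12 type, illegal key size, limited policy, password > 7 chars.
    static Optional<String> diagnose(Throwable failure, String keystoreType,
                                     int passwordLength, int maxAesKeyBits) {
        boolean limitedPolicy = maxAesKeyBits <= 128;
        if (!"PKCS12".equalsIgnoreCase(keystoreType)
                || !isIllegalKeySize(failure)
                || !limitedPolicy
                || passwordLength <= MAX_LIMITED_PKCS12_PASSWORD_LENGTH) {
            return Optional.empty();
        }
        return Optional.of("Cannot load PKCS12 keystore: the keystore password is "
                + passwordLength + " characters, but the JCE unlimited strength "
                + "jurisdiction policy is not installed, so PKCS12 passwords longer than "
                + MAX_LIMITED_PKCS12_PASSWORD_LENGTH + " characters cannot be used. "
                + "Install the unlimited strength policy files for this JRE.");
    }

    // Loads a keystore and replaces the opaque failure with the hint when it applies.
    static KeyStore load(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
            return keyStore;
        } catch (IOException e) {
            // Integer.MAX_VALUE means the unlimited policy is active.
            int maxBits = Cipher.getMaxAllowedKeyLength("AES");
            Optional<String> hint = diagnose(e, type, password.length, maxBits);
            if (hint.isPresent()) {
                throw new IOException(hint.get(), e); // keep the original as the cause
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        // Constructed input: innermost exception message from the trace in this issue.
        IOException sample = new IOException(
                "exception decrypting data - java.security.InvalidKeyException: Illegal key size");
        System.out.println(diagnose(sample, "PKCS12", 8, 128).orElse("no hint"));
        System.out.println(diagnose(sample, "PKCS12", 8, Integer.MAX_VALUE).orElse("no hint"));
        System.out.println(diagnose(sample, "JKS", 8, 128).orElse("no hint"));
    }
}
```

Only the first call in `main` yields the hint; with the unlimited policy active or a non-PKCS12 keystore the original exception is left untouched so unrelated failures are not mislabelled.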

            People

              Assignee: Unassigned
              Reporter: Andy LoPresto (alopresto)