Error while retrieving variable from vault - domain mode
pplopez Aug 31, 2016 12:10 PM

Hi guys, I'm having trouble with JBoss' vault. I've just created the keystore, the vault, configured JBoss to use the vault, and actually I can add a system property with its value referencing the vault, but when I start the server it fails, throwing this exception:
ERROR [org.jboss.as.controller.management-operation] (Host Controller Service Threads - 58) JBAS014612: Operation ("start") failed - address: ([
("host" => "HOST_XXX"),
("server-config" => "SERVER_XXX")
java.lang.SecurityException: JBAS013311: Security Exception
at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:115) [jboss-as-security-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45) [jboss-as-server-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:319) [jboss-as-controller-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
....more exception trace
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297) [picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
at org.jboss.as.security.vault.RuntimeVaultReader.getValue(RuntimeVaultReader.java:141) [jboss-as-security-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
at org.jboss.as.security.vault.RuntimeVaultReader.getValueAsString(RuntimeVaultReader.java:123) [jboss-as-security-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:113) [jboss-as-security-7.5.6.Final-redhat-2.jar:7.5.6.Final-redhat-2]
... 38 more
[Host Controller] Caused by: java.lang.IllegalArgumentException: Null input buffer
at javax.crypto.Cipher.doFinal(Cipher.java:2161) [jce.jar:1.8.0_20]
at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134) [picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293) [picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
... 41 more
(I didn't include the full stack trace; if you need it, just let me know.)
Next, the steps I've followed:
Step one:
keytool -genseckey -alias jbossvault -storetype jceks -keyalg AES -keysize 256 -keystore /some/path/jbvault.ks (same value for both keystore password and alias password)
Step two:
./vault.sh
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files:/some/path/
Enter Keystore URL:/some/path/jbvault.ks
Enter Keystore password: {password, just alphanumeric characters}
Enter Keystore password again: {password, just alphanumeric characters}
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):25
Enter Keystore Alias:jbossvault
Initializing Vault
Aug 30, 2016 2:45:34 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
Step three:
/host=MY_HC_NAME/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/some/path/jbvault.ks"), ("KEYSTORE_PASSWORD" => "MASKED_VALUE"), ("KEYSTORE_ALIAS" => "jbossvault"), ("SALT" => "12345678"),("ITERATION_COUNT" => "25"), ("ENC_FILE_DIR" => "/some/path/")])
Step four:
Add the following <vault> element to host.xml and host-slave.xml:
<vault>
<vault-option name="KEYSTORE_URL" value="/some/path/jbvault.ks"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASKED_VALUE"/>
<vault-option name="KEYSTORE_ALIAS" value="jbossvault"/>
<vault-option name="SALT" value="12345678"/>
<vault-option name="ITERATION_COUNT" value="25"/>
<vault-option name="ENC_FILE_DIR" value="/some/path/ "/>
</vault>
Then I run ./vault.sh again, enter the same data as in Step two, and the menu shows (Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Remove secured attribute 3: Exit); I choose 0, enter the required values, and that's all with the vault (of course, taking note of the values below "Configuration should be done as follows:").
For the system property, I stop the server, put the value specified by the vault.sh script inside ${}, and when I start the servers I get the "Security Exception".
Can anyone give me a hint about what could be the reason for the error?
PS: if I select the option "Check whether a secured attribute exists" and enter the values, it finds the variable in the vault.
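An added configuration check, not part of the post and not a JBoss or PicketBox tool: the trace shows Cipher.doFinal being handed a null buffer, i.e. retrieve() found no encrypted bytes for the requested attribute, so it is worth confirming that the vault-options the host controller actually loads point at the same keystore and ENC_FILE_DIR that vault.sh wrote to. The helper names, the scratch-directory layout and the sample host.xml (which mirrors the post's values, including the trailing space in ENC_FILE_DIR) are constructed for this example; ENC.dat is the file PicketBox's vault stores its secured attributes in.

```shell
#!/bin/sh
# Consistency checks for the <vault-option> entries in a JBoss host.xml.
# Constructed example; helper names are hypothetical.

# Print the value of one vault-option from a host.xml ($1 = file, $2 = name).
vault_option() {
    sed -n "s/.*<vault-option name=\"$2\" value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if the vault block looks usable, 1 otherwise; print each finding.
check_vault_config() {
    f=$1; rc=0
    for opt in KEYSTORE_URL KEYSTORE_PASSWORD KEYSTORE_ALIAS SALT ITERATION_COUNT ENC_FILE_DIR; do
        [ -n "$(vault_option "$f" "$opt")" ] || { echo "missing option: $opt"; rc=1; }
    done
    ks=$(vault_option "$f" KEYSTORE_URL)
    [ -f "$ks" ] || { echo "keystore not found: '$ks'"; rc=1; }
    enc_dir=$(vault_option "$f" ENC_FILE_DIR)
    trimmed=$(printf '%s' "$enc_dir" | sed 's/[[:space:]]*$//')
    [ "$enc_dir" = "$trimmed" ] || { echo "ENC_FILE_DIR has trailing whitespace: '$enc_dir'"; rc=1; }
    # ENC.dat is looked up with the value exactly as configured, not trimmed.
    [ -f "${enc_dir%/}/ENC.dat" ] || { echo "no ENC.dat under '$enc_dir'"; rc=1; }
    salt=$(vault_option "$f" SALT)
    [ ${#salt} -eq 8 ] || { echo "SALT must be exactly 8 characters"; rc=1; }
    case $(vault_option "$f" ITERATION_COUNT) in
        ''|*[!0-9]*) echo "ITERATION_COUNT is not a number"; rc=1 ;;
    esac
    return $rc
}

# Write a constructed host.xml (values mirror the post, including the trailing
# space in ENC_FILE_DIR) plus empty keystore and ENC.dat placeholders into $1.
make_sample() {
    mkdir -p "$1/some/path" && : > "$1/some/path/jbvault.ks" && : > "$1/some/path/ENC.dat"
    cat > "$1/host.xml" <<EOF
<vault>
  <vault-option name="KEYSTORE_URL" value="$1/some/path/jbvault.ks"/>
  <vault-option name="KEYSTORE_PASSWORD" value="MASKED_VALUE"/>
  <vault-option name="KEYSTORE_ALIAS" value="jbossvault"/>
  <vault-option name="SALT" value="12345678"/>
  <vault-option name="ITERATION_COUNT" value="25"/>
  <vault-option name="ENC_FILE_DIR" value="$1/some/path/ "/>
</vault>
EOF
    echo "$1/host.xml"
}
```

Run `check_vault_config /path/to/host.xml` against the real file on each host controller; on the constructed sample it reports the trailing space and the resulting missing ENC.dat, and passes once the value is `/some/path/`.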