1. Re: Vault password in domain mode (JBoss EAP 7)
mchoma Dec 10, 2018 2:15 AM (in response to gfo44)
Seems like vault misconfiguration. There are several similar posts out there.
Search for the exception in the log. Try to make some simple example work, e.g. vault in standalone mode. When you have ensured the vault configuration is OK, try to use one vault password in domain mode. (Yes, you need vault configuration on all controllers.)
2. Re: Vault password in domain mode (JBoss EAP 7)
gfo44 Jan 14, 2019 10:36 AM (in response to mchoma)
Hello,
I still can't make it work.
Can you please tell me if the following scenario seems good to you. Just some information before that: I am in domain mode. My master is installed and running. When I install my slaves, they push their configuration to the master. Then, for example, to install a slave, I need to run a bash script which connects to the domain controller and executes JBoss command-line instructions.
1/ During the installation of the domain controller, create the vault file.
2/ Push the configuration to the domain controller (/host=master/core-service=vault:add[...])
3/ During the installation of one of my slaves, create the vault file (a new one, not a duplication of the vault from the domain controller)
4/ Push the configuration to the domain controller (/host=<MY SLAVE HOST>/core-service=vault:add[...])
5/ Add passwords to my slaves vaults
6/ Push passwords to my domain controller's vault (I run a bash script on my domain controller through an SSH connection, so my master keystore knows all the passwords and the slaves only the passwords they need to know)
7/ Push my vaults in my domain controller's configuration (for example: profile=SLAVE_PROFILE/subsystem=datasources/xa-data-source=MY_DS:write-attribute(name=password, value="${VAULT::vb::password::1}"))
8/ I try to access my slave's app and I have this in the logs:
ang.SecurityException: WFLYSRV0228: security exception
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:118)
at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:331)
at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:240)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:142)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:84)
at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:66)
at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:580)
at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:539)
at org.jboss.as.host.controller.ManagedServerBootCmdFactory.resolveExpressions(ManagedServerBootCmdFactory.java:178)
at org.jboss.as.host.controller.ManagedServerBootCmdFactory.<init>(ManagedServerBootCmdFactory.java:105)
at org.jboss.as.domain.controller.operations.SyncServerStateOperationHandler$1.execute(SyncServerStateOperationHandler.java:93)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:890)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:659)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392)
at org.jboss.as.controller.AbstractControllerService.internalExecute(AbstractControllerService.java:408)
at org.jboss.as.host.controller.DomainModelControllerService.access$900(DomainModelControllerService.java:179)
at org.jboss.as.host.controller.DomainModelControllerService$InternalExecutor.execute(DomainModelControllerService.java:1238)
at org.jboss.as.host.controller.RemoteDomainConnectionService.applyRemoteDomainModel(RemoteDomainConnectionService.java:572)
at org.jboss.as.host.controller.RemoteDomainConnectionService.access$1100(RemoteDomainConnectionService.java:131)
at org.jboss.as.host.controller.RemoteDomainConnectionService$2.applyDomainModel(RemoteDomainConnectionService.java:515)
at org.jboss.as.host.controller.RemoteDomainConnection.applyDomainModel(RemoteDomainConnection.java:311)
at org.jboss.as.host.controller.RemoteDomainConnection$RegisterSubsystemsRequest$1.execute(RemoteDomainConnection.java:454)
at org.jboss.as.protocol.mgmt.AbstractMessageHandler$ManagementRequestContextImpl$1.doExecute(AbstractMessageHandler.java:363)
at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:472)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
at org.jboss.as.server.services.security.RuntimeVaultReader.getValue(RuntimeVaultReader.java:146)
at org.jboss.as.server.services.security.RuntimeVaultReader.getValueAsString(RuntimeVaultReader.java:126)
at org.jboss.as.server.services.security.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:116)
... 30 more
Caused by: java.lang.IllegalArgumentException: Null input buffer
at javax.crypto.Cipher.doFinal(Cipher.java:2161)
at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)
... 33 more
9/ I have read that we need to restart the domain controller because if we add vaults "on the fly" they are not loaded in memory, so I restart my domain controller
10/ Here, nothing works: my slave host configuration is gone (I can't do /host=<MY SLAVE HOST> anymore)
Thanks for your help.
Regards
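A check for the mapping this thread turns on: in domain mode each host controller resolves ${VAULT::...} expressions from the vault configured in its own host.xml (the stack trace above shows the slave host controller doing exactly that while applying the domain model it received), so every host that runs a profile must hold the entries that profile references. The Python lint below is an added example, not code from the thread or from JBoss EAP; the domain.xml and host.xml fragments are constructed samples, and the element and attribute names are assumed to follow the EAP 7 domain schema.

```python
import re
import xml.etree.ElementTree as ET

# ${VAULT::block::attribute::shared-key}: block and attribute identify the secret
VAULT_EXPR = re.compile(r"\$\{VAULT::([^:}]+)::([^:}]+)::[^}]*\}")
REQUIRED = {"KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
            "SALT", "ITERATION_COUNT", "ENC_FILE_DIR"}

def find(root, local):
    # match on local name so the urn:jboss:domain:* namespaces do not matter
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == local]

def profile_refs(domain_xml):
    # profile name -> {(block, attribute)} referenced anywhere inside that profile
    root = ET.fromstring(domain_xml)
    return {p.get("name"): set(VAULT_EXPR.findall(ET.tostring(p, encoding="unicode")))
            for p in find(root, "profile")}

def host_vault_options(host_root):
    """vault-option names on /host=*/core-service=vault, or None if not configured."""
    for cs in find(host_root, "core-service"):
        if cs.get("name") == "vault":
            return {o.get("name") for o in find(cs, "vault-option")}
    return None

def lint(domain_xml, hosts):
    """hosts: {host name: host.xml text} -> {host: (needed entries, problems)}."""
    refs = profile_refs(domain_xml)
    groups = {g.get("name"): g.get("profile") for g in find(ET.fromstring(domain_xml), "server-group")}
    report = {}
    for name, xml in hosts.items():
        root = ET.fromstring(xml)
        needed = set()
        for srv in find(root, "server"):            # servers this host controller runs
            needed |= refs.get(groups.get(srv.get("group")), set())
        opts, problems = host_vault_options(root), []
        if needed and opts is None:
            problems.append("profile uses VAULT expressions but host has no core-service=vault")
        elif opts is not None and REQUIRED - opts:
            problems.append("vault-options missing: " + ", ".join(sorted(REQUIRED - opts)))
        report[name] = (needed, problems)
    return report

# Constructed sample: one profile with a vaulted datasource password, a master with a full vault, a slave with none
DOMAIN = """<domain xmlns="urn:jboss:domain:4.0"><profiles><profile name="full"><subsystem xmlns="urn:jboss:domain:datasources:4.0">
<datasources><xa-datasource pool-name="MY_DS"><security><password>${VAULT::vb::password::1}</password></security></xa-datasource>
</datasources></subsystem></profile></profiles><server-groups><server-group name="slave-group" profile="full"/></server-groups></domain>"""
OPTS = "".join('<vault-option name="%s" value="x"/>' % o for o in sorted(REQUIRED))
HOSTS = {"master": '<host xmlns="urn:jboss:domain:4.0" name="master"><core-service name="vault">' + OPTS + '</core-service><servers/></host>',
         "slave1": '<host xmlns="urn:jboss:domain:4.0" name="slave1"><servers><server name="s1" group="slave-group"/></servers></host>'}
```

Run `lint(DOMAIN, HOSTS)` after populating the dictionaries from your real domain.xml and each host's host.xml; a host listed with a non-empty `needed` set must have every one of those block/attribute pairs in the vault its own core-service=vault points at.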