0 Replies Latest reply on Jan 6, 2020 4:44 AM by Abhishek Goyal

WildFly server is not starting after configuring the vault to mask the keystore password.

Abhishek Goyal Newbie

Hi all,

I am facing an issue while starting the server; the error is below. I am using JDK version 221 and WildFly 17.

I also checked the module.xml file; the dependency is there.

08:21:14,493 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("core-service" => "vault")]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0076: Error initializing vault --  org.jboss.security.vault.SecurityVaultException: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at org.jboss.as.server.services.security.VaultReaderImpl.createVault(RuntimeVaultReader.java:159)
        at org.jboss.as.server.services.security.RuntimeVaultReader.createVault(RuntimeVaultReader.java:100)
        at org.jboss.as.server.services.security.VaultAddHandler.performRuntime(VaultAddHandler.java:82)
        at org.jboss.as.controller.AbstractAddStepHandler.performRuntime(AbstractAddStepHandler.java:338)
        at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:159)
        at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
        at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
        at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
        at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1412)
        at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:521)
        at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:472)
        at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:434)
        at org.jboss.as.server.ServerService.boot(ServerService.java:435)
        at org.jboss.as.server.ServerService.boot(ServerService.java:394)
        at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:374)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.jboss.security.vault.SecurityVaultException: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
        at org.jboss.as.server.services.security.VaultReaderImpl.createVault(RuntimeVaultReader.java:157)
        ... 15 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
        at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
        at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:423)
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
        at javax.crypto.Cipher.doFinal(Cipher.java:2164)
        at org.jboss.security.plugins.PBEUtils.decode(PBEUtils.java:73)
        at org.jboss.security.plugins.PBEUtils.decode64(PBEUtils.java:90)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.decode(PicketBoxSecurityVault.java:362)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.loadKeystorePassword(PicketBoxSecurityVault.java:339)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:204)
        ... 16 more

08:21:14,500 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

Below is my standalone.xml file content:

<server xmlns="urn:jboss:domain:10.0">
    <extensions>
        <extension module="org.jboss.as.deployment-scanner"/>
        <extension module="org.jboss.as.ee"/>
        <extension module="org.jboss.as.jmx"/>
        <extension module="org.jboss.as.logging"/>
        <extension module="org.jboss.as.naming"/>
        <extension module="org.jboss.as.sar"/>
        <extension module="org.jboss.as.security"/>
        <extension module="org.wildfly.extension.core-management"/>
        <extension module="org.wildfly.extension.elytron"/>
        <extension module="org.wildfly.extension.io"/>
        <extension module="org.wildfly.extension.request-controller"/>
        <extension module="org.wildfly.extension.security.manager"/>
        <extension module="org.wildfly.extension.undertow"/>
    </extensions>
    <system-properties>
        <property name="org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING" value="false"/>
    </system-properties>
    <vault>
        <vault-option name="KEYSTORE_URL" value="/opt/keystore/vault.jks"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-1tqdrgVYYq3"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12438567"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="/opt/keystore/"/>
    </vault>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <ssl>
                        <keystore path="/opt/keystore/vault.jks" keystore-password="${VAULT::testing::Ivr@123::1}" key-password="${VAULT::Ivr@123::password::1}"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>


**********************************
****  JBoss Vault  ***************
**********************************
Please enter a Digit::   0: Start Interactive Session   1: Remove Interactive Session  2: Exit
0
Starting an interactive session
Enter directory to store encrypted files: /opt/keystore
Enter Keystore URL: /opt/keystore/vault.jks
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt: 12345678
Enter iteration count as a number (e.g.: 44): 50
Enter Keystore Alias: vault
WFLYSEC0056: Initializing Vault
Jan 06, 2020 8:09:15 AM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX00361: Default Security Vault Implementation Initialized and Ready
WFLYSEC0048: Vault Configuration commands in WildFly for CLI:
********************************************
For standalone mode:
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/opt/keystore/vault.jks"),("KEYSTORE_PASSWORD" => "MASK-1tqdrgVYYq3"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),("ITERATION_COUNT" => "50"),("ENC_FILE_DIR" => "/opt/keystore/")])
********************************************
For domain mode:
/host=the_host/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/opt/keystore/vault.jks"),("KEYSTORE_PASSWORD" => "MASK-1tqdrgVYYq3"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "12345678"),("ITERATION_COUNT" => "50"),("ENC_FILE_DIR" => "/opt/keystore/")])
********************************************
WFLYSEC0057: Vault is initialized and ready for use
WFLYSEC0058: Handshake with Vault complete
Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit
0
Task: Store a secured attribute
Please enter secured attribute value (such as password)
Please enter secured attribute value again
Values match
Enter Vault Block:testing
Enter Attribute Name:Ivr@123
WFLYSEC0047: Secured attribute value has been stored in Vault.
Please make note of the following:
********************************************
Vault Block:testing
Attribute Name:Ivr@123
Configuration should be done as follows:
VAULT::testing::Ivr@123::1
********************************************
Please enter a Digit::  0: Store a secured attribute  1: Check whether a secured attribute exists  2: Remove secured attribute  3: Exit
3
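The stack trace above ends in PBEWithMD5AndDESCipher and PBEUtils.decode64: the MASK- value for KEYSTORE_PASSWORD is a PBEWithMD5AndDES (PKCS#5 v1.5, PBKDF1 with MD5 plus DES-CBC) encryption whose key and IV are derived from the SALT and ITERATION_COUNT options, so the vault reader can only unmask it if standalone.xml carries exactly the salt and iteration count that the vault tool used. Note that the SALT in the standalone.xml shown in the post (12438567) differs from the salt entered in the vault tool session (12345678). The Go program below is an added example, not code from the post, from WildFly or from PicketBox: it models that masking scheme with a constructed placeholder passphrase and standard Base64, so it does not reproduce real WildFly MASK- values, but it shows why a salt that differs from the one used at masking time derives a different DES key and ends in a PKCS#5 padding error (or, occasionally, in garbage that happens to unpad), which is the WFLYSRV0076 / BadPaddingException failure mode seen at boot.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const maskPrefix = "MASK-"

// placeholderPassphrase is a constructed value for this example only. The real
// vault tool uses its own fixed passphrase, so this code cannot decode real masks.
var placeholderPassphrase = []byte("example-fixed-passphrase")

// pbkdf1MD5 implements PKCS#5 v1.5 PBKDF1 with MD5 (the key derivation behind
// PBEWithMD5AndDES): T1 = MD5(P || S), Ti = MD5(Ti-1), returning 16 bytes.
// The first 8 bytes become the DES key, the last 8 the CBC IV.
func pbkdf1MD5(passphrase, salt []byte, iterations int) []byte {
	t := md5.Sum(append(append([]byte{}, passphrase...), salt...))
	for i := 1; i < iterations; i++ {
		t = md5.Sum(t[:])
	}
	return t[:]
}

func pkcs5Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad is strict: a wrong key turns the last block into random bytes,
// which almost always fails one of these checks.
func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	n := int(b[len(b)-1])
	if n < 1 || n > des.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("padding bytes do not match")
		}
	}
	return b[:len(b)-n], nil
}

func deriveCipher(salt string, iterations int) (cipher.Block, []byte, error) {
	if len(salt) != 8 {
		return nil, nil, errors.New("salt must be exactly 8 characters")
	}
	if iterations < 1 {
		return nil, nil, errors.New("iteration count must be at least 1")
	}
	dk := pbkdf1MD5(placeholderPassphrase, []byte(salt), iterations)
	block, err := des.NewCipher(dk[:8])
	if err != nil {
		return nil, nil, err
	}
	return block, dk[8:16], nil
}

// Mask produces a MASK- value for password under the given salt and iteration count.
func Mask(password, salt string, iterations int) (string, error) {
	block, iv, err := deriveCipher(salt, iterations)
	if err != nil {
		return "", err
	}
	pt := pkcs5Pad([]byte(password))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return maskPrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// Unmask reverses Mask; it only succeeds when salt and iterations match those used by Mask.
func Unmask(masked, salt string, iterations int) (string, error) {
	if !strings.HasPrefix(masked, maskPrefix) {
		return "", errors.New("value does not start with " + maskPrefix)
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(masked, maskPrefix))
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of the DES block size")
	}
	block, iv, err := deriveCipher(salt, iterations)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	out, err := pkcs5Unpad(pt)
	if err != nil {
		return "", fmt.Errorf("bad padding, salt or iteration count probably differ from masking time: %w", err)
	}
	return string(out), nil
}

func main() {
	// Constructed sample: the salt and iteration count the vault tool session used.
	masked, _ := Mask("keystore-secret", "12345678", 50)
	fmt.Println("masked:", masked)
	pw, err := Unmask(masked, "12345678", 50) // same parameters as masking time
	fmt.Println("matching salt:", pw, err)
	pw, err = Unmask(masked, "12438567", 50) // the salt from the standalone.xml in the post
	fmt.Println("mismatched salt:", pw, err)
}
```

The practical check is therefore to diff the vault-options in standalone.xml against the /core-service=vault:add command printed by the vault tool, character by character, since the masked keystore password is bound to those exact SALT and ITERATION_COUNT values. Masking is a keyed obfuscation, not a secret store: anyone who can read standalone.xml and the vault tool's fixed passphrase can reverse it, so file permissions on the configuration directory remain the real control.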