  1. JBoss Enterprise Application Platform
  2. JBEAP-11821

Alias from dependent credential store is not available on server start

    Details

    • Type: Bug
    • Status: Verified
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 7.1.0.ER1
    • Fix Version/s: 7.1.0.CR1
    • Component/s: Security
    • Labels:
      None
    • Target Release:
    • Steps to Reproduce:
      git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-security.git
      cd tests-security/fips
      
      ./build-fips.sh clean test   -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta28-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.GA-maven-repository/maven-repository   -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.ER2.2.zip   -Dfips.java.home=/usr/java/jdk1.8.0_66_fips_mode/jre -fae -Dmaven.test.failure.ignore=true -Dtest=ExternalCsTestCase -DtestLogToFile=false
      

      To prepare maven.repo.local

      wget http://download-ipv4.eng.brq.redhat.com/devel/candidates/JBEAP/JBEAP-7.1.0-ER2.2/jboss-eap-7.1.0.ER2.2-testsuite-local-repository.zip
      
      unzip jboss-eap-7.1.0.ER2.2-maven-repository.zip
      unzip jboss-eap-7.1.0.ER2.2-testsuite-local-repository.zip
      
      cp -r -v eap-local-maven-repository jboss-eap-7.1.0.GA-maven-repository/maven-repository/
      

      Description

      Testing BouncyCastle external store. Intermittently (25% in lab, 0% locally) it happens that the alias from the dependent credential store is not available on server start.

      15:17:33,317 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.credential-store.fips-credential-store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.fips-credential-store: WFLYELY00004: Unable to start the service.
      	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:134)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:921)
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:930)
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:821)
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:213)
      	at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:159)
      	at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:126)
      	... 5 more
      Caused by: java.security.KeyStoreException: BCFKS not found
      	at java.security.KeyStore.getInstance(KeyStore.java:851)
      	at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:919)
      	... 10 more
      Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
      	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
      	at java.security.Security.getImpl(Security.java:695)
      	at java.security.KeyStore.getInstance(KeyStore.java:848)
      	... 11 more
      

      Could that be a problem of a "late" required service start?

      Although I don't see a similar problem with the default JKES credential store, nor with the PKCS11 external credential store. The PKCS11 store is, however, a special case, because it is loaded once per JVM.

      Could that be a problem of an external credential store with a file-based keystore?

      [1] https://jenkins.hosts.mwqe.eng.bos.redhat.com/hudson/view/EAP7/view/EAP7-Security/view/EAP-7.x-FIPS-mode/job/eap-7x-security-fips-matrix/163/testReport/
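
Added example, not part of the original report and not EAP or Elytron code: a small Java diagnostic that repeats the `KeyStore.getInstance` lookup from the trace above and lists which registered JCA providers offer the keystore type at that moment. The class name is hypothetical, and `PKCS12` is included only as a control type assumed to ship with the JDK.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Added diagnostic (hypothetical class): who provides a given KeyStore type right now? */
public class KeyStoreTypeCheck {

    /** Names of registered providers implementing the KeyStore type, in preference order. */
    static List<String> providersFor(String type) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            // getService also resolves aliases declared by the provider
            if (p.getService("KeyStore", type) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** Repeats the global lookup from the trace; returns "ok" or the flattened cause chain. */
    static String probe(String type) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            return "ok (" + ks.getProvider().getName() + ")";
        } catch (KeyStoreException e) {
            StringBuilder chain = new StringBuilder();
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (chain.length() > 0) chain.append(" <- ");
                chain.append(t.getClass().getSimpleName()).append(": ").append(t.getMessage());
            }
            return chain.toString();
        }
    }

    public static void main(String[] args) {
        // BCFKS is the type from the trace; PKCS12 is a constructed control value.
        String[] types = args.length > 0 ? args : new String[] {"BCFKS", "PKCS12"};
        for (String type : types) {
            System.out.printf("%-7s providers=%s lookup=%s%n",
                    type, providersFor(type), probe(type));
        }
    }
}
```

An empty provider list for `BCFKS` together with the `KeyStoreException` / `NoSuchAlgorithmException` chain means no provider offering that type was registered in the JVM when the lookup ran, which is the condition the trace records.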

    People

    • Assignee: honza889 Jan Kalina
    • Reporter: mchoma Martin Choma