Encrypt Keystore password in server.xml 8.0.45


Encrypt Keystore password in server.xml 8.0.45

S Abirami

Hi All,

  I have to encrypt keystore password in server.xml. For decrypting, I have inherited the class Http11Nio2Protocol [Http11Nio2ProtocolDecryptProp extends Http11Nio2Protocol] and decrypted in the overridden setKeyStorePass method, then set that to endpoint keystorePass and super class setKeyStorePass. I could see the encryption happened successfully. But I am getting the following error and the server is not opening.

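@Override
public void setKeystorePass(String s)
{
    try
    {
        // s is the value Tomcat passes in from the keystorePass attribute
        System.out.println( "This method called" + s );
        byte[] encrypted = s.getBytes();
        // key is defined elsewhere in the class (not shown in the post)
        byte[] data = OpenSSL.decrypt( "aes-256-cbc", key, encrypted );
        super.setKeystorePass( new String( data, "UTF-8" ) );
        super.endpoint.setKeystorePass( new String( data, "UTF-8" ) );
    }
    catch ( Exception e )
    {
        // the posted excerpt ends before its catch block; rethrow so a failure is visible
        throw new IllegalStateException( e );
    }
}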

Please share your input

Sep 11, 2017 10:51:16 AM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio2-2309"]
java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
       at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:449)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:353)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:606)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:546)
        at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:313)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:810)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:476)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:871)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:581)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:604)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
        ... 26 more

Sep 11, 2017 10:51:16 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[com.ericsson.http.protocol.Http11Nio2ProtocolDecryptProp-2309]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[com.ericsson.http.protocol.Http11Nio2ProtocolDecryptProp-2309]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:871)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Encrypt Keystore password in server.xml 8.0.45

Mark Thomas-2
In reply to this post by S Abirami
On 11/09/17 10:11, S Abirami wrote:
>
> Hi All,
>
>   I have to encrypt keystore password in server.xml.

https://wiki.apache.org/tomcat/FAQ/Password

Mark


RE: Encrypt Keystore password in server.xml 8.0.45

S Abirami
Hi Thomas,

I have encrypted the keystore password using openssl and hardcoded it in server.xml.
For decrypting, [Http11Nio2ProtocolDecryptProp extends Http11Nio2Protocol] and mentioned as below in server.xml

<Connector protocol="com.ericsson.http.protocol.Http11Nio2ProtocolDecryptProp"

Decryption is successful even though I am getting the following error and web app is not up.

I tried a toy program that is working fine. I feel that something is missed. Could you please help me here?

Sep 11, 2017 10:51:16 AM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio2-2309"]
java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
       at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:449)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:353)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:606)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:546)
        at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:313)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:810)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:476)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:871)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:581)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:604)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
        ... 26 more

Sep 11, 2017 10:51:16 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[com.ericsson.http.protocol.Http11Nio2ProtocolDecryptProp-2309]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[com.ericsson.http.protocol.Http11Nio2ProtocolDecryptProp-2309]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:871)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)




RE: Encrypt Keystore password in server.xml 8.0.45

S Abirami
In reply to this post by Mark Thomas-2
Hi Mark,

I followed the below steps as you stated

https://wiki.apache.org/tomcat/FAQ/Password

still getting the same exception in log. Here also property ${keystore.password} decrypted successfully from encrypted password saved in catalina.properties,
but it is giving the same exception and server not started. I have attached the exception for your consideration.

connector tag as below

<Connector  port="2309" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/opt/tomcat/ /certification/keystore" keystorePass="${keystore.password}"  clientAuth="false" maxHttpHeaderSize="8192" server="oamServer" xpoweredBy="false"  sslProtocol="TLS"/>

Setenv.sh
  Export CATALINA_OPTS=-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=< CLASS_NAME  which  implements IntrospectionUtils.PropertySource >

Catalina.properties
 
Keystore.password=<EncryptedPassword>

Please share your input.


Regards,
Abirami.S


Re: Encrypt Keystore password in server.xml 8.0.45

Mark Thomas-2
On 11/09/17 18:45, S Abirami wrote:
> Hi Mark,
>
> I followed the below steps as you stated
>
> https://wiki.apache.org/tomcat/FAQ/Password
>
> still getting the same exception in log. Here also  property ${keystore.password} decrypted successfully from encrypted password saved in catalina.properties.

The error message seems pretty clear:

"Keystore was tampered with, or password was incorrect"

I suspect it is the second option.

Mark
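
Added example, not part of the thread and not Tomcat's or the poster's code: a stand-alone Java check that feeds a candidate password to KeyStore.load(), the call that raises "Keystore was tampered with, or password was incorrect" in the trace above, and reports invisible characters without printing the secret. The class name, the sample password and the candidate strings are constructed for illustration; the thread does not say what was wrong with the decrypted value.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

// Added example: tests a candidate keystore password through KeyStore.load(),
// outside Tomcat, so the decryption step can be checked in isolation.
public class KeystorePassCheck {

    // Returns true when the candidate passes the JKS password verification.
    static boolean opens(byte[] keystoreBytes, String candidate) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try {
            ks.load(new ByteArrayInputStream(keystoreBytes), candidate.toCharArray());
            return true;
        } catch (IOException e) {
            // Same shape as the trace in the thread:
            // IOException caused by UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return false;
            }
            throw e; // unreadable or corrupt keystore, a different problem
        }
    }

    // Describes the candidate without revealing it: its length and the position
    // of any whitespace or control character that a log line would hide.
    static String describe(String candidate) {
        StringBuilder sb = new StringBuilder("length=" + candidate.length());
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (Character.isWhitespace(c) || Character.isISOControl(c)) {
                sb.append(String.format(" [U+%04X at %d]", (int) c, i));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty in-memory JKS keystore with a made-up password.
        String real = "sample-store-pass";
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, real.toCharArray());
        byte[] keystoreBytes = out.toByteArray();

        // Constructed candidates standing in for the output of a decryption step:
        // the exact value, and the same value with characters that do not show in a log.
        String[] candidates = { real, real + "\n", real + "\r\n", " " + real };
        for (String c : candidates) {
            System.out.println(describe(c) + " -> opens=" + opens(keystoreBytes, c));
        }
    }
}
```

To test a real deployment, pass the bytes of the file named in keystoreFile and the string returned by the decryption step to opens() and describe().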
