Andy LoPresto created NIFI-3062:
-----------------------------------
Summary: Provide better error message on startup if invalid length
keystore password used in conjunction with PKCS12 keystore
Key: NIFI-3062
URL: https://issues.apache.org/jira/browse/NIFI-3062
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework, Tools and Build
Affects Versions: 1.0.0
Reporter: Andy LoPresto
[~scottyaslan] discovered an edge case introduced in [NIFI-2943] -- on a system
without the JCE unlimited strength cryptographic jurisdiction policies
installed, a PKCS12 keystore with a password longer than 7 characters will fail
at start-up. Though this issue is captured when using the TLS Toolkit to
generate a keystore (or a client certificate, which is stored in a PKCS12
keystore in order to include the private key), a user could have manually
generated a PKCS12 keystore with a password longer than 7 characters using
{{openssl}} but will not be able to use it in NiFi without installing the JCE
USC policies.
Example output from TLS toolkit in 128-bit mode:
{code}
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
(master) alopresto
🔒 76s @ 19:48:16 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
2016/11/17 19:48:43 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No
nifiPropertiesFile specified, using embedded one.
2016/11/17 19:48:43 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone
certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
2016/11/17 19:48:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA
certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key
../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
2016/11/17 19:48:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames
specified, not generating any host certificates or configuration.
2016/11/17 19:48:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new
client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
**********************************************************************************
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
WARNING!!!!
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
**********************************************************************************
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
Unlimited JCE Policy is not installed which means we cannot utilize a
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
PKCS12 password longer than 7 characters.
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
Autogenerated password has been reduced to 7 characters.
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
Please strongly consider installing Unlimited JCE Policy at
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
Another alternative is to add a stronger password with the openssl tool to the
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out
'/tmp/CN=test.p12'
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
openssl pkcs12 -export -in '/tmp/CN=test.p12' -out
'../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm
-f '/tmp/CN=test.p12'
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
**********************************************************************************
2016/11/17 19:48:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:48:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
(master) alopresto
🔒 28s @ 19:48:45 $
{code}
Example output from TLS toolkit in 256-bit mode:
{code}
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
(master) alopresto
🔒 320s @ 19:55:16 $ jce_unlimited
Enabling JCE unlimited strength crypto policy
/Users/alopresto/Desktop/security/unlimited/US_export_policy.jar ->
/Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./US_export_policy.jar
/Users/alopresto/Desktop/security/unlimited/local_policy.jar ->
/Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./local_policy.jar
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
(master) alopresto
🔓 235s @ 19:59:12 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
2016/11/17 19:59:38 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No
nifiPropertiesFile specified, using embedded one.
2016/11/17 19:59:38 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone
certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
2016/11/17 19:59:38 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA
certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key
../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
2016/11/17 19:59:38 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames
specified, not generating any host certificates or configuration.
2016/11/17 19:59:38 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new
client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:59:39 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:59:39 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
(master) alopresto
🔓 4s @ 19:59:40 $
{code}
If the application is started in 128-bit mode with the {{keystore.p12}} using a
keystore password >= 8 characters, the following error will be printed in
{{$NIFI_HOME/logs/nifi-app.log}}:
{code}
org.apache.nifi.web.NiFiCoreException: Unable to start Flow Controller.
at
org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:93)
~[na:na]
at
org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:837)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:533)
~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:810)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:345)
~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1404)
~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1366)
~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:772)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)
~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:520)
~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:231)
[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at org.eclipse.jetty.server.Server.start(Server.java:411)
[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at org.eclipse.jetty.server.Server.doStart(Server.java:378)
[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675)
[nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at org.apache.nifi.NiFi.<init>(NiFi.java:156)
[nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at org.apache.nifi.NiFi.main(NiFi.java:262)
[nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
Caused by: org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'flowService': FactoryBean threw exception on object
creation; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'flowController': FactoryBean threw exception on object creation;
nested exception is
org.apache.nifi.framework.security.util.SslContextCreationException:
java.io.IOException: exception decrypting data -
java.security.InvalidKeyException: Illegal key size
at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060)
~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:52)
~[na:na]
... 28 common frames omitted
Caused by: org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'flowController': FactoryBean threw exception on object
creation; nested exception is
org.apache.nifi.framework.security.util.SslContextCreationException:
java.io.IOException: exception decrypting data -
java.security.InvalidKeyException: Illegal key size
at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060)
~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at
org.apache.nifi.spring.StandardFlowServiceFactoryBean.getObject(StandardFlowServiceFactoryBean.java:48)
~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
... 34 common frames omitted
Caused by: org.apache.nifi.framework.security.util.SslContextCreationException:
java.io.IOException: exception decrypting data -
java.security.InvalidKeyException: Illegal key size
at
org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:106)
~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at
org.apache.nifi.controller.FlowController.<init>(FlowController.java:440)
~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at
org.apache.nifi.controller.FlowController.createStandaloneInstance(FlowController.java:375)
~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at
org.apache.nifi.spring.FlowControllerFactoryBean.getObject(FlowControllerFactoryBean.java:74)
~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at
org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
... 41 common frames omitted
Caused by: java.io.IOException: exception decrypting data -
java.security.InvalidKeyException: Illegal key size
at
org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown
Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
at
org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown
Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
at
org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:86)
~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
... 45 common frames omitted
2016-11-17 18:35:17,830 INFO [main] /nifi-content-viewer No Spring
WebApplicationInitializer types detected on classpath
2016-11-17 18:35:17,833 INFO [main] o.e.jetty.server.handler.ContextHandler
Started
o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-content-viewer-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:17,836 INFO [main] o.e.jetty.server.handler.ContextHandler
Started o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,AVAILABLE}
2016-11-17 18:35:17,907 INFO [main] /nifi-docs No Spring
WebApplicationInitializer types detected on classpath
2016-11-17 18:35:17,909 INFO [main] o.e.jetty.server.handler.ContextHandler
Started
o.e.j.w.WebAppContext@7585531b{/nifi-docs,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-docs-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:17,969 INFO [main] / No Spring WebApplicationInitializer types
detected on classpath
2016-11-17 18:35:17,972 INFO [main] o.e.jetty.server.handler.ContextHandler
Started
o.e.j.w.WebAppContext@6fb8cfa7{/,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-error-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:17,990 WARN [main] org.apache.nifi.web.server.JettyServer
Failed to start web server... shutting down.
java.io.IOException: exception decrypting data -
java.security.InvalidKeyException: Illegal key size
at
org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown
Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
at
org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown
Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
at
org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1027)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:333)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at org.eclipse.jetty.server.Server.doStart(Server.java:390)
~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675)
~[nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at org.apache.nifi.NiFi.<init>(NiFi.java:156)
[nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
at org.apache.nifi.NiFi.main(NiFi.java:262)
[nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
2016-11-17 18:35:17,991 INFO [Thread-1] org.apache.nifi.NiFi Initiating
shutdown of Jetty web server...
2016-11-17 18:35:17,996 INFO [Thread-1]
o.eclipse.jetty.server.AbstractConnector Stopped
ServerConnector@464f12de{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2016-11-17 18:35:18,003 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@6fb8cfa7{/,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,006 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@7585531b{/nifi-docs,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,006 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,UNAVAILABLE}
2016-11-17 18:35:18,010 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,011 INFO [Thread-1]
o.a.n.w.c.ApplicationStartupContextListener Initiating shutdown of flow
service...
2016-11-17 18:35:18,018 WARN [Thread-1]
o.a.n.w.c.ApplicationStartupContextListener Problem occurred ensuring flow
controller or repository was properly terminated due to
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'flowService': FactoryBean threw exception on object creation; nested
exception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'flowController': FactoryBean threw exception on object
creation; nested exception is
org.apache.nifi.framework.security.util.SslContextCreationException:
java.io.IOException: exception decrypting data -
java.security.InvalidKeyException: Illegal key size
2016-11-17 18:35:18,018 INFO [Thread-1] /nifi-api Closing Spring root
WebApplicationContext
2016-11-17 18:35:18,075 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@814b60b{/nifi-api,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-api-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,206 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@5112b7{/nifi,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-ui-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,213 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@4fd80300{/nifi-update-attribute-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-update-attribute-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-update-attribute-ui-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,218 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@4baf997{/nifi-standard-content-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-standard-content-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,236 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@750cd36d{/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,239 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler
Stopped
o.e.j.w.WebAppContext@3a0896b3{/nifi-image-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-media-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-image-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,241 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server
shutdown completed (nicely or otherwise).
{code}
We should catch the illegal key size exception and print a more helpful error
message, as the toolkit does. We should also investigate if the recent change
affected prior behavior by changing how BouncyCastle was used to handle
keystores. Most users use JKS keystores, but some choose PKCS12. PKCS12 should
be discouraged as a format for keystores and truststores in NiFi as it is
overly complex and unnecessary.
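One way the proposed check could look, as an added example that is not NiFi's code: the class and method names are hypothetical, and it loads the keystore through the JDK's default provider rather than the BouncyCastle provider seen in the trace. Because the trace shows the `InvalidKeyException` only as text inside the `IOException` message, with no chained cause, the check matches on message text as well as on exception type.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import javax.crypto.Cipher;

public class KeystoreStartupCheck {

    // Limit quoted in the TLS toolkit warning: without the unlimited policy,
    // a PKCS12 password may not be longer than 7 characters.
    static final int MAX_LIMITED_PKCS12_PASSWORD = 7;

    /** True when the JVM permits AES keys above 128 bits (unlimited policy active). */
    static boolean unlimitedPolicyInstalled() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /** Walks the cause chain, matching on exception type and on message text. */
    static boolean isIllegalKeySize(Throwable failure) {
        for (Throwable c = failure; c != null; c = c.getCause()) {
            if (c instanceof InvalidKeyException) return true;
            String msg = c.getMessage();
            if (msg != null && msg.contains("Illegal key size")) return true;
        }
        return false;
    }

    /** Returns an operator-facing hint, or null when the failure is unrelated. */
    static String explain(Throwable failure, String type, int passwordLength, boolean unlimited) {
        if (!isIllegalKeySize(failure)) return null;
        StringBuilder sb = new StringBuilder("Unable to load " + type + " keystore: illegal key size.");
        if (!unlimited) {
            sb.append(" The JCE unlimited strength jurisdiction policies are not installed.");
            // Report only that the limit is exceeded, not the exact password length.
            if ("PKCS12".equalsIgnoreCase(type) && passwordLength > MAX_LIMITED_PKCS12_PASSWORD) {
                sb.append(" The keystore password is longer than " + MAX_LIMITED_PKCS12_PASSWORD
                        + " characters, which a PKCS12 keystore cannot use without them.");
            }
            sb.append(" Install the policies or re-export the keystore with a shorter password.");
        }
        return sb.toString();
    }

    /** Loads the keystore; an illegal-key-size failure is rethrown with the hint attached. */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
            return ks;
        } catch (IOException | GeneralSecurityException e) {
            String hint = explain(e, type, password.length, unlimitedPolicyInstalled());
            if (hint != null) throw new IllegalStateException(hint, e);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) { // usage: KeystoreStartupCheck <path> <JKS|PKCS12>
            Console console = System.console();
            if (console == null) throw new IllegalStateException("No console to read the password from");
            load(args[0], args[1], console.readPassword("Keystore password: "));
            System.out.println("Keystore loaded.");
            return;
        }
        // Constructed sample: the IOException message copied from the trace above.
        IOException fromTrace = new IOException(
                "exception decrypting data - java.security.InvalidKeyException: Illegal key size");
        System.out.println(explain(fromTrace, "PKCS12", 8, false));
        // Constructed unrelated failure: no hint is produced, so the caller rethrows as-is.
        System.out.println(explain(new IOException("constructed unrelated failure"), "PKCS12", 8, false));
    }
}
```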