[ https://issues.apache.org/jira/browse/NIFI-2930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pierre Villard resolved NIFI-2930.
----------------------------------
Resolution: Feedback Received
Apache NiFi 1.x is no longer maintained and no new release is planned on the
1.x release line. Marking as resolved as part of a cleanup operation. Please
open a new one with an updated description if this is still relevant for NiFi
2.x.
> SSLContextFactory throws Exception when Keystore password differs from Key password
> -----------------------------------------------------------------------------------
>
> Key: NIFI-2930
> URL: https://issues.apache.org/jira/browse/NIFI-2930
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.0.0
> Reporter: Yolanda M. Davis
> Priority: Major
>
> The SSLContextFactory class currently does not retrieve both key password and
> keystore password (only the keystore password is retrieved). The keystore
> password value in that class is used to load the keystore as well as
> initialize the KeyManagerFactory. However the KeyManagerFactory appears to
> expect the key password. If the key password has a different value from the
> keystore password, then the following exception occurs:
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>     at sun.security.provider.KeyProtector.recover(KeyProtector.java:328) ~[na:1.8.0_77]
>     at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146) ~[na:1.8.0_77]
>     at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56) ~[na:1.8.0_77]
>     at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96) ~[na:1.8.0_77]
>     at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70) ~[na:1.8.0_77]
>     at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_77]
>     at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133) ~[na:1.8.0_77]
>     at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_77]
>     at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_77]
>     at org.apache.nifi.io.socket.SSLContextFactory.<init>(SSLContextFactory.java:69) ~[nifi-socket-utils-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
>     at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:45) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
>     at org.apache.nifi.cluster.protocol.spring.ServerSocketConfigurationFactoryBean.getObject(ServerSocketConfigurationFactoryBean.java:30) ~[nifi-framework-cluster-protocol-1.0.0.2.0.0.0-579.jar:1.0.0.2.0.0.0-579]
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
>
> I believe the fix is to also retrieve the key password from nifi properties
> and provide that value when initializing the KeyManagerFactory.
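
The behaviour described in the quoted report, as an added example (not NiFi's code and not part of the original message): a JKS keystore is loaded with the keystore password, and the `KeyManagerFactory` is initialized first with that same password and then with the separate key password. The class name `KeyPasswordDemo`, the helper `keyManagers`, the alias `node` and both passwords are constructed for illustration; the example assumes a JDK that ships `keytool` under `java.home`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.net.ssl.KeyManagerFactory;

public class KeyPasswordDemo {
    // Load the store with the keystore password; recover keys with the key password.
    static KeyManagerFactory keyManagers(Path file, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, storePass);            // integrity check of the store file
        }
        // SunX509 is the algorithm in the quoted stack trace; it reads every key during init().
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPass);                 // this password must decrypt each private key entry
        return kmf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed test input: a throwaway JKS keystore whose two passwords differ.
        Path file = Files.createTempDirectory("ks-demo").resolve("node.jks");
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        char[] storePass = "storepass-example".toCharArray();
        char[] keyPass = "keypass-example".toCharArray();
        Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", "node", "-keyalg", "RSA",
                "-dname", "CN=localhost", "-storetype", "JKS", "-keystore", file.toString(),
                "-storepass", new String(storePass), "-keypass", new String(keyPass))
                .inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");

        try {
            // What the report describes: the keystore password reused as the key password.
            keyManagers(file, storePass, storePass);
            System.out.println("unexpected: keystore password recovered the key");
        } catch (UnrecoverableKeyException e) {
            System.out.println("keystore password used as key password: " + e.getMessage());
        }
        // What the report proposes: pass the key password to KeyManagerFactory.init().
        int n = keyManagers(file, storePass, keyPass).getKeyManagers().length;
        System.out.println("separate key password: " + n + " key manager(s) initialized");
    }
}
```

The store type is forced to JKS because `keytool` ignores a differing `-keypass` for PKCS12 keystores.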