lucas theisen created NIFI-11015:
------------------------------------

             Summary: registry ApplicationServerConnectorFactory uses 
NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE instead of 
NiFiRegistryProperties.SECURITY_TRUSTSTORE_TYPE for buildTrustStore
                 Key: NIFI-11015
                 URL: https://issues.apache.org/jira/browse/NIFI-11015
             Project: Apache NiFi
          Issue Type: Improvement
    Affects Versions: 1.19.1
            Reporter: lucas theisen


Our server has been configured to use PKCS12 for the keystore and JKS for the 
truststore, but when we attempted to upgrade (from 1.16 to 1.19.1) the registry 
failed to start with:

{code}
2022-12-28 15:33:01,442 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut 2022-12-28 15:33:01,442 INFO [main] 
org.eclipse.jetty.util.log Logging initialized @632ms to 
org.eclipse.jetty.util.log.Slf4jLog
2022-12-28 15:33:01,533 ERROR [NiFi logging handler] 
org.apache.nifi.registry.StdErr Failed to start web server: Key Store loading 
failed
2022-12-28 15:33:01,533 ERROR [NiFi logging handler] 
org.apache.nifi.registry.StdErr Shutting down...
2022-12-28 15:33:01,534 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut 2022-12-28 15:33:01,534 WARN [main] 
o.apache.nifi.registry.jetty.JettyServer Failed to start web server... shutting 
down.
2022-12-28 15:33:01,534 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut 
org.apache.nifi.security.ssl.BuilderConfigurationException: Key Store loading 
failed
2022-12-28 15:33:01,534 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.security.ssl.StandardKeyStoreBuilder.build(StandardKeyStoreBuilder.java:56)
2022-12-28 15:33:01,534 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildStore(ApplicationServerConnectorFactory.java:181)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildTrustStore(ApplicationServerConnectorFactory.java:167)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.buildSslContext(ApplicationServerConnectorFactory.java:141)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.jetty.connector.ApplicationServerConnectorFactory.<init>(ApplicationServerConnectorFactory.java:74)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.jetty.JettyServer.configureConnectors(JettyServer.java:150)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.jetty.JettyServer.<init>(JettyServer.java:101)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:114)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:168)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut Caused by: java.io.IOException: 
DerInputStream.getLength(): lengthTag=109, too big.
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
sun.security.util.DerInputStream.getLength(DerInputStream.java:588)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
sun.security.util.DerValue.init(DerValue.java:412)
2022-12-28 15:33:01,535 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
sun.security.util.DerValue.<init>(DerValue.java:353)
2022-12-28 15:33:01,545 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
sun.security.util.DerValue.<init>(DerValue.java:366)
2022-12-28 15:33:01,545 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1946)
2022-12-28 15:33:01,545 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
java.security.KeyStore.load(KeyStore.java:1445)
2022-12-28 15:33:01,545 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     at 
org.apache.nifi.security.ssl.StandardKeyStoreBuilder.build(StandardKeyStoreBuilder.java:54)
2022-12-28 15:33:01,545 INFO [NiFi logging handler] 
org.apache.nifi.registry.StdOut     ... 8 common frames omitted
{code}

A quick check of the source shows the use of 
[{{NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE}} instead of 
{{NiFiRegistryProperties.SECURITY_TRUSTSTORE_TYPE}}|https://github.com/apache/nifi/blob/rel/nifi-1.19.1/nifi-registry/nifi-registry-core/nifi-registry-jetty/src/main/java/org/apache/nifi/registry/jetty/connector/ApplicationServerConnectorFactory.java#L165]:

{code}
    private KeyStore buildTrustStore(final NiFiRegistryProperties properties) {
        final String trustStore = getRequiredProperty(properties, 
NiFiRegistryProperties.SECURITY_TRUSTSTORE);
        final String trustStoreType = getRequiredProperty(properties, 
NiFiRegistryProperties.SECURITY_KEYSTORE_TYPE);
        final String trustStorePassword = getRequiredProperty(properties, 
NiFiRegistryProperties.SECURITY_TRUSTSTORE_PASSWD);
        return buildStore(trustStore, trustStoreType, trustStorePassword);
    }
{code}

This means that to work around this in the current code we will need to use the 
same keystore type for both the keystore and the trust store and use the 
{{nifi.registry.security.keystoreType}} to configure that type.
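
A preflight check for the mismatch reported above, added here as an example (it is not part of the original report or of NiFi): it sniffs the truststore's leading bytes, compares them with the type that `buildTrustStore` applies in 1.19.1, and shows where `lengthTag=109` comes from when a JKS header is read as DER. Only `nifi.registry.security.keystoreType` is named in the report; the other property keys are assumed to be the standard `nifi-registry.properties` names, and the sample paths and header bytes are constructed.

```python
# Added example (not NiFi code): preflight check for the NIFI-11015 mismatch.
JKS_MAGIC = bytes.fromhex("feedfeed")   # first four bytes of every JKS file
DER_SEQUENCE = 0x30                     # PKCS12 (PFX) files start with a DER SEQUENCE

def sniff_store_format(header: bytes) -> str:
    """Guess the store format from the leading bytes of the file."""
    if header[:4] == JKS_MAGIC:
        return "JKS"
    if header[:1] == bytes([DER_SEQUENCE]):
        return "PKCS12"
    return "UNKNOWN"

def der_length_tag(header: bytes):
    """Length-octet count a DER parser reads from byte 1 (long form), else None."""
    octet = header[1]
    return octet & 0x7F if octet & 0x80 else None

def parse_properties(text: str) -> dict:
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def truststore_findings(props: dict, truststore_header: bytes) -> list:
    """Flag configurations that hit the 1.19.1 behaviour quoted above."""
    prefix = "nifi.registry.security."
    declared = props.get(prefix + "truststoreType", "").upper()
    applied = props.get(prefix + "keystoreType", "").upper()  # what buildTrustStore reads
    actual = sniff_store_format(truststore_header)
    findings = []
    if declared != applied:
        findings.append(f"truststoreType={declared} is ignored; {applied} is applied")
    if actual != applied:
        findings.append(f"truststore file is {actual} but will be parsed as {applied}")
    return findings

# Constructed sample input: the reporter's layout (PKCS12 keystore, JKS truststore).
SAMPLE_PROPERTIES = """
nifi.registry.security.keystore=./conf/keystore.p12
nifi.registry.security.keystoreType=PKCS12
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=JKS
"""
SAMPLE_JKS_HEADER = bytes.fromhex("feedfeed00000002")  # magic + version 2

if __name__ == "__main__":
    for finding in truststore_findings(parse_properties(SAMPLE_PROPERTIES), SAMPLE_JKS_HEADER):
        print("WARN", finding)
    print("lengthTag a DER parser sees in a JKS header:", der_length_tag(SAMPLE_JKS_HEADER))
```

The second byte of the JKS magic is `0xED`; a DER parser treats its low seven bits (109) as the number of length octets, which is the value in the exception above.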


