Hi all

I'm trying to secure my nifi registry.

So I've created a keystore and a truststore, added to the keystore a
private key entry, and configured my nifi-registry docker container to
use that keystore/truststore.


I can get the key pair in my keystore using keytool, both on my machine
and in docker container.

But when I start nifi-registry, I always get


nifi-registry_1  | java.security.UnrecoverableKeyException: Get Key
failed: Given final block not properly padded. Such issues can arise if
a bad key is used during decryption.
nifi-registry_1  |      at
sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:435)
~[na:1.8.0_212]
nifi-registry_1  |      at
java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_212]
nifi-registry_1  |      at
sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
~[na:1.8.0_212]
nifi-registry_1  |      at
sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
~[na:1.8.0_212]
nifi-registry_1  |      at
javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
~[na:1.8.0_212]
nifi-registry_1  |      at
org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1113)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:309)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:229)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:72)
~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:279)
~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.server.Server.doStart(Server.java:398)
~[jetty-server-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
~[jetty-util-9.4.11.v20180605.jar:9.4.11.v20180605]
nifi-registry_1  |      at
org.apache.nifi.registry.jetty.JettyServer.start(JettyServer.java:423)
~[nifi-registry-jetty-0.4.0.jar:0.4.0]
nifi-registry_1  |      at
org.apache.nifi.registry.NiFiRegistry.<init>(NiFiRegistry.java:117)
[nifi-registry-runtime-0.4.0.jar:0.4.0]
nifi-registry_1  |      at
org.apache.nifi.registry.NiFiRegistry.main(NiFiRegistry.java:164)
[nifi-registry-runtime-0.4.0.jar:0.4.0]
nifi-registry_1  | Caused by: javax.crypto.BadPaddingException: Given
final block not properly padded. Such issues can arise if a bad key is
used during decryption.
nifi-registry_1  |      at
com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1  |      at
com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1  |      at
com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1  |      at
com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:405)
~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1  |      at
com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:437)
~[sunjce_provider.jar:1.8.0_212]
nifi-registry_1  |      at javax.crypto.Cipher.doFinal(Cipher.java:2164)
~[na:1.8.0_212]
nifi-registry_1  |      at
sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:371)
~[na:1.8.0_212]
nifi-registry_1  |      ... 23 common frames omitted


What puzzles me is that I have successfully configured my nifi runner
using exactly the same kind of configuration.

Is there something I'm doing wrong?

How can I investigate that kind of problem?

Thanks

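One way to investigate the failure in the trace above, as an added example (not part of the original message and not NiFi Registry code): the exception is raised by `KeyStore.getKey`, the per-entry decryption step that runs after the store itself has loaded, so a small probe can test the store password and the key password separately. The class name `KeystoreProbe`, the alias and both passwords are hypothetical, and the sample keystore is constructed in memory with an AES entry standing in for the private key.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import javax.crypto.KeyGenerator;

public class KeystoreProbe {

    // Loads the store with storePass, then tries to decrypt every key entry
    // with keyPass: the same KeyStore.getKey call that KeyManagerFactory.init
    // reaches in the stack trace.
    static void probe(byte[] p12, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        // A wrong store password already fails here, with an IOException.
        ks.load(new ByteArrayInputStream(p12), storePass);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            try {
                Key k = ks.getKey(alias, keyPass);
                System.out.println(alias + ": key decrypted (" + k.getAlgorithm() + ")");
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": " + e.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a PKCS12 store whose entry password differs
        // from the store password (both values are made up).
        char[] storePass = "store-pass".toCharArray();
        char[] keyPass = "key-pass".toCharArray();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("sample", kg.generateKey(), keyPass, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        byte[] p12 = out.toByteArray();

        probe(p12, storePass, storePass); // store opens, key entry does not decrypt
        probe(p12, storePass, keyPass);   // store opens and key entry decrypts
    }
}
```

To probe a real keystore, read the file into `p12` and pass the passwords exactly as the application's configuration supplies them.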