6 Replies Latest reply on Oct 25, 2012 12:44 PM by yjma2001

    How to secure SSL keystore password at teiid jdbc

    yjma2001

      Hi:

      I failed to set up SSL at the Teiid JDBC transport layer using the JBoss vault to secure the SSL keystore password.

      Here are my questions:

      (1) Does Teiid support securing the JDBC SSL keystore password via the JBoss vault?

      (2) If yes, what is the correct configuration?

      (3) Does Teiid provide some way to secure the SSL keystore password at the Teiid JDBC/ODBC transport?

      Here are the details of my failed tests:

      At first, I created my vault and added the following section to standalone-teiid.xml:

          <vault>
              <vault-option name="KEYSTORE_URL" value="c:\\vault\\vault.keystore"/>
              <vault-option name="KEYSTORE_PASSWORD" value="MASK-CGClE.QFRs1"/>
              <vault-option name="KEYSTORE_ALIAS" value="vault"/>
              <vault-option name="SALT" value="12345678"/>
              <vault-option name="ITERATION_COUNT" value="50"/>
              <vault-option name="ENC_FILE_DIR" value="c:\\vault\\"/>
          </vault>

      Here is the SSL definition for the Teiid JDBC transport in standalone-teiid.xml:

                  <transport name="jdbc" socket-binding="teiid-jdbc">
                      <ssl mode="enabled" keymanagement-algorithm="SunX509">
                          <keystore name="c:\\vault\\test.keystore" password="${VAULT::keystore_pw::PASSWORD::ZWQxMWNiMzktOThmNS00NWIyLWFjZTUtNmExYWFiNzUyOTk5TElORV9CUkVBS3ZhdWx0}"/>
                      </ssl>
                  </transport>

      Here is the error log:

      09:40:55,750 WARNING [org.jboss.netty.channel.socket.nio.NioServerSocketPipelineSink] (New I/O server boss #1 ([id: 0x00175b9a, /0.0.0.0:31050])) Failed to initialize an accepted socket.: java.io.IOException: Keystore was tampered with, or password was incorrect
          at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771) [rt.jar:1.6.0_34]
          at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38) [rt.jar:1.6.0_34]
          at java.security.KeyStore.load(KeyStore.java:1185) [rt.jar:1.6.0_34]
          at org.teiid.net.socket.SocketUtil.loadKeyStore(SocketUtil.java:221) [teiid-client-8.2.0.Beta1.jar:8.2.0.Beta1]
          at org.teiid.net.socket.SocketUtil.getSSLContext(SocketUtil.java:171) [teiid-client-8.2.0.Beta1.jar:8.2.0.Beta1]
          at org.teiid.transport.SSLConfiguration.getServerSSLEngine(SSLConfiguration.java:76) [teiid-runtime-8.2.0.Beta1.jar:8.2.0.Beta1]
          at org.teiid.transport.SSLAwareChannelHandler.getPipeline(SSLAwareChannelHandler.java:228) [teiid-runtime-8.2.0.Beta1.jar:8.2.0.Beta1]
          at org.jboss.netty.channel.socket.nio.NioServerSocketPipelineSink$Boss.registerAcceptedChannel(NioServerSocketPipelineSink.java:276) [netty-3.2.6.Final.jar:]
          at org.jboss.netty.channel.socket.nio.NioServerSocketPipelineSink$Boss.run(NioServerSocketPipelineSink.java:246) [netty-3.2.6.Final.jar:]
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_34]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_34]
          at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_34]
      Caused by: java.security.UnrecoverableKeyException: Password verification failed
          at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769) [rt.jar:1.6.0_34]
          ... 11 more

      Inside the debugger, it looks like Teiid did not substitute the password from the vault keystore at all. It uses the password string "${VAULT::keystore_pw::PASSWORD::ZWQxMWNiMzktOThmNS00NWIyLWFjZTUtNmExYWFiNzUyOTk5TElORV9CUkVBS3ZhdWx0}" to access the keystore directly.

      Thanks

      Jack
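An added configuration check, not code from the post or from Teiid/JBoss, that audits a standalone-teiid.xml fragment for keystore passwords that are plaintext or malformed ${VAULT::...} references, and flags the failure mode described above, where the literal vault expression reaches the keystore loader unresolved. The XML fragment, the extra transport names and the shortened shared key are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Shape of a JBoss AS7 vault reference: ${VAULT::<vault_block>::<attribute>::<shared_key>}
VAULT_REF = re.compile(r"^\$\{VAULT::(?P<block>[^:}]+)::(?P<attr>[^:}]+)::(?P<key>[^}]+)\}$")

# Constructed fragment modelled on the post's standalone-teiid.xml (subsystem namespace and
# the second/third transports are simplified for the example; not a real server file).
SAMPLE_CONFIG = r"""<subsystem>
  <transport name="jdbc" socket-binding="teiid-jdbc">
    <ssl mode="enabled" keymanagement-algorithm="SunX509">
      <keystore name="c:\\vault\\test.keystore"
                password="${VAULT::keystore_pw::PASSWORD::ZWQxMWNiMzktOThmNS00NWIy}"/>
    </ssl>
  </transport>
  <transport name="odbc" socket-binding="teiid-odbc">
    <ssl mode="enabled">
      <keystore name="c:\\vault\\test.keystore" password="changeit"/>
    </ssl>
  </transport>
  <transport name="embedded">
    <ssl mode="enabled">
      <keystore name="c:\\vault\\test.keystore" password="${VAULT::keystore_pw::PASSWORD}"/>
    </ssl>
  </transport>
</subsystem>"""

def classify_password(value):
    """'vault' for a well-formed ${VAULT::...} reference, 'broken-vault' for a value
    that starts like one but does not parse, 'plaintext' for anything else."""
    if VAULT_REF.match(value):
        return "vault"
    return "broken-vault" if value.startswith("${VAULT::") else "plaintext"

def audit_keystore_passwords(xml_text):
    """Map each transport name to the classification of its keystore password attribute."""
    findings = {}
    for transport in ET.fromstring(xml_text).iter("transport"):
        for keystore in transport.iter("keystore"):
            findings[transport.get("name")] = classify_password(keystore.get("password", ""))
    return findings

def is_unresolved_vault_reference(password):
    """True when the literal vault expression is about to reach the keystore loader: the
    post's debug session showed exactly this, and JKS then fails with 'Keystore was
    tampered with, or password was incorrect' because no substitution ever happened."""
    return VAULT_REF.match(password) is not None
```

Run the audit against the real file before starting the server; a `vault` result only means the reference is well-formed, so `is_unresolved_vault_reference` is the check to apply to the value that actually reaches KeyStore.load().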