Bug
Resolution: Done
High
Guilin Release
karaf.log shows the following error when SDNC starts:
2020-09-30T12:41:20,680 | ERROR | features-3-thread-1 | HttpServiceStarted | 408 - org.ops4j.pax.web.pax-web-runtime - 7.2.10 | - | Could not start the servlet context for context path []
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[?:?]
at java.security.KeyStore.load(Unknown Source) ~[?:?]
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:54) ~[?:?]
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1194) ~[?:?]
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:334) ~[?:?]
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:256) ~[?:?]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[?:?]
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:167) ~[?:?]
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:119) ~[?:?]
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94) ~[?:?]
.
.
.
at java.util.concurrent.FutureTask.run(Unknown Source) [?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 53 more
Probably, this commit has caused the problem:
https://gerrit.onap.org/r/c/sdnc/oam/+/105729
The certs have been updated in this commit, but the password for the keystore (org.onap.sdnc.p12) was not updated in the pom file (installation/sdnc/pom.xml), which contains this entry:
<sdnc.keypass><![CDATA[ff^G9D][yf&r}Ktum@BJ0YB?N]]></sdnc.keypass>
Tried to list the keys in both the old keystore and the updated keystore from the above commit. The old one works with this password, but the new one does not work:
OLD:
keytool -v -list -keystore org.onap.sdnc_old-b4795c3241968668957a57b0dca331a6.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: sdnc@sdnc.onap.org
Creation date: 26 Apr 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: C=US, O=ONAP, OU=OSAAF, OU=sdnc@sdnc.onap.org, EMAILADDRESS=, CN=ccsdk-sdnc-heat-dev
Issuer: CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
Serial number: 7c3405254e2a8851
Valid from: Fri Apr 26 19:48:01 CEST 2019 until: Sun Apr 26 19:48:01 CEST 2020
Certificate fingerprints:
SHA1: 5D:9D:2C:3A:37:C3:86:73:65:55:91:29:74:8F:EA:D9:8F:C0:88:BB
SHA256: C4:41:12:76:EA:4B:46:52:DE:88:91:2A:8E:71:FD:2F:16:3C:5E:00:97:28:70:A0:9B:A9:EE:B1:2D:7D:22:93
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
NEW:
keytool -v -list -keystore org.onap.sdnc_new-1814b26af102bcb8d7f5f31d6489e8ea.p12
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2108)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1050)
at java.base/sun.security.tools.keytool.Main.run(Main.java:397)
at java.base/sun.security.tools.keytool.Main.main(Main.java:390)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 6 more
Relates to: CCSDK-2827 SDNC does not support https on northbound restconf in docker env (Closed)
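A pre-merge check for the mismatch described in this ticket, as an added example that is not part of the ticket or of the SDNC repository: it reads sdnc.keypass from the pom and asks keytool whether the keystore opens with that password. The function names and return codes are assumptions made for illustration; the pom property and the file paths in the usage comment are the ones quoted above.

```shell
#!/bin/sh
# Added example (not SDNC project code): fail a build when the keystore
# password recorded in pom.xml no longer opens the PKCS12 file shipped with it.

# Print the value of <sdnc.keypass> from a pom, with the CDATA wrapper removed.
# Prints nothing if the property is absent.
pom_keypass() {
    sed -n 's|.*<sdnc\.keypass><!\[CDATA\[\(.*\)]]></sdnc\.keypass>.*|\1|p' "$1" |
        head -n 1
}

# Return 0 if keytool can load the keystore with the pom's password,
# 1 on a mismatch, 2 if the pom has no password, 3 if keytool is missing.
keystore_matches_pom() {
    pom=$1
    keystore=$2
    SDNC_KEYPASS=$(pom_keypass "$pom")
    if [ -z "$SDNC_KEYPASS" ]; then
        echo "no sdnc.keypass found in $pom" >&2
        return 2
    fi
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH" >&2
        return 3
    fi
    # Hand the password over through the environment (-storepass:env) so it
    # does not show up in the process list or in CI logs.
    export SDNC_KEYPASS
    if keytool -list -storetype PKCS12 -keystore "$keystore" \
        -storepass:env SDNC_KEYPASS >/dev/null 2>&1; then
        rc=0
    else
        echo "$keystore does not open with sdnc.keypass from $pom" >&2
        rc=1
    fi
    unset SDNC_KEYPASS
    return "$rc"
}

# Usage: sh check_keystore.sh installation/sdnc/pom.xml path/to/org.onap.sdnc.p12
if [ "$#" -eq 2 ]; then
    keystore_matches_pom "$1" "$2"
fi
```

Run against the updated keystore from the ticket, the check returns 1 at review time instead of the failure surfacing in karaf.log when the container starts.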