Configuring JBoss to use Password Vault - error: PBOX00140: Unable to get keystore


Hi
I have a DEV env with JBoss EAP 7.3.3 on RHEL 7.5.
I am following Solution Doc: 2790371 Encrypting passwords in JBoss EAP 6/7 configuration files using the Vault

I created a directory to store the keystore and ran the following command:
$JAVA_HOME/bin/keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass pwdxxx -keypass pwdxxx -validity 730 -keystore $EAP_HOME/vault/vault.keystore

Please note: This is NOT OpenJDK

I then initialised the vault store with:
./vault.sh --keystore $EAP_HOME/vault/vault.keystore --keystore-password pwdxxx --alias vault --vault-block vb --attribute password --sec-attr pwdxxx --enc-dir $EAP_HOME/vault/ --iteration 120 --salt pwdxxx

I receive the following success message:
Dec 01, 2020 10:49:26 AM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: PBOX00361: Default Security Vault Implementation Initialized and Ready
WFLYSEC0047: Secured attribute value has been stored in Vault.

I'm using domain mode so I ran the following from the management-cli in an attempt to make JBoss aware of the vault:
/host=master/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/u01/redhat/jboss/EAP-7.3.0/vault/vault.keystore"),("KEYSTORE_PASSWORD" => "MASK-2CcDM56oM3XEJT.Q/IaCiq"),("KEYSTORE_ALIAS" => "vault"),("SALT" => "pwd123"),("ITERATION_COUNT" => "120"),("ENC_FILE_DIR" => "/u01/redhat/jboss/EAP-7.3.0/vault/")])

At which point I receive the following error:
{
"outcome" => "failed",
"result" => {},
"failure-description" => {"host-failure-descriptions" => {"master" => "WFLYCTL0158: Operation handler failed: org.jboss.as.server.services.security.Vault
ReaderException: WFLYSRV0076: Error initializing vault -- org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to
get keystore (/u01/redhat/jboss/EAP-7.3.0/vault/vault.keystore)"}},
"rolled-back" => true
}

I have checked for previous experiences of this error, most of which centre around the problem being either:
1. Not specifying the storetype as jceks (see solution doc: 3403311). As you can see above, I did specify storetype as jceks
2. Add to modules/system/layers/base/org/picketbox/main/modules.xml
This entry exists.

In the host-controller.log the message is:
2020-12-01 10:55:13,257 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
("host" => "master"),
("core-service" => "vault")
]): org.jboss.as.server.services.security.VaultReaderException: WFLYSRV0076: Error initializing vault -- org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/u01/redhat/jboss/EAP-7.3.0/vault/vault.keystore)
...
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/u01/redhat/jboss/EAP-7.3.0/vault/vault.keystore)
at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
at org.jboss.as.server.services.security.VaultReaderImpl.createVault(RuntimeVaultReader.java:157)
...
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/u01/redhat/jboss/EAP-7.3.0/vault/vault.keystore)
...
Caused by: java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector

Appreciate any suggestions that may help me.

Regards

Andy
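A small diagnostic loader, added here as an example and not code from the post or from JBoss EAP: it opens the keystore with `KeyStore.getInstance("JCEKS")` and reads the secret key under the vault alias, which is the step PicketBoxSecurityVault.init performs before anything else. Running it under the same $JAVA_HOME the host controller uses separates a path or permission problem from a JCEKS provider problem; the path, alias and placeholder password are taken from the post.

```java
// Added diagnostic (not part of the original post or of JBoss EAP): load the
// vault keystore the way a JCEKS consumer must, under the JVM that runs it.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import javax.crypto.SecretKey;

public class VaultKeystoreCheck {

    // Returns a description of the secret key and the provider that served it,
    // or propagates the same exception the vault initialisation would hit.
    static String describeVaultKey(String path, String storePass,
                                   String alias, String keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");   // the vault requires JCEKS
        try (FileInputStream in = new FileInputStream(path)) {
            // An IOException naming a vendor-specific class (for example a
            // SealedObjectForKeyProtector) during load typically means the file was
            // written by a JDK whose JCEKS implementation differs from this JVM's.
            ks.load(in, storePass.toCharArray());
        }
        if (!ks.containsAlias(alias)) {
            throw new KeyStoreException("alias '" + alias + "' not in keystore; present: "
                    + Collections.list(ks.aliases()));
        }
        // The vault needs a secret key (keytool -genseckey), not a key pair or certificate.
        if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            throw new KeyStoreException("alias '" + alias + "' is not a SecretKeyEntry");
        }
        SecretKey key = (SecretKey) ks.getKey(alias, keyPass.toCharArray());
        return key.getAlgorithm() + "/" + (key.getEncoded().length * 8) + "-bit via provider "
                + ks.getProvider().getName() + " on " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version");
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the values from the post; "pwdxxx" is the post's placeholder password.
        String path = args.length > 0 ? args[0] : "/u01/redhat/jboss/EAP-7.3.0/vault/vault.keystore";
        String pass = args.length > 1 ? args[1] : "pwdxxx";
        System.out.println(describeVaultKey(path, pass, "vault", pass));
    }
}
```

Compile and run it once with the JDK that created the keystore and once with `$JAVA_HOME/bin/java` from the JBoss host controller's environment; if only the second run fails at `ks.load`, the keystore format, not the path or the CLI options, is what the PBOX00140 error is reporting.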
