Invalid secret key format when accessing to a vault / ObjectInputFilter REJECTED when trying to create vault in JBoss EAP

Solution Verified - Updated -

Issue

  • EAP and vault.sh script throw the following exception:

    java.lang.Exception: WFLYSEC0045: Exception encountered:
        at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
        at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
        at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
        at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.modules.Module.run(Module.java:335)
        at org.jboss.modules.Main.main(Main.java:505)
    Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
        at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
        ... 9 more
    Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
        ... 10 more
    Caused by: java.io.IOException: Invalid secret key format
        at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
        at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
        ... 11 more
    
  • We are seeing ObjectInputFilter REJECTED error when trying to create a vault:

    WFLYSEC0056: Initializing Vault
    May 01, 2018 11:13:49 AM java.io.ObjectInputStream filterCheck
    INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 1, depth: 1, bytes: 70, ex: n/a
    WFLYSEC0059: Exception encountered:WFLYSEC0045: Exception encountered:
    
  • EAP 6.2.x gives a NullPointerException with following stacktrace:

    Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.NullPointerException
           at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:192)
           at org.jboss.as.security.vault.RuntimeVaultReader.createVault(RuntimeVaultReader.java:82) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
           ... 11 more
     Caused by: java.lang.NullPointerException
           at org.picketbox.plugins.vault.PicketBoxSecurityVault.checkAndConvertKeyStoreToJCEKS(PicketBoxSecurityVault.java:527)
           at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:189)
           ... 12 more
    
  • JBoss doesn't start using OpenJDK from zulu because it can't find the vault file. We didn't change the location of the vault file.

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6
    • 7
  • Red Hat JBoss Data Grid
    • 7.1.2
  • JDK that has included non-public JDK-8189997 including:
    • JDK 1.8.0_171+ (OpenJDK or Oracle JDK)
    • JDK 1.7.0_181+ (OpenJDK or Oracle JDK)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In