Getting Invalid secret key format when starts up the server or accessing to a vault in JBoss EAP

Solution Verified - Updated 2019-08-13T19:48:43+00:00 -

Issue

EAP and vault.sh script throw the following exception:

java.lang.Exception: WFLYSEC0045: Exception encountered:
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
    at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
    at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
    at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.modules.Module.run(Module.java:335)
    at org.jboss.modules.Main.main(Main.java:505)
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
    at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
    ... 9 more
Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
    ... 10 more
Caused by: java.io.IOException: Invalid secret key format
    at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
    at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
    ... 11 more

An ObjectInputFilter REJECTED error has been thrown when trying to create a Vault:

        WFLYSEC0056: Initializing Vault
        May 01, 2018 11:13:49 AM java.io.ObjectInputStream filterCheck
        INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 1, depth: 1, bytes: 70, ex: n/a
        WFLYSEC0059: Exception encountered:WFLYSEC0045: Exception encountered:

EAP 6.2.x (or earlier EAP 6.0.x/6.1.x) gives a NullPointerException with following stacktrace:

Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.NullPointerException
       at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:192)
       at org.jboss.as.security.vault.RuntimeVaultReader.createVault(RuntimeVaultReader.java:82) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
       ... 11 more
 Caused by: java.lang.NullPointerException
       at org.picketbox.plugins.vault.PicketBoxSecurityVault.checkAndConvertKeyStoreToJCEKS(PicketBoxSecurityVault.java:527)
       at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:189)
       ... 12 more

JBoss doesn't start using OpenJDK from zulu because it can't find the vault file. The location of the Vaultfile was not changed.
Getting the following 'Invalid secret key format' error after migrate to EAP 7.2

07:49:04,737 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.credential-store.cred_store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.cred_store: WFLYELY00004: Dienst kann nicht gestartet werden.
        at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:132)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738) [jboss-msc-1.4.5.Final-redhat-00001.jar:1.4.5.Final-redhat-00001]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700) [jboss-msc-1.4.5.Final-redhat-00001.jar:1.4.5.Final-redhat-00001]
        at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558) [jboss-msc-1.4.5.Final-redhat-00001.jar:1.4.5.Final-redhat-00001]
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_191-1-redhat]
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
        at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:871) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:213) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:160) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:123)
        ... 8 more
Caused by: java.io.IOException: Invalid secret key format
        at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
        at java.security.KeyStore.load(KeyStore.java:1445) [rt.jar:1.8.0_191-1-redhat]
        at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:859) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        ... 11 more

Environment

Red Hat JBoss Enterprise Application Platform (EAP)
- 6
- 7
Red Hat JBoss Data Grid
- 7.1.2
JDK that has included non-public JDK-8189997 including:
- JDK 1.8.0_171+ (OpenJDK or Oracle JDK)
- JDK 1.7.0_181+ (OpenJDK or Oracle JDK)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

New to Red Hat?

Learn more about Red Hat subscriptions

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories