Getting Invalid secret key format when starts up the server or accessing to a vault in JBoss EAP

Solution Verified - Updated -

Issue

  • EAP and vault.sh script throw the following exception:

    java.lang.Exception: WFLYSEC0045: Exception encountered:
        at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:192)
        at org.jboss.as.security.vault.VaultSession.startVaultSession(VaultSession.java:210)
        at org.jboss.as.security.vault.VaultTool.execute(VaultTool.java:193)
        at org.jboss.as.security.vault.VaultTool.main(VaultTool.java:83)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.modules.Module.run(Module.java:335)
        at org.jboss.modules.Main.main(Main.java:505)
    Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:210)
        at org.jboss.as.security.vault.VaultSession.initSecurityVault(VaultSession.java:189)
        ... 9 more
    Caused by: java.lang.RuntimeException: PBOX00140: Unable to get keystore (/path/to/vault/vault.keystore)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:691)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:205)
        ... 10 more
    Caused by: java.io.IOException: Invalid secret key format
        at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:201)
        at org.picketbox.util.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:151)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.getKeyStore(PicketBoxSecurityVault.java:688)
        ... 11 more
    
  • An ObjectInputFilter REJECTED error has been thrown when trying to create a Vault:

        WFLYSEC0056: Initializing Vault
        May 01, 2018 11:13:49 AM java.io.ObjectInputStream filterCheck
        INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 1, depth: 1, bytes: 70, ex: n/a
        WFLYSEC0059: Exception encountered:WFLYSEC0045: Exception encountered:
  • EAP 6.2.x (or earlier EAP 6.0.x/6.1.x) gives a NullPointerException with following stacktrace:

    Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.NullPointerException
           at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:192)
           at org.jboss.as.security.vault.RuntimeVaultReader.createVault(RuntimeVaultReader.java:82) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
           ... 11 more
     Caused by: java.lang.NullPointerException
           at org.picketbox.plugins.vault.PicketBoxSecurityVault.checkAndConvertKeyStoreToJCEKS(PicketBoxSecurityVault.java:527)
           at org.picketbox.plugins.vault.PicketBoxSecurityVault.init(PicketBoxSecurityVault.java:189)
           ... 12 more
    
  • JBoss doesn't start using OpenJDK from zulu because it can't find the vault file. The location of the Vaultfile was not changed.

  • Getting the following 'Invalid secret key format' error after migrate to EAP 7.2

07:49:04,737 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.credential-store.cred_store: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.cred_store: WFLYELY00004: Dienst kann nicht gestartet werden.
        at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:132)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738) [jboss-msc-1.4.5.Final-redhat-00001.jar:1.4.5.Final-redhat-00001]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700) [jboss-msc-1.4.5.Final-redhat-00001.jar:1.4.5.Final-redhat-00001]
        at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558) [jboss-msc-1.4.5.Final-redhat-00001.jar:1.4.5.Final-redhat-00001]
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364) [jboss-threads-2.3.2.Final-redhat-1.jar:2.3.2.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_191-1-redhat]
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
        at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:871) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:213) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:160) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:123)
        ... 8 more
Caused by: java.io.IOException: Invalid secret key format
        at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:856)
        at java.security.KeyStore.load(KeyStore.java:1445) [rt.jar:1.8.0_191-1-redhat]
        at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:859) [wildfly-elytron-1.6.1.Final-redhat-00001.jar:1.6.1.Final-redhat-00001]
        ... 11 more

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6
    • 7
  • Red Hat JBoss Data Grid
    • 7.1.2
  • JDK that has included non-public JDK-8189997 including:
    • JDK 1.8.0_171+ (OpenJDK or Oracle JDK)
    • JDK 1.7.0_181+ (OpenJDK or Oracle JDK)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In