Nuxeo Platform / NXP-31533

Fix stream.sh errors when using encrypted Kafka keystore/truststore passwords (LTS 2021)


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2021.0
    • Fix Version/s: None
    • Component/s: Streams

      Description

      If the kafka.keystore.password and kafka.truststore.password configuration parameters are encrypted in LTS 2021, calls to stream.sh fail with an error while creating the KafkaAdminClient.

      Steps to Reproduce:

      1. Configure a Nuxeo LTS 2021 instance with Kafka (tested with 2.13-2.8.0).
      2. Configure Kafka with SSL authentication (create and sign keystore/truststore).
      3. Configure the Kafka keystore/truststore parameters in nuxeo.conf:
        • kafka.ssl=true
        • kafka.security.protocol=SSL
        • kafka.keystore.path=${PATH-TO-KEYSTORE}
        • kafka.keystore.type=JKS
        • kafka.truststore.path=${PATH-TO-TRUSTSTORE}
        • kafka.truststore.type=JKS
      4. Encrypt the Kafka keystore/truststore passwords using the following:
        nuxeoctl config kafka.keystore.password --encrypt --set -q
        nuxeoctl config kafka.truststore.password --encrypt --set -q
      5. Start Kafka & Nuxeo; confirm that the encrypted values are present in bin/nuxeo.conf and that the generated file nxserver/config/kafka-config.xml contains dynamic values for the keystore/truststore passwords:
        <property name="ssl.truststore.password">${kafka.truststore.password}</property>
        <property name="ssl.keystore.password">${kafka.keystore.password}</property>
      6. After starting the Nuxeo & Kafka instances, test a call to bin/stream.sh:
        ./bin/stream.sh -k lag

      Expected behavior: stream.sh decrypts the keystore/truststore passwords and uses them to connect to and monitor the Kafka server.

      Actual behavior: stream.sh fails to run with the following error:

      Exception in thread "main" org.apache.kafka.common.KafkaException: Failed to create new KafkaAdminClient
              at org.apache.kafka.clients.admin.KafkaAdminClient.createInternal(KafkaAdminClient.java:499)
              at org.apache.kafka.clients.admin.Admin.create(Admin.java:63)
              at org.apache.kafka.clients.admin.AdminClient.create(AdminClient.java:39)
              at org.nuxeo.lib.stream.log.kafka.KafkaUtils.<init>(KafkaUtils.java:84)
              at org.nuxeo.lib.stream.log.kafka.KafkaLogManager.lambda$new$0(KafkaLogManager.java:78)
              at java.base/java.util.Collections$SingletonList.forEach(Collections.java:4856)
              at org.nuxeo.lib.stream.log.kafka.KafkaLogManager.<init>(KafkaLogManager.java:78)
              at org.nuxeo.lib.stream.log.kafka.KafkaLogManager.<init>(KafkaLogManager.java:65)
              at org.nuxeo.lib.stream.tools.Main.createKafkaManager(Main.java:116)
              at org.nuxeo.lib.stream.tools.Main.createManager(Main.java:107)
              at org.nuxeo.lib.stream.tools.Main.runWithArgs(Main.java:86)
              at org.nuxeo.lib.stream.tools.Main.run(Main.java:77)
              at org.nuxeo.lib.stream.tools.Main.main(Main.java:64)
      Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore ${PATH-TO-KEYSTORE} of type JKS
              at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:74)
              at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
              at org.apache.kafka.common.network.ChannelBuilders.clientChannelBuilder(ChannelBuilders.java:73)
              at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:105)
              at org.apache.kafka.clients.admin.KafkaAdminClient.createInternal(KafkaAdminClient.java:474)
              ... 12 more
      Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore ${PATH-TO-KEYSTORE} of type JKS
              at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$SecurityStore.load(DefaultSslEngineFactory.java:306)
              at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$SecurityStore.<init>(DefaultSslEngineFactory.java:285)
              at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.createKeystore(DefaultSslEngineFactory.java:255)
              at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory.configure(DefaultSslEngineFactory.java:139)
              at org.apache.kafka.common.security.ssl.SslFactory.instantiateSslEngineFactory(SslFactory.java:136)
              at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:93)
              at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:72)
              ... 16 more
      Caused by: java.io.IOException: keystore password was incorrect
              at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117)
              at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243)
              at java.base/java.security.KeyStore.load(KeyStore.java:1479)
              at org.apache.kafka.common.security.ssl.DefaultSslEngineFactory$SecurityStore.load(DefaultSslEngineFactory.java:303)
              ... 22 more
      Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
              ... 26 more
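The chain of causes above ends in "keystore password was incorrect", which is what the Kafka client reports when the keystore file is found but the password handed to it is not the real store password. The following diagnostic is an added example, not code from the Nuxeo project or this ticket: it parses a nuxeo.conf and a kafka-config.xml the way a tool that substitutes ${...} placeholders without decrypting them would, and flags any ssl.*.password property that would reach the Kafka client still encrypted or unresolved. The sample nuxeo.conf and XML are constructed (paths and token bodies are fake), the XML layout is a simplified stand-in for the generated file, and the assumption that values written by `nuxeoctl config --encrypt` start with "{$" is mine, not stated in the issue; adjust ENCRYPTED_PREFIX if your installation uses a different marker.

```python
import re
import xml.etree.ElementTree as ET

# Assumption (not from the issue): values encrypted by `nuxeoctl config
# --encrypt` are stored as tokens beginning with "{$". Change if needed.
ENCRYPTED_PREFIX = "{$"
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample of the relevant nuxeo.conf lines (all values are fake).
SAMPLE_NUXEO_CONF = """\
kafka.ssl=true
kafka.security.protocol=SSL
kafka.keystore.path=/opt/nuxeo/ssl/kafka.keystore.jks
kafka.keystore.type=JKS
kafka.truststore.path=/opt/nuxeo/ssl/kafka.truststore.jks
kafka.truststore.type=JKS
# Tokens as written by `nuxeoctl config --encrypt`; bodies are made up.
kafka.keystore.password={$$EXAMPLE_ENCRYPTED_TOKEN$$}
kafka.truststore.password={$$EXAMPLE_ENCRYPTED_TOKEN$$}
"""

# Constructed, simplified stand-in for nxserver/config/kafka-config.xml,
# keeping the dynamic password properties the issue describes.
SAMPLE_KAFKA_CONFIG_XML = """\
<component name="sample.kafka.config">
  <kafkaConfig name="default" topicPrefix="nuxeo-">
    <producer>
      <property name="security.protocol">${kafka.security.protocol}</property>
      <property name="ssl.keystore.location">${kafka.keystore.path}</property>
      <property name="ssl.keystore.type">${kafka.keystore.type}</property>
      <property name="ssl.keystore.password">${kafka.keystore.password}</property>
      <property name="ssl.truststore.location">${kafka.truststore.path}</property>
      <property name="ssl.truststore.type">${kafka.truststore.type}</property>
      <property name="ssl.truststore.password">${kafka.truststore.password}</property>
    </producer>
  </kafkaConfig>
</component>
"""


def parse_nuxeo_conf(text):
    """Parse key=value lines of a nuxeo.conf into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def resolve_properties(xml_text, conf):
    """Collect every <property name=...> and substitute ${key} from conf.

    Substitution is literal: no decryption is applied, which reproduces what
    the reported stream.sh run effectively hands to the Kafka client.
    """
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        raw = prop.text or ""
        resolved = PLACEHOLDER.sub(lambda m: conf.get(m.group(1), m.group(0)), raw)
        props[prop.get("name")] = resolved
    return props


def audit_ssl_passwords(props):
    """Return (property, reason) pairs for password values Kafka cannot use."""
    findings = []
    for name, value in props.items():
        if not name.endswith(".password"):
            continue
        if PLACEHOLDER.search(value):
            findings.append((name, "unresolved placeholder"))
        elif value.startswith(ENCRYPTED_PREFIX):
            findings.append((name, "still encrypted; Kafka will report "
                                   "'keystore password was incorrect'"))
    return findings


if __name__ == "__main__":
    conf = parse_nuxeo_conf(SAMPLE_NUXEO_CONF)
    props = resolve_properties(SAMPLE_KAFKA_CONFIG_XML, conf)
    for name, reason in audit_ssl_passwords(props):
        print(f"{name}: {reason}")
```

Run against a real installation by reading bin/nuxeo.conf and nxserver/config/kafka-config.xml into the two parse calls; a finding for ssl.keystore.password or ssl.truststore.password means the client is being given the ciphertext token rather than the store password, which matches the BadPaddingException at the bottom of the trace. To confirm the store itself is fine, `keytool -list -keystore <path> -storetype JKS` with the plaintext password should succeed.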