keywhiz.cli login


Justin Smith

Apr 28, 2015, 3:42:25 PM
to keywhi...@googlegroups.com
Is there any way to specify the user to log in as?

I was expecting something like 'keywhiz.cli login -u keywhizAdmin -p adminPass'

How does one create new user accounts to log in with? Are those called "clients"?

Justin Smith

Apr 29, 2015, 3:03:50 PM
to keywhi...@googlegroups.com
I manually added a user to the users table, keeping the 'adminPass' credentials.

I can log in as that user to the web UI, but I get this error when logging in from the console:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 28 more

Carol Bloch

May 20, 2015, 3:48:04 PM
to keywhi...@googlegroups.com
I'm running into the same problem. Did you ever resolve this? I get the ValidatorException when I try to log in with the CLI.

Justin Cummins

May 20, 2015, 7:42:10 PM
to Carol Bloch, keywhi...@googlegroups.com

Hi Carol,

What hostname are you using to connect to? The development certificate in the repository is valid for ‘localhost’ or ‘127.0.0.1’ though the former is preferred.

You’ll also have to instruct Java to trust the certificate authority that signed that certificate. There’s an open issue to make a command-line argument for this, but adding the Java flags -Djavax.net.ssl.trustStore=path/to/keywhiz/repository/server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies work in the meantime. Normally, these flags aren’t needed outside of development, because the certificate authority would be put in the default JRE truststore.


--
You received this message because you are subscribed to the Google Groups "keywhiz-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keywhiz-user...@googlegroups.com.
To post to this group, send email to keywhi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keywhiz-users/a8bb34a2-a18a-4c17-affa-7e41af0d7c14%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Carol Bloch

May 21, 2015, 10:12:09 AM
to keywhi...@googlegroups.com, csb...@comcast.net
Hi Justin,

Thanks for your response.
I'm using localhost to get to the admin console with no issue. I can even log in with my new user on the admin console.

I added the Java flags to the command to start the Keywhiz server, but when I try to log in using the CLI, I still get the ValidatorException:

unable to find valid certification path to requested target.  

Carol

Carol Bloch

May 21, 2015, 11:14:16 AM
to keywhi...@googlegroups.com
I also tried putting the -Djavax options on the CLI command. What I now get is a bad padding exception:

Exception in thread "main" java.lang.RuntimeException: java.security.KeyStoreException: problem accessing trust store: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

Google says this is likely an issue with the keystore password. I can't look at that truststore using keytool and that password. Is it possible the password ponieswork is not correct?


Carol


Justin Cummins

May 21, 2015, 2:49:40 PM
to Carol Bloch, keywhi...@googlegroups.com

Yes, that’s the correct password for the dev_and_test_truststore.p12 file checked into the keywhiz repository. If you have created your own keystore file, it could definitely be different. Here’s how I invoke keytool to list the contents:

~/Development/keywhiz (master) $ keytool -list -keystore server/src/main/resources/dev_and_test_truststore.p12 -storetype PKCS12 -storepass ponies

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

ca, May 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 4B:FE:F0:C8:E2:7B:05:C7:EC:00:9E:B0:4B:CD:07:5F:06:7E:B3:15

Does invoking keytool that way work for you?

Also note Java 8 (or newer) is required for Keywhiz. We’re using PKCS12 format keystore files, which are only supported as truststores in Java 8 and will become the default in Java 9. If your keytool is packaged with JDK 7 or earlier, it may not work as expected. Unfortunately, I don’t think keytool has an option to spit out its version.



Carol Bloch

May 21, 2015, 4:40:28 PM
to keywhi...@googlegroups.com, csb...@comcast.net
Thanks again for the reply. When I cut and pasted from the original post, I got an additional word appended to my password, making it ponieswork. :(
So, I retried with the correct password and now I get this error:  

Exception in thread "main" java.io.IOException: Hostname Carols-MacBook-Pro.local not verified:
    certificate: sha1/5mFHv+tKWhzfTWCX4GUQDrbJIxE=
    DN: CN=localhost, OU=server
    subjectAltNames: [127.0.0.1, localhost]
at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:260)

You asked in an earlier post about the hostname. Looks like my hostname is set to Carols-MacBook-Pro.local. Do I need to change the hostname, or do you know if there is a way to override it? This is the command I'm using:

java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar login



Justin Cummins

May 21, 2015, 8:51:45 PM
to Carol Bloch, keywhi...@googlegroups.com

Aha, I see what’s wrong. Try:

java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444 login

That’s the same command you had, but with --url https://localhost:4444 added. The CLI tries to figure out the server URL if it is not specified. I plan to change the default to be this value. Also, I will have it display the assumed URL.
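
The "Hostname Carols-MacBook-Pro.local not verified" error above is the client comparing the host part of the URL it connected to against the certificate's subjectAltName entries. The development certificate names only 127.0.0.1 and localhost, so a machine's own hostname can never match, whichever truststore is configured; pointing the CLI at https://localhost:4444 works because localhost is in the SAN list. The Python below is an added example, not Keywhiz or OkHttp code. It implements the SAN matching rules a TLS client applies (exact DNS match, a single left-most wildcard label, IP entries compared as addresses, no fallback to the subject CN) against a constructed record of the SAN and CN printed in the error, and lists the URLs a client could legitimately use. The port 4444 is taken from the command above; the function names and the dict layout are chosen here.

```python
import ipaddress
import re

# Constructed from the fields the CLI printed in the error above; this is not
# the real certificate, only the identity information it carries.
DEV_CERT = {
    "subject_cn": "localhost",
    "san": [("IP", "127.0.0.1"), ("DNS", "localhost")],
}

_LABEL = re.compile(r"^[a-z0-9-]+$")


def _match_dns(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the whole left-most label, only when at least two fixed
    labels follow it (so "*.com" never matches), and it covers exactly one
    label (so "*.example.com" does not match "a.b.example.com").
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and _LABEL.match(h_labels[0]) is not None


def hostname_matches(cert: dict, host: str) -> bool:
    """Return True if `host` is covered by the certificate's SAN entries.

    If `host` parses as an IP address it is compared against iPAddress SAN
    entries only; otherwise it is compared against dNSName entries only.
    The subject CN is never consulted: RFC 6125 forbids the CN fallback when
    the SAN carries DNS names, and this example does not implement the
    legacy fallback at all, so a CN-only certificate matches nothing.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert["san"]:
        if ip is not None and kind == "IP":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS":
            if _match_dns(value, host):
                return True
    return False


def usable_urls(cert: dict, port: int) -> list:
    """List the https:// URLs whose host part this certificate will verify.

    Wildcard DNS entries are skipped (a wildcard cannot appear in a URL) and
    IPv6 literals are bracketed as URL syntax requires.
    """
    urls = []
    for kind, value in cert["san"]:
        if kind == "DNS" and "*" in value:
            continue
        host = f"[{value}]" if kind == "IP" and ":" in value else value
        urls.append(f"https://{host}:{port}")
    return urls


if __name__ == "__main__":
    for name in ("Carols-MacBook-Pro.local", "localhost", "127.0.0.1"):
        print(f"{name:28} -> {hostname_matches(DEV_CERT, name)}")
    print("usable:", usable_urls(DEV_CERT, 4444))
```

The same logic explains why adding the truststore flags alone did not help: chain validation (the earlier PKIX error) and hostname verification are two independent checks, and the second one only sees the name you typed in the URL, never the address it resolves to.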


Carol Bloch

May 22, 2015, 11:17:58 AM
to keywhi...@googlegroups.com, csb...@comcast.net
Thanks again for all the help. You have moved me a little bit forward. I can now log in and I can do the list command, but if I try the add secrets command from the CLI, it gives me an error indicating it's not logged in:

java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444 add secrets --name edgesecret < request.json

Exception in thread "main" java.lang.RuntimeException: Please login by running a command without piping.
For example: keywhiz.cli login
at keywhiz.cli.ClientUtils.readPassword(ClientUtils.java:191)
at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:119)
at keywhiz.cli.CliMain.main(CliMain.java:68)


I can follow that command with the list command and it still works. Is my format for the add secrets command correct? request.json is a JSON file based on the example in the doc. In the Keywhiz log file, I see a missing session cookie message, but nothing else.

So two questions: is the secrets file used in the CLI a JSON file, and is there something more that needs to be passed on an add secret command?

Carol Bloch

May 22, 2015, 3:43:38 PM
to keywhi...@googlegroups.com
Got past this problem too, by changing the < json.request to --json '{"metadata":{"owner":"root","group":"root","mode":"0400"}, "name":"edgesecret",  "description":"example uaa edge secret", "withVersion":false, "content":"a2V5dGFiIGNvbnRlbnQ="}'

Now the command line stops in the same place, but if I press Cmd-D on the command line, it sends an end-of-file and the error:

Exception in thread "main" java.lang.RuntimeException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token
 at [Source: {"metadata":{"owner":"root","group":"root","mode":"0400"}, "name":"edgesecret",  "description":"example uaa edge secret", "withVersion":false, "content":"a2V5dGFiIGNvbnRlbnQ="}; line: 1, column: 2]
at com.google.common.base.Throwables.propagate(Throwables.java:160)
at keywhiz.cli.commands.AddAction.getMetadata(AddAction.java:178)
at keywhiz.cli.commands.AddAction.run(AddAction.java:118)
at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:140)
at keywhiz.cli.CliMain.main(CliMain.java:68)
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token
 at [Source: {"metadata":{"owner":"root","group":"root","mode":"0400"}, "name":"edgesecret",  "description":"example uaa edge secret", "withVersion":false, "content":"a2V5dGFiIGNvbnRlbnQ="}; line: 1, column: 2]
at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148)


The JSON for metadata looks good to me, so I'm not sure why it can't deserialize. Has anyone been able to add a secret from the CLI, and if so, can you provide the format used?

Justin Cummins

May 26, 2015, 4:06:56 PM
to Carol Bloch, keywhi...@googlegroups.com

How about this?

> alias keywhiz.cli='java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444'
> keywhiz.cli login
> keywhiz.cli add secrets --name edgesecret --json '{"owner":"root","group":"root","mode":"0400"}' < edgesecret.txt

The --json argument is just for metadata (and perhaps should be named that), not a request object serialized to JSON. Generally, it’s not needed because the defaults from the mountpoint will be fine. However, I put an example above that should work.

For this example the bytes in edgesecret.txt will be exactly what is served as the secret edgesecret.



Carol Bloch

May 26, 2015, 6:21:27 PM
to keywhi...@googlegroups.com, csb...@comcast.net
No luck.  

alias cli='java -Djavax.net.ssl.trustStore=./server/src/main/resources/dev_and_test_truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=ponies -jar -Duser.name=keywhizAdmin ./cli/target/keywhiz-cli-0.7.4-SNAPSHOT-shaded.jar --url https://localhost:4444'

Carols-MacBook-Pro:keywhiz carolbloch$ cli login
password for 'keywhizAdmin': 

Carols-MacBook-Pro:keywhiz carolbloch$ cli add secrets --name edgesecret --json '{"owner":"root","group":"root","mode":"0400"}' < edgesecret.txt
Exception in thread "main" java.lang.RuntimeException: Please login by running a command without piping.
For example: keywhiz.cli login
at keywhiz.cli.ClientUtils.readPassword(ClientUtils.java:191)
at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:119)
at keywhiz.cli.CliMain.main(CliMain.java:68)


I'm providing the same password that works on the admin web page: adminPass.


Carol

Justin Cummins

May 28, 2015, 6:12:50 PM
to Carol Bloch, keywhi...@googlegroups.com
I found a problem with HttpCookie and its use in the CLI. The class tries to determine what style a cookie is and serializes it differently based on that. The consequence is that sometimes the proper session cookie isn't being sent in development. There's a PR to fix it just waiting for review.

Justin Cummins

Jun 1, 2015, 2:42:55 PM
to Carol Bloch, keywhi...@googlegroups.com
The PR I mentioned was merged to master on Friday.