failing with own keys


Jonathan Brooks

Mar 23, 2022, 3:58:26 PM
to dcm4che
Dear Vrinda, Gunter,

I've been trying to deploy using my own certificate/key pair, which may or may not have been generated properly, and I'm getting warnings running in the jboss-cli:

[standalone@localhost:9993 /] deploy /opt/DCM4CHEE/dcm4chee-arc-5.25.2-mysql-secure/deploy/dcm4chee-arc-ear-5.25.2-mysql-secure.ear

Gives lots of red errors: any hints on where I should be focussing my attention would be greatly appreciated.

Thanks in advance,

Jon

19:41:41,206 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 100) MSC000001: Failed to start service jboss.deployment.subunit."dcm4chee-arc-ear-5.25.2-mysql-secure.ear"."dcm4chee-arc-service-5.25.2.jar".component.ArchiveServiceImpl.START: org.jboss.msc.service.StartException in service jboss.deployment.subunit."dcm4chee-arc-ear-5.25.2-mysql-secure.ear"."dcm4chee-arc-service-5.25.2.jar".component.ArchiveServiceImpl.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.ComponentStartService$1.run(ComponentStartService.java:57)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348)
        at java.base/java.lang.Thread.run(Thread.java:829)
        at org.jbos...@2.4.0.Final//org.jboss.threads.JBossThread.run(JBossThread.java:513)
Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.BasicComponent.constructComponentInstance(BasicComponent.java:170)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.BasicComponent.constructComponentInstance(BasicComponent.java:141)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.BasicComponent.createInstance(BasicComponent.java:88)
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.component.singleton.SingletonComponent.getComponentInstance(SingletonComponent.java:127)
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.component.singleton.SingletonComponent.start(SingletonComponent.java:141)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.ComponentStartService$1.run(ComponentStartService.java:54)
        ... 8 more
Caused by: javax.ejb.EJBException: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:268)
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.requiresNew(CMTTxInterceptor.java:416)
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.tx.LifecycleCMTTxInterceptor.processInvocation(LifecycleCMTTxInterceptor.java:68)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbos...@24.0.1.Final//org.jboss.as.weld.injection.WeldInjectionContextInterceptor.processInvocation(WeldInjectionContextInterceptor.java:43)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.component.singleton.StartupCountDownInterceptor.processInvocation(StartupCountDownInterceptor.java:25)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.BasicComponent.constructComponentInstance(BasicComponent.java:168)
        ... 13 more
Caused by: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
        at deployment.dcm4chee-arc-ear-5.25.2-mysql-secure.ear.dcm4chee-arc-service-5.25.2.jar//org.dcm4chee.arc.impl.ArchiveServiceImpl.init(ArchiveServiceImpl.java:204)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptor.java:96)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
        at org.jboss.as...@24.0.1.Final//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:79)
        at org.jboss.as...@24.0.1.Final//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doLifecycleInterception(Jsr299BindingsInterceptor.java:126)
        at org.jboss.as...@24.0.1.Final//org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:112)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
        at org.jboss...@3.1.7.SP1//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
        at org.jboss.as...@24.0.1.Final//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbos...@24.0.1.Final//org.jboss.as.weld.injection.WeldInjectionInterceptor.processInvocation(WeldInjectionInterceptor.java:53)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.ManagedReferenceFieldInjectionInterceptorFactory$ManagedReferenceFieldInjectionInterceptor.processInvocation(ManagedReferenceFieldInjectionInterceptorFactory.java:112)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.ManagedReferenceFieldInjectionInterceptorFactory$ManagedReferenceFieldInjectionInterceptor.processInvocation(ManagedReferenceFieldInjectionInterceptorFactory.java:112)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.AroundConstructInterceptorFactory$1.processInvocation(AroundConstructInterceptorFactory.java:28)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbos...@24.0.1.Final//org.jboss.as.weld.injection.WeldInterceptorInjectionInterceptor.processInvocation(WeldInterceptorInjectionInterceptor.java:56)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbos...@24.0.1.Final//org.jboss.as.weld.interceptors.Jsr299BindingsCreateInterceptor.processInvocation(Jsr299BindingsCreateInterceptor.java:111)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbo...@24.0.1.Final//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
        at org.jboss....@1.6.0.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jbos...@24.0.1.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:254)
        ... 28 more
Caused by: java.io.IOException: Unable to start TCPListener on localhost:12575
        at org.dcm...@5.25.2//org.dcm4che3.net.TCPListener.<init>(TCPListener.java:77)
        at org.dcm...@5.25.2//org.dcm4che3.net.Connection.bind(Connection.java:988)
        at org.dcm...@5.25.2//org.dcm4che3.net.Device.bindConnections(Device.java:746)
        at deployment.dcm4chee-arc-ear-5.25.2-mysql-secure.ear.dcm4chee-arc-service-5.25.2.jar//org.dcm4chee.arc.impl.ArchiveServiceImpl.start(ArchiveServiceImpl.java:243)
        at deployment.dcm4chee-arc-ear-5.25.2-mysql-secure.ear.dcm4chee-arc-service-5.25.2.jar//org.dcm4chee.arc.impl.ArchiveServiceImpl.init(ArchiveServiceImpl.java:198)
        ... 58 more
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2116)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
        at java.base/java.security.KeyStore.load(KeyStore.java:1479)
        at org.dcm...@5.25.2//org.dcm4che3.net.SSLManagerFactory.loadKeyStore(SSLManagerFactory.java:92)
        at org.dcm...@5.25.2//org.dcm4che3.net.SSLManagerFactory.loadKeyStore(SSLManagerFactory.java:83)
        at org.dcm...@5.25.2//org.dcm4che3.net.SSLManagerFactory.createKeyManager(SSLManagerFactory.java:110)
        at org.dcm...@5.25.2//org.dcm4che3.net.Device.km(Device.java:1094)
        at org.dcm...@5.25.2//org.dcm4che3.net.Device.keyManagers(Device.java:1200)
        at org.dcm...@5.25.2//org.dcm4che3.net.Device.sslContext(Device.java:1194)
        at org.dcm...@5.25.2//org.dcm4che3.net.TCPListener.createTLSServerSocket(TCPListener.java:83)
        at org.dcm...@5.25.2//org.dcm4che3.net.TCPListener.<init>(TCPListener.java:67)
        ... 62 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 73 more

19:41:41,215 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("deploy") failed - address: ({"deployment" => "dcm4chee-arc-ear-5.25.2-mysql-secure.ear"}) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"dcm4chee-arc-ear-5.25.2-mysql-secure.ear\".\"dcm4chee-arc-service-5.25.2.jar\".component.ArchiveServiceImpl.START" => "java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: javax.ejb.EJBException: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: keystore password was incorrect
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."}}
19:41:41,216 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("deploy") failed - address: ({"deployment" => "dcm4chee-arc-ear-5.25.2-mysql-secure.ear"}) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"dcm4chee-arc-ear-5.25.2-mysql-secure.ear\".\"dcm4chee-arc-service-5.25.2.jar\".component.ArchiveServiceImpl.START" => "java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: javax.ejb.EJBException: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: keystore password was incorrect
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."}}
19:41:41,217 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "dcm4chee-arc-ear-5.25.2-mysql-secure.ear" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"dcm4chee-arc-ear-5.25.2-mysql-secure.ear\".\"dcm4chee-arc-service-5.25.2.jar\".component.ArchiveServiceImpl.START" => "java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: javax.ejb.EJBException: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: keystore password was incorrect
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."}}




Jonathan Brooks

Mar 23, 2022, 4:11:17 PM
to dcm4che
I suspect the bits where I'm failing are here:

From the section securing Wildfly:
To enable archive UI login with https as well, configure the following :
[standalone@localhost:9990 /] /subsystem=elytron/key-store=httpsKS:add(credential-reference={clear-text=secret},type=PKCS12,path=/home/vrinda/work/secure/wildfly-24.0.1.Final/standalone/configuration/keystores/key.p12) [standalone@localhost:9990 /] /subsystem=elytron/key-manager=httpsKM:add(algorithm=SunX509,key-store=httpsKS,credential-reference={clear-text=secret})

Here I change "secret" to be the password I chose when creating my cacerts.p12 file, which I did as follows:

sudo openssl pkcs12 -export -out cacerts.p12 -inkey store-key.key -in uwwbic-store.pem -certfile CAcert.cer

Enter pass phrase for store-key.key: <long password I've been given>

Enter Export Password: <I choose this>

This is the same password I use to import the keystore using keytool as directed during the keycloak instructions.

I'm way out of my depth here, so any help would be amazing.

Best wishes,
Jon

Vrinda Nayak

Mar 24, 2022, 6:23:10 AM
to dcm4che
My comments inline
[standalone@localhost:9990 /] /subsystem=elytron/key-store=httpsKS:add(credential-reference={clear-text=secret},type=PKCS12,path=/home/vrinda/work/secure/wildfly-24.0.1.Final/standalone/configuration/keystores/key.p12) [standalone@localhost:9990 /] /subsystem=elytron/key-manager=httpsKM:add(algorithm=SunX509,key-store=httpsKS,credential-reference={clear-text=secret})

Here I change "secret" to be the password I chose when creating my cacerts.p12 file, which I did as follows:
Password of key.p12 should be used here and not of cacerts.p12 

On another note, the page already mentions to replace the paths of keystore / truststore to the paths pointing to your Keycloak / Wildfly locations (wherever applicable). This is implicit enough to indicate that the passwords should also be changed from "secret" to the ones created on creation of respective keystores / truststores. Anyway, to make it explicit, I will add similar notes for passwords as well.

Jonathan Brooks

Mar 24, 2022, 8:31:25 AM
to dcm...@googlegroups.com
Hi Vrinda,

Thanks - I did use the keystore password I chose when creating cacerts.p12, but I think I'm using the wrong key. At the moment I just copy cacerts.p12 to key.p12, but clearly this isn't right/working.

Any advice would be much appreciated.

Best wishes,

Jon

--
You received this message because you are subscribed to a topic in the Google Groups "dcm4che" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/dcm4che/YU5QlPyuqrs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to dcm4che+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dcm4che/ec6c8b37-93dd-4023-9e92-a3f94a56529en%40googlegroups.com.

Vrinda Nayak

Mar 24, 2022, 10:24:01 AM
to dcm4che
Generation of

The wiki pages need some revamp, and it is on my list.

Jonathan Brooks

Mar 24, 2022, 2:43:37 PM
to dcm4che
Hi Vrinda,

Thanks for these pointers - can I check something..? The instructions in those links, are they already incorporated in your page https://github.com/dcm4che/dcm4chee-arc-light/wiki/Secure-Archive-UI-and-RESTful-Services-using-Keycloak? These are the instructions I've been following - and with your self-signed cacerts and key, archive seems to be working fine. It's only when I try to include my own cacerts/key that it all goes wrong. 

Follow on question, if I replaced all the instances of "secret" with my new password "moresecret" for my own cacerts.p12 and key.p12 in the commands entered using jboss-cli, would I still need to add additional sections as described in the two links (previous message) you sent, and search and replace "secret"?

Thanks again.

Jon

Vrinda Nayak

Mar 25, 2022, 6:57:55 AM
to dcm4che

Follow on question, if I replaced all the instances of "secret" with my new password "moresecret" for my own cacerts.p12 and key.p12 in the commands entered using jboss-cli, would I still need to add additional sections as described in the two links (previous message) you sent, and search and replace "secret"?
No

Jonathan Brooks

Mar 26, 2022, 10:01:29 AM
to dcm4che
Hi Vrinda,

Thanks for confirming that. 

I'm following the instructions for deploying the server and still getting errors. From here

/subsystem=keycloak/secure-deployment=dcm4chee-arc-ui2-5.x.x-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,auth-server-url=https://<keycloak-host>:8843/auth,ssl-required=external,public-client=true,truststore=/home/vrinda/work/secure/wildfly-24.0.1.Final/standalone/configuration/keystores/cacerts.p12,truststore-password=secret,allow-any-hostname=true)
/subsystem=keycloak/secure-deployment=dcm4chee-arc-war-5.x.x-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-rs,auth-server-url=https://<keycloak-host>:8843/auth,ssl-required=external,bearer-only=true,truststore=/home/vrinda/work/secure/wildfly-24.0.1.Final/standalone/configuration/keystores/cacerts.p12,truststore-password=secret,allow-any-hostname=true)

I replace <keycloak-host> with my server's FQDN
I replace /home/vrinda/work/secure/wildfly-24.0.1.Final with my $WILDFLY_HOME
I replace secret with <my keystore password>

These commands return {"outcome" => "success"}

But the deployment step fails. 

[standalone@localhost:9993 /] deploy /opt/DCM4CHEE/dcm4chee-arc-5.25.2-mysql-secure/deploy/dcm4chee-arc-ear-5.25.2-mysql-secure.ear
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"dcm4chee-arc-ear-5.25.2-mysql-secure.ear\".\"dcm4chee-arc-service-5.25.2.jar\".component.ArchiveServiceImpl.START" => "java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: javax.ejb.EJBException: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: keystore password was incorrect
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."}}}}

Again this looks like a password problem, but I know for a fact that I entered the keystore password correctly. Are there limits on the length of the password? It doesn't use any special characters.

I'm a bit lost with this...

Hope you can suggest something I can try..

Best wishes,

Jon

zaka

Mar 26, 2022, 11:05:39 AM
to dcm4che
Hi! It seems to me your problems are coming from here:

Here I change "secret" to be the password I chose when creating my cacerts.p12 file, which I did as follows:

sudo openssl pkcs12 -export -out cacerts.p12 -inkey store-key.key -in uwwbic-store.pem -certfile CAcert.cer

Enter pass phrase for store-key.key: <long password I've been given>

Enter Export Password: <I choose this>

This is the same password I use to import the keystore using keytool as directed during the keycloak instructions.

What is the relationship between 'store-key.key', 'uwwbic-store.pem' and 'CAcert.cer'? Where did they come from?

Jonathan Brooks

Mar 28, 2022, 6:03:08 PM
to dcm4che
Hi Zaka,

So on the server we created a certificate signing request (.csr) using:

$ sudo openssl req -newkey rsa:4096 -keyout store-key.key -out uwwbic-store.csr

This prompts for a password to protect the private key (e.g. secret)

The .csr file is sent to signing authority (our local IT team), and they returned the signed certificate: new-cert.cer.

I downloaded their public(?) certificate (CAcert.cer), which was combined with the signed certificate:

$ cat new-cert.cer CAcert.cer > uwwbic.store.pem

which is converted to .p12 format with the command you listed above.

The exported pkcs12 format cacerts.p12 file prompts for an export password, and I chose this to be the *same* as the private key (e.g. secret).

I tried creating a key.p12 file using the store-key.key and the following command:

$ sudo openssl pkcs12 -export -nocerts -inkey store-key.key -out store-key.p12

However, this failed to work during keycloak install i.e. after instructions say to use keytool to import the new certificate (cacerts.p12) into the JAVA keystore. At this point it should have been possible to make a secure connection via jboss-cli to the keycloak server, but I was warned that the key wasn't valid (or something like that), so reverted to copying cacerts.p12 to key.p12 - which seems a little wrong(?) and used that as the key - which allowed jboss-cli to connect as expected.

Bit lost here - any help much appreciated.

Cheers, Jon

zaka

Mar 29, 2022, 1:05:19 PM
to dcm4che
Hi Jon!
First of all check your CA root certificate:
$ openssl x509 -text -noout -inform der -in <path-to>/CAcert.cer (DER format)
or
$ openssl x509 -text -noout -in <path-to>/CAcert.cer (PEM format)
Pay attention to X509v3 Basic Constraints, there must be 'CA:TRUE'.
When creating the CSR, subject parameters C, ST, L, O, OU should be the same as in the root certificate; CN may be an alias of your certificate or the FQDN of your server.

Then it would be good to check 'new-cert.cer' from signing authority:
$ openssl x509 -text -noout -in <path-to>/new-cert.cer (PEM format)
Verify subject parameters C, ST, L, O, OU and CN.
Verify X509v3 extensions, there must be at least:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:<your FQDN>, IP Address:<your IP>
It is very important that the X509v3 Subject Alternative Name or the CN contains your FQDN and/or IP!
And it would be good to verify the 'chain of trust' with:
$ openssl verify -CAfile <path-to>/CAcert.cer <path-to>/new-cert.cer

And lastly, the right OPENSSL command to convert key/certificate to PKCS12 format for JAVA must have the options -noiter -nomaciter! And there is no need to combine 'new-cert.cer' and 'CAcert.cer' into 'uwwbic.store.pem'; openssl can do it for you while converting to PKCS12.
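The chain-of-trust and extension checks listed in the message above, as an added Go example using only the standard library's crypto/x509 (this is not code from the thread or from the dcm4che project). It builds a throwaway root, intermediate and server certificate in memory (the CA names and the FQDN are taken from the redacted dumps elsewhere in the thread), reproduces the "unable to get local issuer certificate" failure when only the root is supplied, shows the verification succeed once the intermediate is added, and goes one step beyond the thread by demonstrating that a certificate with the FQDN only in its CN and no Subject Alternative Name fails hostname verification in Go, as it does in current browsers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI mirroring the thread: root CA (CAcert.cer),
// intermediate (SUB2cert.cer) and server certificate (certnew.cer), all built in memory.
type Chain struct {
	Root, Sub, Leaf *x509.Certificate
}
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// sign issues tmpl under parent (self-signed when tmpl == parent).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// BuildChain creates root -> intermediate -> leaf. With withSAN=false the leaf
// carries the FQDN only in its CN, exactly like the certnew.cer shown in the thread.
func BuildChain(fqdn string, withSAN bool) Chain {
	now := time.Now()
	rootKey, subKey, leafKey := mustKey(), mustKey(), mustKey()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true, // X509v3 Basic Constraints: CA:TRUE
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "University of Somewhere RootCA")
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	sub := sign(caTmpl(2, "University of Somewhere Sub2CA"), root, &subKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(3),
		Subject:               pkix.Name{CommonName: fqdn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA:FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN { leafTmpl.DNSNames = []string{fqdn} } // X509v3 Subject Alternative Name
	return Chain{Root: root, Sub: sub, Leaf: sign(leafTmpl, sub, &leafKey.PublicKey, subKey)}
}

// VerifyChain is the analogue of
//   openssl verify -CAfile CAcert.cer [-untrusted SUB2cert.cer] certnew.cer
// and returns nil on "OK". A non-empty fqdn also checks the hostname like a TLS client.
func VerifyChain(c Chain, withIntermediate bool, fqdn string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: fqdn}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.Sub)
	}
	_, err := c.Leaf.Verify(opts)
	return err
}

// CheckLeafExtensions applies the extension checklist from the thread to a server
// certificate and returns one message per problem found (empty means all good).
func CheckLeafExtensions(leaf *x509.Certificate) []string {
	var problems []string
	if leaf.IsCA { problems = append(problems, "Basic Constraints must be CA:FALSE on a server certificate") }
	serverAuth := false
	for _, e := range leaf.ExtKeyUsage { serverAuth = serverAuth || e == x509.ExtKeyUsageServerAuth }
	if !serverAuth { problems = append(problems, "Extended Key Usage lacks TLS Web Server Authentication") }
	if len(leaf.DNSNames) == 0 && len(leaf.IPAddresses) == 0 { problems = append(problems, "no Subject Alternative Name; clients ignore CN="+leaf.Subject.CommonName) }
	return problems
}

func main() {
	const fqdn = "theserver.somewhere.com"
	c := BuildChain(fqdn, false) // CN-only leaf, like the one in the thread
	fmt.Println("root only:     ", VerifyChain(c, false, "")) // certificate signed by unknown authority
	fmt.Println("with SUB2cert: ", VerifyChain(c, true, ""))  // <nil>, i.e. OK
	fmt.Println("hostname check:", VerifyChain(c, true, fqdn)) // fails: no SAN, CN is ignored
	fmt.Println("checklist:     ", CheckLeafExtensions(c.Leaf))
}
```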

Jonathan Brooks

Mar 29, 2022, 2:00:04 PM
to dcm...@googlegroups.com
Hi Zaka,

Thanks - this is super helpful! 

One thing I should have mentioned was that our signing authority is not a "recognised" one, it is the University and used internally to validate the identity of our servers. We won't have external users from the internet, so a recognised signing authority should not be needed....

I've redacted quite a bit to (hopefully) avoid giving away the crown jewels!

Here is the output from: $ sudo openssl x509 -text -noout -in CAcert.cer

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:1e:d0:15:98:7e:4f:b0:45:80:f1:4f:dc:77:30:c0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = UK, DC = AC, DC = BLAH, CN = University of Somewhere RootCA
        Validity
            Not Before: Mar  1 15:27:10 2007 GMT
            Not After : Jan 26 11:46:53 2026 GMT
        Subject: DC = UK, DC = AC, DC = BLAH, CN = University of Somewhere RootCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    BLAH BLAH
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                34:7A:7A:47:7A:69:AF:CE:4B:5E:92:FE:E0:7F:4E:09:A7:02:0E:D9
            1.3.6.1.4.1.311.21.1: 
                ...
            1.3.6.1.4.1.311.21.2: 
                ...#..\...v aJ#....I..
    Signature Algorithm: sha256WithRSAEncryption
        BLAH BLAH
Which has the specified CA: True. So far, so good?

Looking at the signed certificate that was returned to me with the command you suggested: $ sudo openssl x509 -text -noout -in certnew.cer, gives:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5d:00:00:a7:02:13:eb:ea:23:07:18:34:5a:00:03:00:00:a7:02
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = UK, DC = AC, DC = BLAH, CN = University of Somewhere Sub2CA
        Validity
            Not Before: Mar  3 16:31:13 2022 GMT
            Not After : Mar  2 16:31:13 2024 GMT
        Subject: C = UK, ST = COUNTY, L = CITY, O = University of Somewhere, OU = School of Something, CN = theserver.somewhere.com, emailAddress = som...@somewhere.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    BLAH BLAH
                    4e:d8:aa:df:15:5a:a0:a1:45:b9:09:d0:b5:af:a0:
                    f0:e2:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D1:7C:E3:03:E9:72:F3:AA:4A:47:DF:E4:3E:C8:0F:AF:D2:EC:5E:4F
            X509v3 Authority Key Identifier: 
                keyid:33:9C:93:20:BA:98:C1:65:E7:14:CF:8C:EA:92:EB:F4:1C:B3:B3:FB
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:ldap:///CN=redacted
            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=redacted 
                CA Issuers - URI:http://redacted.crt
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7: 
                00.(+.....7.....k...^.......u....J....U....4..d...
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            1.3.6.1.4.1.311.21.10: 
                0.0
                ..+.......
    Signature Algorithm: sha256WithRSAEncryption
        BLAH BLAH

So there is no X509v3 Subject Alternative Name, but the CN does contain the FQDN as registered with our DNS. I've changed it here to theserver.somewhere.com

Verifying the chain of trust fails(?):

$ sudo openssl verify -CAfile /opt/DCM4CHEE/Certificate/CAcert.cer /opt/DCM4CHEE/Certificate/certnew.cer
C = UK, ST = COUNTY, L = CITY, O = University of Somewhere, OU = School of Something, CN = theserver.somewhere.com, emailAddress = som...@somewhere.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error /opt/DCM4CHEE/Certificate/certnew.cer: verification failed

I guess this is because our signing authority is not a trusted authority?

Not sure if this output is as expected?

Thanks for all your help with this....

Best wishes,

Jon


Jonathan Brooks

Mar 29, 2022, 2:07:49 PM
to dcm...@googlegroups.com
Dear Zaka,

Just to say that there don't appear to be entries for C, ST, L, O, OU in our root certificate (CAcert.cer).

Best,

Jon

Jonathan Brooks

Mar 29, 2022, 2:18:29 PM
to dcm...@googlegroups.com
Similarly the returned signed certificate seems to be missing most of the essential parts you mentioned:

MOST of the following is not present when using the command: $ openssl x509 -text -noout -in <path-to>/new-cert.cer (PEM format)
In BOLD is the one bit that is present:

Verify X509v3 extensions, there must be at least:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:<your FQDN>, IP Address:<your IP>

Any thoughts?

Best wishes,
Jon

zaka

Mar 29, 2022, 2:31:56 PM3/29/22
to dcm4che
Hi Jon!
Yes, verifying the chain of trust fails. It should respond with 'OK'. And I think the fact that your signing authority is not a trusted authority is not the reason. Maybe your signing authority has an intermediate certificate?
Best, Alexander.

Jonathan Brooks

Mar 30, 2022, 12:55:53 PM3/30/22
to dcm4che
Hi Zaka,

Thanks so much for your suggestion. 

$ sudo openssl verify -verbose -CAfile ./CAcert.cer -untrusted ./SUB2cert.cer ./certnew.cer

Now gives:

./certnew.cer: OK

I'll try to create a PKCS12 version and see if that works. Please can you elaborate on the options you mentioned when creating this?

Best wishes,

Jon

Jonathan Brooks

Mar 30, 2022, 1:21:44 PM3/30/22
to dcm4che
Hi Zaka,

Specifically you wrote:

the right OPENSSL command to convert key/certificate to PKCS12 format for JAVA must have options -noiter -nomaciter!

As far as I can see these aren't options to openssl? Am I missing something?

One last thing - assuming that I can create a cacerts.p12 file for use with our install, I still need to create a key.p12 file.

I've seen various approaches used to generate this
(1) the simple: 
  • $ sudo cp cacerts.p12 key.p12
(2) the more complex: 
  • $ sudo openssl pkcs12 -export -nocerts -inkey store-key.key -out store-key.p12
I don't know if you have a preference? 

Best wishes,

Jon

Jonathan Brooks

Mar 30, 2022, 2:13:23 PM3/30/22
to dcm4che
To update the thread:


$ sudo cat SUB2cert.cer CAcert.cer > certs.pem
$ sudo openssl pkcs12 -export -out cacerts.p12 -inkey store-key.key -in certnew.cer -name server.somewhere.com -chain -CAfile certs.pem

where certnew.cer was the certificate that was returned to me from our signing authority, along with their intermediate certificate (SUB2cert.cer), and Root certificate (CAcert.cer)

I still have absolutely NO IDEA how to create key.p12. <- I assume this is not the private key?

Cheers, Jon

zaka

Mar 30, 2022, 3:44:07 PM3/30/22
to dcm4che
Hi Jon!
My setup has no intermediate certificate, so I am using this command:
$ openssl pkcs12 -export -in <path_to>/<my_server's_signed_cert>.pem -inkey <path_to>/<my_server's_secret_key>.pem -certfile <path_to>/<my_CA_root_cert>.pem -out <path_to>/<my_server's_keystore>.p12 -passin pass:'<my_server's_secret_key_password>' -passout pass:'<my_server's_secret_key_password>' -name <my_server's_signed_cert_alias> -noiter -nomaciter
So the secret key and the PKCS12 keystore have the same password.
Look here for -noiter -nomaciter.

Jonathan Brooks

Mar 31, 2022, 7:24:32 AM3/31/22
to dcm4che
Hi Zaka,

Thanks again! I have been using the same password for the secret key and the keystore (I'd read that this was a requirement).

So assuming that I'm able to create a cacerts.p12 (my server's keystore), and import into JAVA's keystore (cacerts) using keytool, how should I go about creating a key.p12 for keycloak/wildfly to use?

Thus far:
using a key.p12 that is a copy of cacerts.p12 allows keycloak to start jboss-cli over secure connection (port 9983), but ultimately didn't allow me to deploy (I need to confirm this is still the case after recent developments!)

creating a key.p12 from scratch with: 
$ sudo openssl pkcs12 -export -nocerts -inkey store-key.key -out key.p12

NOTE: "store-key.key" is the PEM format private key created during the generation of the server's certificate signing request.

did NOT allow keycloak to start jboss-cli over secure connection (port 9983).

Any ideas/suggestions?

Best,

Jon

zaka

Mar 31, 2022, 12:57:18 PM3/31/22
to dcm4che
Hi Jon!
It seems to me it would be good to give some clarifications about Wildfly/Keycloak/dcm4chee-arc and SSL/TLS authentication.
1. First of all, it is good practice to give meaningful names to certs and keystores. So 'cacerts.p12' is not a good name for the server's keystore, because 'cacerts' are the CA root/intermediate certificates! Let it be, for example, 'archive.p12', 'archive-key.pem' and 'archive-cert.pem' respectively.
2. All the manipulations with openssl described above are needed to obtain the server's keystore 'archive.p12', which contains the secret key 'archive-key.pem' together with the CA-signed certificate 'archive-cert.pem'. This keystore, and only together with the CA's root/intermediate certs, is needed to perform one-way SSL/TLS authentication!
3. There are three subsystems in Wildfly/Keycloak/dcm4chee-arc which need SSL/TLS authentication to be configured:
  - Wildfly's built-in 'Undertow' web server for browser HTTPS communications,
  - Keycloak's 'SPI' interface for internal non-browser HTTPS communications,
  - dcm4chee-arc itself for DICOM TLS communications.
In fact both Undertow and dcm4chee-arc sit on top of Wildfly's 'elytron' security subsystem, so two subsystems have to be configured.
You have to configure elytron's 'server-ssl-context' to use your 'archive.p12' for one-way SSL/TLS authentication, and configure undertow and the management interface to use it as described in the wiki.
For browser communications you have to import your CA's certificates into the browser's trusted CA certificate store. For non-browser (SPI) communications you have to configure its own truststore. The wiki suggests importing your CA's certificates into JAVA's trusted cacerts store and configuring the SPI interface to use it. I use my own truststore for this purpose.
P.S. As regards your initial problem, did you issue these commands before trying to deploy dcm4chee-arc-ear-5.25.2-mysql-secure.ear?
/subsystem=keycloak/secure-deployment=dcm4chee-arc-ui2-5.x.x-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,auth-server-url=https://<keycloak-host>:8843/auth,ssl-required=external,public-client=true,truststore=/home/vrinda/work/secure/wildfly-24.0.1.Final/standalone/configuration/keystores/cacerts.p12,truststore-password=secret,allow-any-hostname=true)
/subsystem=keycloak/secure-deployment=dcm4chee-arc-war-5.x.x-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-rs,auth-server-url=https://<keycloak-host>:8843/auth,ssl-required=external,bearer-only=true,truststore=/home/vrinda/work/secure/wildfly-24.0.1.Final/standalone/configuration/keystores/cacerts.p12,truststore-password=secret,allow-any-hostname=true)
Sorry in advance for my English,
Alexander.

Jonathan Brooks

Mar 31, 2022, 3:09:12 PM3/31/22
to dcm4che
Hi Alexander,

Thanks for taking the time to explain this to me, plus your English is just fine!!!

I have confirmed that the certnew.cer we received (associated with our server's private key = store-key.key) is correct/working (?) - see above.

I created a PKCS12 format keystore with the additional flags you mentioned:
$ sudo openssl pkcs12 -export -out archive.p12 -inkey store-key.key -in certnew.cer -name server.somewhere.com -chain -CAfile certs.pem -noiter -nomaciter
Enter pass phrase for store-key.key: (1) 
Enter Export Password: (2)
Verifying - Enter Export Password: (3)

At (1) I enter the PASS PHRASE that was provided to me by our local IT person (chosen by them when creating the original certificate signing request). I use the exact same password at (2) and (3).
There are no special characters in it, and it is <30 characters long.

Once I had created archive.p12, I wanted to create a key.p12 as this is referred to in the wiki. I'm still not 100% sure how to create this key.p12.

key.p12 is to be used via the jboss-cli to secure connection e.g. in the Keycloak section of the instructions, and in wildfly's undertow/elytron as you mention:
E.g. from the wiki:
[standalone@localhost:9990 /] /subsystem=elytron/key-store=httpsKS:add(credential-reference={clear-text=secret},type=PKCS12,path=/home/vrinda/work/secure/wildfly-24.0.1.Final/standalone/configuration/keystores/key.p12)
[standalone@localhost:9990 /] /subsystem=elytron/key-manager=httpsKM:add(algorithm=SunX509,key-store=httpsKS,credential-reference={clear-text=secret})
[standalone@localhost:9990 /] /subsystem=elytron/server-ssl-context=httpsSSC:add(protocols=[TLSv1.2],key-manager=httpsKM)
[standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context,value=httpsSSC)
[standalone@localhost:9990 /] /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding,value=management-https)
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/https-listener=https:remove()
[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https,ssl-context=httpsSSC,enable-http2=true)


I'm assuming that wherever I see the word "secret" I replace it with PASS PHRASE (1)

Currently I copy archive.p12 to key.p12 (based on this suggestion) - and this works for securing jboss-cli communication to keycloak server via port 9983, which in the wiki instructions occurs after importing archive.p12 into the JAVA keystore using keytool:
$ sudo -i
# keytool -importkeystore -srckeystore /opt/DCM4CHEE/keycloak-15.0.2/standalone/configuration/keystores/archive.p12 -srcstorepass PASS PHRASE (1) -destkeystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -deststorepass changeit
GIVES:
Importing keystore /opt/DCM4CHEE/keycloak-15.0.2/standalone/configuration/keystores/cacerts.p12 to /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts...
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -destkeystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -deststoretype pkcs12"


Similarly, I am able to "talk" using jboss-cli to the wildfly server via port 9993.

Regarding your last comment I do issue those commands:
[standalone@localhost:9993 /] /subsystem=keycloak/secure-deployment=dcm4chee-arc-ui2-5.25.2-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,auth-server-url=https://server.somewhere.com:8843/auth,ssl-required=external,public-client=true,truststore=/opt/DCM4CHEE/wildfly-24.0.1.Final/standalone/configuration/keystores/archive.p12,truststore-password=PASS PHRASE (1),allow-any-hostname=true)
{"outcome" => "success"}


AND

[standalone@localhost:9993 /] /subsystem=keycloak/secure-deployment=dcm4chee-arc-war-5.25.2-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-rs,auth-server-url=https://server.somewhere.com:8843/auth,ssl-required=external,bearer-only=true,truststore=/opt/DCM4CHEE/wildfly-24.0.1.Final/standalone/configuration/keystores/archive.p12,truststore-password=PASS PHRASE (1),allow-any-hostname=true)
{"outcome" => "success"}


As suggested in the wiki, I then quit the wildfly server and restart, BUT deployment gives:

[standalone@localhost:9993 /] deploy /opt/DCM4CHEE/dcm4chee-arc-5.25.2-mysql-secure/deploy/dcm4chee-arc-ear-5.25.2-mysql-secure.ear
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"dcm4chee-arc-ear-5.25.2-mysql-secure.ear\".\"dcm4chee-arc-service-5.25.2.jar\".component.ArchiveServiceImpl.START" => "java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: javax.ejb.EJBException: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.lang.RuntimeException: java.io.IOException: Unable to start TCPListener on localhost:12575
    Caused by: java.io.IOException: Unable to start TCPListener on localhost:12575

    Caused by: java.io.IOException: keystore password was incorrect
    Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."}}}}


It seems obvious where the problem lies, but I'll be damned if I can find out where I'm doing it wrong.

FYI using the self-signed cacerts.p12 and key.p12 supplied with the archive by the DCM4CHEE developers, I can install, configure and deploy just fine.

As always any help/suggestions on where I'm going wrong would be super helpful.

Best wishes,

Jon

Jonathan Brooks

Apr 1, 2022, 9:09:04 AM4/1/22
to dcm4che
Just to add - does it matter that the cacerts.p12 contains a private key that is protected by the same password as for the trust-store? 
Do the commands used to input the truststore need to be modified to reflect that?

E.g.
[standalone@localhost:9993 /] /subsystem=keycloak/secure-deployment=dcm4chee-arc-ui2-5.25.2-secure.war/:add(realm=dcm4che,resource=dcm4chee-arc-ui,auth-server-url=https://server.somewhere.com:8843/auth,ssl-required=external,public-client=true,truststore=/opt/DCM4CHEE/wildfly-24.0.1.Final/standalone/configuration/keystores/archive.p12,truststore-password=PASS PHRASE (1),allow-any-hostname=true)
{"outcome" => "success"}

What I find a little confusing is that I can make the secure connection to keycloak/wildfly via jboss-cli that appears to use the certificate just fine, but when coming to the deployment the secure communication fails to open the keystore.

Best wishes,

Jon
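
The certificate and keystore steps discussed across this thread, as one added example (not code from the thread, the wiki or the dcm4che project). The script generates a throwaway root CA, intermediate CA and server certificate so it runs offline, then: verifies the chain with the intermediate passed via -untrusted (the step that turned the earlier 'unable to get local issuer certificate' into 'OK'); checks the server certificate for the four X509v3 extensions listed earlier; exports a server keystore (private key plus chain) and a separate CA-only truststore with the -noiter -nomaciter flags Alexander quoted, which is the 'archive.p12' versus 'cacerts' distinction in his explanation; and finally confirms that the keystore refuses a different password. All file names, subjects, the scratch directory and the password 'changeit' are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from this thread or from the dcm4che project.
# Builds a throwaway root CA -> intermediate CA -> server certificate, verifies the
# chain the way the thread ends up doing it, checks the server cert's extensions,
# and exports the two PKCS12 files that are easy to confuse:
#   key.p12     server keystore: private key + server cert + CA chain
#   cacerts.p12 truststore: CA certificates only, no private key
# All names, subjects and the password 'changeit' are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, constructed
PASS="changeit"                # demo export password; WildFly's credential-reference must carry this same value

# Generate root CA, intermediate CA (SUB2cert.cer) and the server pair (store-key.key / certnew.cer),
# reusing the thread's file names. The server cert carries the four X509v3 extensions listed above.
make_demo_chain() {
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile root.ext -out CAcert.cer 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  openssl x509 -req -in sub.csr -CA CAcert.cer -CAkey root.key -CAcreateserial -days 30 -sha256 \
    -extfile sub.ext -out SUB2cert.cer 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=theserver.somewhere.com" \
    -keyout store-key.key -out server.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > server.ext
  printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:theserver.somewhere.com,IP:127.0.0.1\n' >> server.ext
  openssl x509 -req -in server.csr -CA SUB2cert.cer -CAkey sub.key -CAcreateserial -days 30 -sha256 \
    -extfile server.ext -out certnew.cer 2>/dev/null
}

# Verify the server cert against the root, passing the intermediate with -untrusted.
# Without -untrusted this is the "unable to get local issuer certificate" failure from the thread.
verify_chain() {
  cd "$WORK"
  if openssl verify -CAfile CAcert.cer -untrusted SUB2cert.cer certnew.cer >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

# Count how many of the four extensions listed in the thread appear in the server cert (0..4).
count_required_extensions() {
  cd "$WORK"
  text=$(openssl x509 -in certnew.cer -noout -text)
  n=0
  for ext in "X509v3 Basic Constraints" "X509v3 Key Usage" \
             "X509v3 Extended Key Usage" "X509v3 Subject Alternative Name"; do
    echo "$text" | grep -q "$ext" && n=$((n + 1))
  done
  echo "$n"
}

# Export the keystore and the truststore. -noiter -nomaciter are the flags quoted in the thread;
# they set both iteration counts to 1, so the files rely on permissions rather than the password.
build_stores() {
  cd "$WORK"
  cat SUB2cert.cer CAcert.cer > certs.pem
  openssl pkcs12 -export -in certnew.cer -inkey store-key.key -certfile certs.pem \
    -name theserver.somewhere.com -out key.p12 -passout pass:"$PASS" -noiter -nomaciter
  openssl pkcs12 -export -nokeys -in certs.pem -out cacerts.p12 -passout pass:"$PASS" -noiter -nomaciter
  chmod 600 key.p12 cacerts.p12
}

# Echo "<keys in key.p12> <keys in cacerts.p12> <certs in key.p12>"; a correct build gives "1 0 3".
inspect_stores() {
  cd "$WORK"
  k1=$(openssl pkcs12 -in key.p12 -passin pass:"$PASS" -nocerts -nodes 2>/dev/null | grep -c "BEGIN.*PRIVATE KEY" || true)
  k2=$(openssl pkcs12 -in cacerts.p12 -passin pass:"$PASS" -nocerts -nodes 2>/dev/null | grep -c "BEGIN.*PRIVATE KEY" || true)
  c1=$(openssl pkcs12 -in key.p12 -passin pass:"$PASS" -nokeys 2>/dev/null | grep -c "BEGIN CERTIFICATE" || true)
  echo "$k1 $k2 $c1"
}

# Opening key.p12 with a different password must fail: this is the mismatch behind
# "keystore password was incorrect" in the deploy output above.
check_wrong_password_rejected() {
  cd "$WORK"
  if openssl pkcs12 -in key.p12 -passin pass:not-the-export-password -nokeys -out /dev/null 2>/dev/null; then
    echo accepted
  else
    echo rejected
  fi
}

if [ "${1:-}" = "run" ]; then
  make_demo_chain
  echo "chain verification: $(verify_chain)"
  echo "required extensions present: $(count_required_extensions) of 4"
  build_stores
  echo "keys in key.p12 / keys in cacerts.p12 / certs in key.p12: $(inspect_stores)"
  echo "wrong password: $(check_wrong_password_rejected)"
fi
```

Invoking the script with the argument 'run' executes every step and prints the results. The value passed to -passout when exporting key.p12 is the one that belongs in the credential-reference of the elytron key-store and key-manager; the truststore handed to the keycloak secure-deployment attributes only needs the CA certificates, so the CA-only cacerts.p12 is the file to point 'truststore=' at, and the private key never has to leave key.p12. One caveat on -noiter and -nomaciter: with both iteration counts at 1 the export password gets no key stretching, so the .p12 files should be readable only by the service account (the script applies chmod 600).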