I am not 100% certain but I believe the sun.security.pkcs12.PKCS12KeyStore.engineLoad &/or java.security.KeyStore.load modules within confluence are not accounting for or stripping whitespace from the password specified for loading pkcs12 certificate chains.
I can verify the pkcs12 using both openssl & the bundled keytool without error. Steps taken below follow:
Using keytool:
%> jre/bin/keytool -list -keystore certificate.pkcs12 -storetype PKCS12 Enter keystore password: Keystore type: PKCS12 Keystore provider: SunJSSE Your keystore contains 1 entry 1, Oct 8, 2014, PrivateKeyEntry, Certificate fingerprint (SHA1): 5A:8A:B0:26:E1:39:C1:0E:52:F5:0C:E3:8E:31:74:24:9D:9D:AE:F9
Using OpenSSL:
%> openssl pkcs12 -noout -in certificate.pkcs12 Enter Import Password: MAC verified OK
Here is the server.xml file (relevant to use of a pkcs12 for ssl access)
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true" keystoreFile="/full/path/to/certificate.pkcs12" keystorePass="password with spaces" keystoreType="PKCS12" keyAlias="1" />
Hi Jason, that's interesting, I've just created a new certificate and exported it to pkcs12 format with the following commands:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt openssl pkcs12 -export -in cert.crt -inkey cert.key -out certificate.pkcs12
And defined the password to 123 456 (with space).
The connector looks like this:
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true" keystoreFile="/full/path/to/certificate.pkcs12" keystorePass="123 456" keystoreType="PKCS12" keyAlias="1" />
I've restarted Confluence and I had not problem to access the dashboard via https, maybe the problem is not the password itself. What's the error you're seeing?
Cheers
That looks like a self signed certificate. I wonder if it is the cert chain then. Here is the error which according to evevery thing I have looked up refers to a bad password which doesn't make sense when two different tools can vbe used to verify it.
INFO: Initializing ProtocolHandler ["http-bio-8443"] Oct 08, 2014 7:24:40 AM org.apache.coyote.AbstractProtocol init SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"] java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) at java.security.KeyStore.load(Unknown Source) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:291) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:549) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:434) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181) at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:397) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434) at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) at org.apache.catalina.connector.Connector.initInternal(Connector.java:978) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:638) at org.apache.catalina.startup.Catalina.load(Catalina.java:663) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) Caused by: javax.crypto.BadPaddingException: Given final block not properly padded at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811) at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676) at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:355) at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40.engineDoFinal(PKCS12PBECipherCore.java:462) at javax.crypto.Cipher.doFinal(Cipher.java:2087) ... 26 more Oct 08, 2014 7:24:40 AM org.apache.catalina.core.StandardService initInternal SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]] at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) at org.apache.catalina.startup.Catalina.load(Catalina.java:638) at org.apache.catalina.startup.Catalina.load(Catalina.java:663) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454) Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed at org.apache.catalina.connector.Connector.initInternal(Connector.java:980) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102) ... 12 more Caused by: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) at java.security.KeyStore.load(Unknown Source) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:291) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:549) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:434) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:181) at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:397) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434) at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) at org.apache.catalina.connector.Connector.initInternal(Connector.java:978) ... 13 more Caused by: javax.crypto.BadPaddingException: Given final block not properly padded at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811) at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676) at com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:355) at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40.engineDoFinal(PKCS12PBECipherCore.java:462) at javax.crypto.Cipher.doFinal(Cipher.java:2087) ... 26 more
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I can't say for sure, but it could be some problem with the encryption algorithm. You could try to convert it to JKS format as described here.
Cheers
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Well that failed as well.
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"] java.io.IOException: Keystore was tampered with, or password was incorrect
I converted the pkcs12 to a jks format like so:
%> keytool -importkeystore -srckeystore wiki.tools.lib.utah.edu.keystore.pkcs12 -srcstoretype pkcs12 -destkeystore wiki.tools.lib.utah.edu.keystore.jks -deststoretype JKS
Very strange as both keytool and openssl verify the pkcs12 and jks formats (including passphrase provided) without problem.
I am going to go ahead and regenerate from scratch to try and alleviate the problems. Will also post the complete steps if it works. If not I will file a bug report.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.