[
https://issues.apache.org/jira/browse/NIFI-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann resolved NIFI-3062.
------------------------------------
Resolution: Information Provided
As of Java 8 Update 161, the Unlimited Strength Cryptographic policy is enabled
by default, so this should no longer be a problem.
See [https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170157] for more
details.
> Provide better error message on startup if invalid length keystore password
> used in conjunction with PKCS12 keystore
> --------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-3062
> URL: https://issues.apache.org/jira/browse/NIFI-3062
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Tools and Build
> Affects Versions: 1.0.0
> Reporter: Andy LoPresto
> Priority: Major
> Labels: keystore, pkcs12, security, tls
>
> [~scottyaslan] discovered an edge case introduced in [NIFI-2943] -- on a
> system without the JCE unlimited strength cryptographic jurisdiction policies
> installed, a PKCS12 keystore with a password longer than 7 characters will
> fail at start-up. Though this issue is captured when using the TLS Toolkit to
> generate a keystore (or a client certificate, which is stored in a PKCS12
> keystore in order to include the private key), a user could have manually
> generated a PKCS12 keystore with a password longer than 7 characters using
> {{openssl}} but will not be able to use it in NiFi without installing the JCE
> USC policies.
> Example output from TLS toolkit in 128-bit mode:
> {code}
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔒 76s @ 19:48:16 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
> 2016/11/17 19:48:43 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No
> nifiPropertiesFile specified, using embedded one.
> 2016/11/17 19:48:43 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running
> standalone certificate generation with output directory
> ../nifi-toolkit-1.1.0-SNAPSHOT
> 2016/11/17 19:48:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing
> CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key
> ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
> 2016/11/17 19:48:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames
> specified, not generating any host certificates or configuration.
> 2016/11/17 19:48:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new
> client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> WARNING!!!!
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Unlimited JCE Policy is not installed which means we cannot utilize a
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> PKCS12 password longer than 7 characters.
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Autogenerated password has been reduced to 7 characters.
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Please strongly consider installing Unlimited JCE Policy at
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> Another alternative is to add a stronger password with the openssl tool to the
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out
> '/tmp/CN=test.p12'
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> openssl pkcs12 -export -in '/tmp/CN=test.p12' -out
> '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> rm -f '/tmp/CN=test.p12'
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> 2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
> **********************************************************************************
> 2016/11/17 19:48:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
> generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 19:48:44 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
> standalone completed successfully
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔒 28s @ 19:48:45 $
> {code}
> Example output from TLS toolkit in 256-bit mode:
> {code}
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔒 320s @ 19:55:16 $ jce_unlimited
> Enabling JCE unlimited strength crypto policy
> /Users/alopresto/Desktop/security/unlimited/US_export_policy.jar ->
> /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./US_export_policy.jar
> /Users/alopresto/Desktop/security/unlimited/local_policy.jar ->
> /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./local_policy.jar
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔓 235s @ 19:59:12 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
> 2016/11/17 19:59:38 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No
> nifiPropertiesFile specified, using embedded one.
> 2016/11/17 19:59:38 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running
> standalone certificate generation with output directory
> ../nifi-toolkit-1.1.0-SNAPSHOT
> 2016/11/17 19:59:38 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing
> CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key
> ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
> 2016/11/17 19:59:38 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames
> specified, not generating any host certificates or configuration.
> 2016/11/17 19:59:38 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new
> client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 19:59:39 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
> generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
> 2016/11/17 19:59:39 INFO [main]
> org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
> standalone completed successfully
> hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT
> (master) alopresto
> 🔓 4s @ 19:59:40 $
> {code}
> If the application is started in 128-bit mode with the {{keystore.p12}} using
> a keystore password >= 8 characters, the following error will be printed in
> {{$NIFI_HOME/logs/nifi-app.log}}:
> {code}
> org.apache.nifi.web.NiFiCoreException: Unable to start Flow Controller.
> at
> org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:93)
> ~[na:na]
> at
> org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:837)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:533)
> ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:810)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:345)
> ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1404)
> ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1366)
> ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:772)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)
> ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:520)
> ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
> [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
> [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:231)
> [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at org.eclipse.jetty.server.Server.start(Server.java:411)
> [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
> [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at org.eclipse.jetty.server.Server.doStart(Server.java:378)
> [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675)
> [nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at org.apache.nifi.NiFi.<init>(NiFi.java:156)
> [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at org.apache.nifi.NiFi.main(NiFi.java:262)
> [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> Caused by: org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'flowService': FactoryBean threw exception on object
> creation; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'flowController': FactoryBean threw exception on object creation;
> nested exception is
> org.apache.nifi.framework.security.util.SslContextCreationException:
> java.io.IOException: exception decrypting data -
> java.security.InvalidKeyException: Illegal key size
> at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060)
> ~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:52)
> ~[na:na]
> ... 28 common frames omitted
> Caused by: org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'flowController': FactoryBean threw exception on
> object creation; nested exception is
> org.apache.nifi.framework.security.util.SslContextCreationException:
> java.io.IOException: exception decrypting data -
> java.security.InvalidKeyException: Illegal key size
> at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060)
> ~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> at
> org.apache.nifi.spring.StandardFlowServiceFactoryBean.getObject(StandardFlowServiceFactoryBean.java:48)
> ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> ... 34 common frames omitted
> Caused by:
> org.apache.nifi.framework.security.util.SslContextCreationException:
> java.io.IOException: exception decrypting data -
> java.security.InvalidKeyException: Illegal key size
> at
> org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:106)
> ~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at
> org.apache.nifi.controller.FlowController.<init>(FlowController.java:440)
> ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at
> org.apache.nifi.controller.FlowController.createStandaloneInstance(FlowController.java:375)
> ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at
> org.apache.nifi.spring.FlowControllerFactoryBean.getObject(FlowControllerFactoryBean.java:74)
> ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at
> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168)
> ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
> ... 41 common frames omitted
> Caused by: java.io.IOException: exception decrypting data -
> java.security.InvalidKeyException: Illegal key size
> at
> org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown
> Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
> at
> org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown
> Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
> at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
> at
> org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:86)
> ~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> ... 45 common frames omitted
> 2016-11-17 18:35:17,830 INFO [main] /nifi-content-viewer No Spring
> WebApplicationInitializer types detected on classpath
> 2016-11-17 18:35:17,833 INFO [main] o.e.jetty.server.handler.ContextHandler
> Started
> o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-content-viewer-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:17,836 INFO [main] o.e.jetty.server.handler.ContextHandler
> Started o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,AVAILABLE}
> 2016-11-17 18:35:17,907 INFO [main] /nifi-docs No Spring
> WebApplicationInitializer types detected on classpath
> 2016-11-17 18:35:17,909 INFO [main] o.e.jetty.server.handler.ContextHandler
> Started
> o.e.j.w.WebAppContext@7585531b{/nifi-docs,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-docs-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:17,969 INFO [main] / No Spring WebApplicationInitializer
> types detected on classpath
> 2016-11-17 18:35:17,972 INFO [main] o.e.jetty.server.handler.ContextHandler
> Started
> o.e.j.w.WebAppContext@6fb8cfa7{/,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-error-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:17,990 WARN [main] org.apache.nifi.web.server.JettyServer
> Failed to start web server... shutting down.
> java.io.IOException: exception decrypting data -
> java.security.InvalidKeyException: Illegal key size
> at
> org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown
> Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
> at
> org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown
> Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
> at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
> at
> org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1027)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:333)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at org.eclipse.jetty.server.Server.doStart(Server.java:390)
> ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
> at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675)
> ~[nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at org.apache.nifi.NiFi.<init>(NiFi.java:156)
> [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> at org.apache.nifi.NiFi.main(NiFi.java:262)
> [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
> 2016-11-17 18:35:17,991 INFO [Thread-1] org.apache.nifi.NiFi Initiating
> shutdown of Jetty web server...
> 2016-11-17 18:35:17,996 INFO [Thread-1]
> o.eclipse.jetty.server.AbstractConnector Stopped
> ServerConnector@464f12de{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
> 2016-11-17 18:35:18,003 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@6fb8cfa7{/,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,006 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@7585531b{/nifi-docs,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,006 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,UNAVAILABLE}
> 2016-11-17 18:35:18,010 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,011 INFO [Thread-1]
> o.a.n.w.c.ApplicationStartupContextListener Initiating shutdown of flow
> service...
> 2016-11-17 18:35:18,018 WARN [Thread-1]
> o.a.n.w.c.ApplicationStartupContextListener Problem occurred ensuring flow
> controller or repository was properly terminated due to
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'flowService': FactoryBean threw exception on object creation;
> nested exception is org.springframework.beans.factory.BeanCreationException:
> Error creating bean with name 'flowController': FactoryBean threw exception
> on object creation; nested exception is
> org.apache.nifi.framework.security.util.SslContextCreationException:
> java.io.IOException: exception decrypting data -
> java.security.InvalidKeyException: Illegal key size
> 2016-11-17 18:35:18,018 INFO [Thread-1] /nifi-api Closing Spring root
> WebApplicationContext
> 2016-11-17 18:35:18,075 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@814b60b{/nifi-api,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-api-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,206 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@5112b7{/nifi,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-ui-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,213 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@4fd80300{/nifi-update-attribute-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-update-attribute-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-update-attribute-ui-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,218 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@4baf997{/nifi-standard-content-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-standard-content-viewer-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,236 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@750cd36d{/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,239 INFO [Thread-1]
> o.e.jetty.server.handler.ContextHandler Stopped
> o.e.j.w.WebAppContext@3a0896b3{/nifi-image-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-media-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-image-viewer-1.1.0-SNAPSHOT.war}
> 2016-11-17 18:35:18,241 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server
> shutdown completed (nicely or otherwise).
> {code}
> We should catch the illegal key size exception and print a more helpful error
> message, as the toolkit does. We should also investigate if the recent change
> affected prior behavior by changing how BouncyCastle was used to handle
> keystores. Most users use JKS keystores, but some choose PKCS12. PKCS12
> should be discouraged as a format for keystores and truststores in NiFi as it
> is overly complex and unnecessary.
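
The check the issue asks for (catch the illegal key size exception and print a more helpful message), sketched in Java as an added example; it is not NiFi's code. The class and method names are hypothetical, and the keystore is loaded with the JVM's default provider for the given type rather than the BouncyCastle provider seen in the trace.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;

/** Added illustration; hypothetical names, not part of Apache NiFi. */
public class KeystoreLoadCheck {

    /** True when the JVM allows AES keys above 128 bits (unlimited strength policy active). */
    static boolean unlimitedStrengthAvailable() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    /**
     * Detects the failure shown in nifi-app.log. In that trace the innermost IOException
     * carries the InvalidKeyException text in its message and has no further "Caused by",
     * so the message of every exception in the chain is inspected, not only its type.
     */
    static boolean isIllegalKeySize(Throwable t) {
        int depth = 0;
        for (Throwable c = t; c != null && depth < 32; c = c.getCause(), depth++) {
            String m = c.getMessage();
            if (m != null && m.contains("Illegal key size")) {
                return true;
            }
        }
        return false;
    }

    /** Builds the operator-facing message; the 7-character limit is the one the toolkit warns about. */
    static String explain(String type, int passwordLength) throws GeneralSecurityException {
        return String.format(
            "Cannot decrypt %s keystore: the JVM reported 'Illegal key size'. "
            + "Unlimited strength JCE policy active: %b. Keystore password length: %d. "
            + "Without the unlimited policy a PKCS12 password longer than 7 characters "
            + "cannot be used. Install the policy files or run Java 8 Update 161 or later.",
            type, unlimitedStrengthAvailable(), passwordLength);
    }

    /** Loads the keystore and replaces the opaque failure with the message above. */
    static KeyStore load(Path file, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
            return ks;
        } catch (IOException e) {
            if (isIllegalKeySize(e)) {
                throw new GeneralSecurityException(explain(type, password.length), e);
            }
            throw e; // wrong password, missing file, corrupt store: leave untouched
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length == 2 && console != null) { // usage: <keystore file> <type>
            char[] password = console.readPassword("Keystore password: ");
            load(Paths.get(args[0]), args[1], password);
            System.out.println("Keystore loaded");
            return;
        }
        // Constructed sample: the innermost exception message from the log on this page,
        // wrapped the way the startup failure wraps it.
        IOException inner = new IOException(
            "exception decrypting data - java.security.InvalidKeyException: Illegal key size");
        Exception outer = new RuntimeException("Unable to start Flow Controller.", inner);
        System.out.println("Illegal key size detected: " + isIllegalKeySize(outer));
        System.out.println(explain("PKCS12", "password".length()));
    }
}
```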