I am trying to ssh using sshj java library to an ec2 redhat instance with the ppk file,I am getting InvalidKeySpecException . Where as i am able to successfully ssh to other machines with same ppk.
I guess i am missing some configuration in the ec2 instance any help will be appreciated .
Note : I am able to do ssh to the machine in question via putty.
below is the stack trace i am getting in the application:
net.schmizz.sshj.transport.TransportException: java.security.spec.InvalidKeySpecException: key spec not recognised
at net.schmizz.sshj.transport.TransportException$1.chain(TransportException.java:33)
at net.schmizz.sshj.transport.TransportException$1.chain(TransportException.java:27)
at net.schmizz.concurrent.Promise.deliverError(Promise.java:95)
at net.schmizz.concurrent.Event.deliverError(Event.java:74)
at net.schmizz.concurrent.ErrorDeliveryUtil.alertEvents(ErrorDeliveryUtil.java:34)
at net.schmizz.sshj.transport.KeyExchanger.notifyError(KeyExchanger.java:386)
at net.schmizz.sshj.transport.TransportImpl.die(TransportImpl.java:600)
at net.schmizz.sshj.transport.Reader.run(Reader.java:67)
Caused by: net.schmizz.sshj.common.SSHException: java.security.spec.InvalidKeySpecException: key spec not recognised
at net.schmizz.sshj.common.SSHException$1.chain(SSHException.java:36)
at net.schmizz.sshj.common.SSHException$1.chain(SSHException.java:29)
at net.schmizz.sshj.transport.TransportImpl.die(TransportImpl.java:595)
... 1 common frames omitted
Caused by: net.schmizz.sshj.common.SSHRuntimeException: java.security.spec.InvalidKeySpecException: key spec not recognised
at net.schmizz.sshj.common.Buffer.readPublicKey(Buffer.java:466)
at net.schmizz.sshj.transport.kex.AbstractDHG.next(AbstractDHG.java:66)
at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:358)
at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:503)
at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:102)
at net.schmizz.sshj.transport.Decoder.received(Decoder.java:170)
at net.schmizz.sshj.transport.Reader.run(Reader.java:59)
Caused by: java.security.GeneralSecurityException: java.security.spec.InvalidKeySpecException: key spec not recognised
at net.schmizz.sshj.common.ECDSAVariationsAdapter.readPubKeyFromBuffer(ECDSAVariationsAdapter.java:92)
at net.schmizz.sshj.common.KeyType$3.readPubKeyFromBuffer(KeyType.java:113)
at net.schmizz.sshj.common.Buffer.readPublicKey(Buffer.java:464)
... 6 common frames omitted
Caused by: java.security.spec.InvalidKeySpecException: key spec not recognised
at org.bouncycastle.jcajce.provider.asymmetric.util.BaseKeyFactorySpi.engineGeneratePublic(Unknown Source)
at org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi.engineGeneratePublic(Unknown Source)
at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
at net.schmizz.sshj.common.ECDSAVariationsAdapter.readPubKeyFromBuffer(ECDSAVariationsAdapter.java:90)
... 8 common frames omitted
The ppk file is a Putty private key file, which is not compatible with the OpenSSH formats that are supported by SSHJ. You can convert your ppk file to be used by SSHJ using the following command: puttygen <keyfile>.ppk -O private-openssh -o <outfile>
This one was pretty tricky, the sshj library uses the ssh-rsa algorithm.
So we need to add the ssh-rsa algorithm in ec2 instance.
steps:
Edit the file /etc/ssh/sshd_config.
Add the entry HostKeyAlgorithms ssh-rsa
it started working after that.
Related
we have defined the following in .ini file:
Assigned Values:
opendistro_security.ssl.http.enabled= True
Kesystore type = PKCS12
keystore_filepath = /relativepath.pfx
truststore_type = PKCS12
truststore-filepath =/relativepath.pfx
opendistro_security.ssl.transport.keystore_password=""
opendistro_security.ssl.transport.truststore_password=""
We are getting below error message when we execute .Net application:
Error:
Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer: java.io.IOException: keystore password was incorrect
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Resolutions we tried:
Changed different passwords of Pfx as well as defined in setting_override.ini (eg. “changeit”). Also added Pfx file to respective directory.
Checked PFX file by both import/ export by creating new password and also added that in MMC and checked.
Added default password for Truststore type and Keystore Type as per the this URL
Placed Pfx file inside config folder of Elastic Search
But still we are facing issue.
In this URL they have mentioned the following settings such as:
ELASTIC_PASSWORD=password
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.http.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
- xpack.security.http.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
- xpack.security.http.ssl.keystore.password=password
- xpack.security.http.ssl.truststore.password=password
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
- xpack.security.transport.ssl.keystore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
- xpack.security.transport.ssl.truststore.path=/usr/share/elasticsearch/config/elastic-certificates.p12
- xpack.security.transport.ssl.keystore.password=password
- xpack.security.transport.ssl.truststore.password=password
Queries:
Do we need to mention all this settings for our application?
Is the above setting applicable for XPack (or) it will get applicable for Open Distro also?
Is elastic search will have separate password? If so where can we check password related to Elastic Search?
Do we need to assign same password of Elastic search to Truststore type and Key store type?
I have configured spring boot application to take properties from my environment but strangely I am facing an error while starting my application.
I have added the properties in my ~/.bash_profile and also did source ~/.bash_profile after adding them to the profile.
This is how my bootstrap.properties look like:
spring.application.name=gamification
spring.cloud.vault.enabled=${VAULT_ENABLE:true}
spring.cloud.vault.fail-fast=false
spring.cloud.vault.token=${VAULT_TOKEN}
spring.cloud.vault.scheme=${VAULT_SCHEME}
spring.cloud.vault.host=${VAULT_HOST}
spring.cloud.vault.port=${VAULT_PORT:8200}
I am getting this error:
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.cloud.vault.config.VaultReactiveBootstrapConfiguration]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: Scheme must be http or https
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:216) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:117) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:310) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
... 30 common frames omitted
Caused by: java.lang.IllegalArgumentException: Scheme must be http or https
at org.springframework.util.Assert.isTrue(Assert.java:118) ~[spring-core-5.2.4.RELEASE.jar:5.2.4.RELEASE]
at org.springframework.vault.client.VaultEndpoint.setScheme(VaultEndpoint.java:167) ~[spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.cloud.vault.config.VaultConfigurationUtil.createVaultEndpoint(VaultConfigurationUtil.java:91) ~[spring-cloud-vault-config-2.2.2.RELEASE.jar:2.2.2.RELEASE]
at org.springframework.cloud.vault.config.VaultReactiveBootstrapConfiguration.<init>(VaultReactiveBootstrapConfiguration.java:110) ~[spring-cloud-vault-config-2.2.2.RELEASE.jar:2.2.2.RELEASE]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_231]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_231]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_231]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_231]
at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:203) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
... 32 common frames omitted
I added a debug point in Vault Endpoint and found this:
Here as you can see, the VAULT_HOST is being taken as VAULT_HOST instead of the value of that environment variable, and same with the VAULT_SCHEME
[EDIT]
Adding bash_profile vault configuration:
export VAULT_ENABLE=true
export VAULT_SCHEME=http
export VAULT_HOST=vault-1.dev.lokal
export VAULT_PORT=8200
export VAULT_TOKEN=5F97X
[EDIT #2]
Tried out the solution suggested by #Gopinath
I am getting environment as null when trying to autowire it
The root cause of the problem can be found form this error message:
org.springframework.core.convert.ConverterNotFoundException:
No converter found capable of converting
from type [java.lang.String]
to type [org.springframework.cloud.vault.config.VaultProperties$Config]
The above message indicates that the VaultProperties object could not be initialized using the string parameter supplied.
Here is the link to documentation and instructions on configuring VaultProperties:
https://spring.io/guides/gs/vault-config/
Some more information to help understand vault:
References:
Spring Cloud Vault: https://cloud.spring.io/spring-cloud-vault/
Hashicorp Vault: https://www.vaultproject.io
What is a Vault?
A vault is a secure storage space meant for storing secret information.
Hashicorp Vault is one tool that offers vault functionality for cloud applications.
What is Spring Boot Vault?
Spring Boot applications commonly require secret information for those to work.
Some examples of secret information are:
Database password
Private key
API key
Usually, the input parameters are passed to Spring boot application through the
"application.properties" file or "bootstrap.properties" file.
The use of such properties file poses a security risk, if secret data is directly mentioned in the file.
Spring Boot Vault addresses this risk.
It pulls secret information from vault and supplies to the application at the start-up time.
The .properties file will only tell the application the names of parameters that it can expect from Vault.
The actual values of the parameters will be taken from vault.
How to setup Vault?
Step 1: Install and launch HashiCorp Vault from
https://www.vaultproject.io/downloads.html:
Step 2: After installing Vault, test whether it works, by launching
it in a console window.
> vault server --dev --dev-root-token-id="spring-boot-vault-demo"
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.4.1
WARNING! dev mode is enabled!
.....
You may need to set the following environment variable:
PowerShell:
$env:VAULT_ADDR="http://127.0.0.1:8200"
cmd.exe:
set VAULT_ADDR=http://127.0.0.1:8200
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: +Dihvgj/oRN2zo6/97ZqpWt086/CFRZEPkuauDu4uQo=
Root Token: spring-boot-vault-demo
Step 3: Store some secret data in the vault,
by running these commands in a separate command window:
> set VAULT_ADDR=http://127.0.0.1:8200
> set VAULT_TOKEN=spring-boot-vault-demo
> vault kv put secret/spring-boot-vault-demo password=££££$$$$%%%%
Key Value
--- -----
created_time 2020-05-02T09:59:41.2233332Z
deletion_time n/a
destroyed false
version 1
I did this:
I made a shell script called setenv.sh and put this under it:
#!/bin/bash
launchctl setenv VAULT_ENABLE true
launchctl setenv VAULT_SCHEME http
launchctl setenv VAULT_HOST vault-1.dev.lokal
launchctl setenv VAULT_PORT 8200
launchctl setenv VAULT_TOKEN 5F97X
And then, before starting the application I ran the shell script with
sudo sh setenv.sh
And the application seems to work fine without any errors. Strangely if I do it with my previous approach of adding the env variables inside the .bash_profile, it doesn't work.
I am trying to have my application authenticate using AD credentials. I am using kinit to test after creating the krb5.ini file. I believe all the realm information is correct in the ini file but continue to receive the below error when testing with kinit.
Exception: krb_error 0 Cannot find any provider supporting ARCFOUR No error
KrbException: Cannot find any provider supporting ARCFOUR
at
sun.security.krb5.internal.crypto.ArcFourHmacEType.encrypt(ArcFourHm
cEType.java:68)
at
sun.security.krb5.internal.crypto.ArcFourHmacEType.encrypt(ArcFourHm
cEType.java:60)
at sun.security.krb5.EncryptedData.<init>(EncryptedData.java:122)
at sun.security.krb5.KrbAsReq.init(KrbAsReq.java:355)
at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:180)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:253)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider
suporting ARCFOUR
at javax.crypto.Cipher.getInstance(DashoA13*..)
at
sun.security.krb5.internal.crypto.dk.ArcFourCrypto.encrypt(ArcFourCrpto.java:279)
You need to enable RC4-HMAC in both your krb5.ini config and the conf/security/java.security
I think RC4 got blacklisted in Oracle JDK (>= 1.8.u060) for known insecurities together with MD5, but it is strictly required for key exchange by the MS Active Directory Kerberos implementation.
Maybe you have to re-enable it by removing RC4 from jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms of your JDKs conf/security/java.security.
See https://www.java.com/en/configure_crypto.html for more information.
I'm trying to connect to IBM WAS from local machine. I'm trying to connect to server using following code:
Properties Props = new Properties()
Props.setProperty(AdminClient.CONNECTOR_TYPE,
AdminClient.CONNECTOR_TYPE_SOAP)
Props.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true")
Props.setProperty(AdminClient.CACHE_DISABLED, "false")
Props.setProperty("javax.net.ssl.trustStore", "WebAS")
Props.setProperty("javax.net.ssl.trustStorePassword", "WebAS")
Props.setProperty(AdminClient.CONNECTOR_HOST, "127.0.0.1")
Props.setProperty(AdminClient.CONNECTOR_PORT, "9060")
Props.setProperty(AdminClient.USERNAME, "user")
Props.setProperty(AdminClient.PASSWORD, "password")
System.setProperty("com.ibm.SSL.ConfigURL", /specified location of
file/ "ssl.client.props") Props.setProperty("com.ibm.SSL.ConfigURL",
/specified location of file/ "ssl.client.props") //I generated
keystore.jks `
Props.setProperty("javax.net.ssl.trustStore",directory.toURI().toURL()+"keystore.jks"
); Props.setProperty("javax.net.ssl.keyStore",
directory.toURI().toURL()+"keystore.jks");
this.adminClient=AdminClientFactory.createAdminClient(Props)
When run the following code, I get following error
com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host 127.0.0.1 at port 9043.
Caused by: java.lang.reflect.InvocationTargetException
Caused by: java.lang.NoClassDefFoundError: com/ibm/security/certclient/util/PkSsCertFactory
Caused by: java.lang.ClassNotFoundException: com.ibm.security.certclient.util.PkSsCertFactory
I looked up for classname: com.ibm.security.certclient.util.PkSsCertFactory to include. I cannot find neither the IBM jar file or groupId, artifact id, version. Please help me out
Export the dmgr's CA certificate to nodes truststore and give a try.
As I can see your node agent is taking port 9043 to connect to dmgr, if all configurations made are default, then this should not happen.
please check your nodes and dmgrs serverindex.xml file.
I'm trying to get sonar to work on OpenShift. When i try to use environment variables in the sonar.properties file they are not resolved by sonar.
The results look something like:
2013.06.18 17:22:19 INFO o.s.c.p.Database Create JDBC datasource for jdbc:mysql://${env:OPENSHIFT_MYSQL_IP}:${env:OPENSHIFT_MYSQL_PORT}/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true
2013.06.18 17:22:20 ERROR o.s.c.p.Database Can not connect to database. Please check connectivity and settings (see the properties prefixed by 'sonar.jdbc.').
org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "OPENSHIFT_MYSQL_IP}:${env:OPENSHIFT_MYSQL_PORT}"'.)
at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1549) ~[commons-dbcp-1.3.jar:1.3]
at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1388) ~[commons-dbcp-1.3.jar:1.3]
at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:1044) ~[commons-dbcp-1.3.jar:1.3]
at org.sonar.core.persistence.DefaultDatabase.checkConnection(DefaultDatabase.java:140) [sonar-core-3.5.1.jar:na]
at org.sonar.core.persistence.DefaultDatabase.start(DefaultDatabase.java:69) [sonar-core-3.5.1.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_19]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_19]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_19]
at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_19]
I'm trying to understand how the variable resolution in sonar works so i can begin to figure out what is wrong on OpenShift.
I was able to get Sonar running using git://github.com/wenhao/openshift-sonar.git with a slight modification:
deleted the default jbossews sample app (git rm -r pom.xml src/ webapps/ROOT.war
only copied over the ROOT/ , sonar-3.3.1/ , and .openshift/action_hooks/pre_start_jbossews-1.0 from the repo
renamed pre_start_jbossews-1.0 to pre_start_jbossews (due to changes in v2 cartridge renaming)
modified ROOT/WEB-INF/classes/sonar-war.properties:
#SONAR_HOME=${env:OPENSHIFT_REPO_DIR}/webapps/sonar-3.3.1
SONAR_HOME=/var/lib/openshift/51c0c3c1e0b8cd74800000dc/app-root/repo/webapps/sonar-3.3.1
git add .
git commit/push
I'm not quite sure why ROOT/WEB-INF/classes/sonar-war.properties doesn't resolve the env variable, but sonar-3.3.1/conf/sonar.properties resolves them just fine:
sonar.jdbc.username: ${env:OPENSHIFT_MYSQL_DB_USERNAME}
sonar.jdbc.password: ${env:OPENSHIFT_MYSQL_DB_PASSWORD}