Details
- Improvement
- Status: Resolved
- Major
- Resolution: Information Provided
- 1.0.0
- None
Description
scottyaslan discovered an edge case introduced in NIFI-2943 – on a system without the JCE unlimited strength cryptographic jurisdiction policies installed, a PKCS12 keystore with a password longer than 7 characters will fail at start-up. Though this issue is captured when using the TLS Toolkit to generate a keystore (or a client certificate, which is stored in a PKCS12 keystore in order to include the private key), a user could have manually generated a PKCS12 keystore with a password longer than 7 characters using openssl but will not be able to use it in NiFi without installing the JCE USC policies.
Example output from TLS toolkit in 128-bit mode:
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto 🔒 76s @ 19:48:16 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
2016/11/17 19:48:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2016/11/17 19:48:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: WARNING!!!!
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Unlimited JCE Policy is not installed which means we cannot utilize a
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: PKCS12 password longer than 7 characters.
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Autogenerated password has been reduced to 7 characters.
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Please strongly consider installing Unlimited JCE Policy at
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: Another alternative is to add a stronger password with the openssl tool to the
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: resulting client certificate: ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -in '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12' -out '/tmp/CN=test.p12'
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: openssl pkcs12 -export -in '/tmp/CN=test.p12' -out '../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12'
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: rm -f '/tmp/CN=test.p12'
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper:
2016/11/17 19:48:44 WARN [main] org.apache.nifi.toolkit.tls.util.TlsHelper: **********************************************************************************
2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:48:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto 🔒 28s @ 19:48:45 $
Example output from TLS toolkit in 256-bit mode:
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto 🔒 320s @ 19:55:16 $ jce_unlimited
Enabling JCE unlimited strength crypto policy
/Users/alopresto/Desktop/security/unlimited/US_export_policy.jar -> /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./US_export_policy.jar
/Users/alopresto/Desktop/security/unlimited/local_policy.jar -> /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre/lib/security/./local_policy.jar
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto 🔓 235s @ 19:59:12 $ ./bin/tls-toolkit.sh standalone -C 'CN=test' -P password
2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: No nifiPropertiesFile specified, using embedded one.
2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.1.0-SNAPSHOT
2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.1.0-SNAPSHOT/nifi-key.key
2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No hostnames specified, not generating any host certificates or configuration.
2016/11/17 19:59:38 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generating new client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:59:39 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated client certificate ../nifi-toolkit-1.1.0-SNAPSHOT/CN=test.p12
2016/11/17 19:59:39 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.1.0-SNAPSHOT-bin/nifi-toolkit-1.1.0-SNAPSHOT (master) alopresto 🔓 4s @ 19:59:40 $
If the application is started in 128-bit mode with the keystore.p12 using a keystore password >= 8 characters, the following error will be printed in $NIFI_HOME/logs/nifi-app.log:
org.apache.nifi.web.NiFiCoreException: Unable to start Flow Controller.
    at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:93) ~[na:na]
    at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:837) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:533) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:810) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:345) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1404) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1366) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:772) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262) ~[jetty-servlet-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:520) ~[jetty-webapp-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:231) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.Server.start(Server.java:411) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:106) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.Server.doStart(Server.java:378) [jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675) [nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.apache.nifi.NiFi.<init>(NiFi.java:156) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.apache.nifi.NiFi.main(NiFi.java:262) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.apache.nifi.web.contextlistener.ApplicationStartupContextListener.contextInitialized(ApplicationStartupContextListener.java:52) ~[na:na]
    ... 28 common frames omitted
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:175) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:103) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1585) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:317) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1060) ~[spring-context-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    at org.apache.nifi.spring.StandardFlowServiceFactoryBean.getObject(StandardFlowServiceFactoryBean.java:48) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    ... 34 common frames omitted
Caused by: org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
    at org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:106) ~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.apache.nifi.controller.FlowController.<init>(FlowController.java:440) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.apache.nifi.controller.FlowController.createStandaloneInstance(FlowController.java:375) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.apache.nifi.spring.FlowControllerFactoryBean.getObject(FlowControllerFactoryBean.java:74) ~[nifi-framework-core-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:168) ~[spring-beans-4.2.4.RELEASE.jar:4.2.4.RELEASE]
    ... 41 common frames omitted
Caused by: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
    at org.apache.nifi.framework.security.util.SslContextFactory.createSslContext(SslContextFactory.java:86) ~[nifi-security-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    ... 45 common frames omitted
2016-11-17 18:35:17,830 INFO [main] /nifi-content-viewer No Spring WebApplicationInitializer types detected on classpath
2016-11-17 18:35:17,833 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-content-viewer-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:17,836 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,AVAILABLE}
2016-11-17 18:35:17,907 INFO [main] /nifi-docs No Spring WebApplicationInitializer types detected on classpath
2016-11-17 18:35:17,909 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.w.WebAppContext@7585531b{/nifi-docs,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-docs-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:17,969 INFO [main] / No Spring WebApplicationInitializer types detected on classpath
2016-11-17 18:35:17,972 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.w.WebAppContext@6fb8cfa7{/,file:///Users/scottyaslan/nifi/nifi-assembly/target/nifi-1.1.0-SNAPSHOT-bin/nifi-1.1.0-SNAPSHOT/work/jetty/nifi-web-error-1.1.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:17,990 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source) ~[bcprov-jdk15on-1.55.jar:1.55.0]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_77]
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1027) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:333) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.server.Server.doStart(Server.java:390) ~[jetty-server-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) ~[jetty-util-9.3.9.v20160517.jar:9.3.9.v20160517]
    at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:675) ~[nifi-jetty-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.apache.nifi.NiFi.<init>(NiFi.java:156) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
    at org.apache.nifi.NiFi.main(NiFi.java:262) [nifi-runtime-1.1.0-SNAPSHOT.jar:1.1.0-SNAPSHOT]
2016-11-17 18:35:17,991 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
2016-11-17 18:35:17,996 INFO [Thread-1] o.eclipse.jetty.server.AbstractConnector Stopped ServerConnector@464f12de{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2016-11-17 18:35:18,003 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@6fb8cfa7{/,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-error-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,006 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@7585531b{/nifi-docs,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-docs-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,006 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.s.h.ContextHandler@11a9f958{/nifi-docs,null,UNAVAILABLE}
2016-11-17 18:35:18,010 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@26c84006{/nifi-content-viewer,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-content-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,011 INFO [Thread-1] o.a.n.w.c.ApplicationStartupContextListener Initiating shutdown of flow service...
2016-11-17 18:35:18,018 WARN [Thread-1] o.a.n.w.c.ApplicationStartupContextListener Problem occurred ensuring flow controller or repository was properly terminated due to org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowService': FactoryBean threw exception on object creation; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'flowController': FactoryBean threw exception on object creation; nested exception is org.apache.nifi.framework.security.util.SslContextCreationException: java.io.IOException: exception decrypting data - java.security.InvalidKeyException: Illegal key size
2016-11-17 18:35:18,018 INFO [Thread-1] /nifi-api Closing Spring root WebApplicationContext
2016-11-17 18:35:18,075 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@814b60b{/nifi-api,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-api-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,206 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@5112b7{/nifi,null,UNAVAILABLE}{./work/nar/framework/nifi-framework-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-web-ui-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,213 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@4fd80300{/nifi-update-attribute-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-update-attribute-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-update-attribute-ui-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,218 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@4baf997{/nifi-standard-content-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-standard-content-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,236 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@750cd36d{/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-standard-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-jolt-transform-json-ui-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,239 INFO [Thread-1] o.e.jetty.server.handler.ContextHandler Stopped o.e.j.w.WebAppContext@3a0896b3{/nifi-image-viewer-1.1.0-SNAPSHOT,null,UNAVAILABLE}{./work/nar/extensions/nifi-media-nar-1.1.0-SNAPSHOT.nar-unpacked/META-INF/bundled-dependencies/nifi-image-viewer-1.1.0-SNAPSHOT.war}
2016-11-17 18:35:18,241 INFO [Thread-1] org.apache.nifi.NiFi Jetty web server shutdown completed (nicely or otherwise).
We should catch the illegal key size exception and print a more helpful error message, as the toolkit does. We should also investigate if the recent change affected prior behavior by changing how BouncyCastle was used to handle keystores. Most users use JKS keystores, but some choose PKCS12. PKCS12 should be discouraged as a format for keystores and truststores in NiFi as it is overly complex and unnecessary.
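A sketch of the handling proposed above, added here as an example and not taken from NiFi's code: it probes the JCE policy with `Cipher.getMaxAllowedKeyLength`, loads a PKCS12 keystore, and turns the "Illegal key size" failure into an actionable message. The class `Pkcs12PolicyCheck` and its methods are hypothetical names, and the keystore provider is whichever one the JVM selects for "PKCS12".

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import javax.crypto.Cipher;

// Hypothetical diagnostic class (not part of NiFi).
public class Pkcs12PolicyCheck {

    // With the limited-strength policy files, the JCE caps AES at 128 bits;
    // with the unlimited policy it reports Integer.MAX_VALUE.
    static boolean isUnlimitedStrengthInstalled() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // In the trace on this page the InvalidKeyException text is embedded in the
    // IOException message, so check the message as well as the cause chain.
    static boolean causedByIllegalKeySize(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof InvalidKeyException) {
                return true;
            }
            String message = c.getMessage();
            if (message != null && message.contains("Illegal key size")) {
                return true;
            }
        }
        return false;
    }

    static KeyStore loadPkcs12(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
            return keyStore;
        } catch (IOException | GeneralSecurityException e) {
            if (causedByIllegalKeySize(e) && !isUnlimitedStrengthInstalled()) {
                // Report the length only, never the password itself.
                throw new IOException("Cannot open PKCS12 keystore " + path
                        + ": the JCE unlimited strength policy is not installed and the"
                        + " keystore password is " + password.length + " characters long."
                        + " Without that policy, PKCS12 passwords longer than 7 characters"
                        + " cannot be used; install the policy files or use a JKS keystore.", e);
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java Pkcs12PolicyCheck <keystore.p12> <password>");
            System.exit(2);
        }
        System.out.println("Unlimited strength policy installed: "
                + isUnlimitedStrengthInstalled());
        KeyStore keyStore = loadPkcs12(args[0], args[1].toCharArray());
        System.out.println("Loaded keystore with " + keyStore.size() + " entries");
    }
}
```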
Issue Links
- Is contained by: NIFI-5458 Improve NiFi TLS and certificate management (Resolved)