OpenIDM / OPENIDM-9331

Enabling CSV tamper prevention through the Admin UI may fail with a keystore password error

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OpenIDM 5.5.0, OpenIDM 6.0.0
    • Fix Version/s: 6.5.0
    • Component/s: Module - Audit
    • Environment: IDM 5.5.0 build 9ef5f6f running on CentOS 7, MySQL as repo, Java 8. Admin UI accessed using Chrome 60.0.3112.113 from a Mac.
    • Story Points: 3
    • Sprint: OpenIDM Sprint 85, OpenIDM Sprint 6.5-1

      Description

      When trying to configure CSV tamper prevention using a keystore filename and password, submitting and saving the changes from the UI may fail with the error below, which disables the audit service:

      Sep 21, 2017 4:10:33 PM org.forgerock.security.keystore.KeyStoreBuilder build
      SEVERE: Error loading keystore
      java.io.IOException: Keystore was tampered with, or password was incorrect
              at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:865)
              at java.security.KeyStore.load(KeyStore.java:1445)
              at org.forgerock.security.keystore.KeyStoreBuilder.build(KeyStoreBuilder.java:245)
              at org.forgerock.audit.secure.JcaKeyStoreHandler.init(JcaKeyStoreHandler.java:66)
              at org.forgerock.audit.secure.JcaKeyStoreHandler.<init>(JcaKeyStoreHandler.java:51)
              at org.forgerock.audit.handlers.csv.SecureCsvWriter.<init>(SecureCsvWriter.java:108)
              at org.forgerock.audit.handlers.csv.CsvAuditEventHandler.createCsvWriter(CsvAuditEventHandler.java:341)
              at org.forgerock.audit.handlers.csv.CsvAuditEventHandler.openWriter(CsvAuditEventHandler.java:333)
              at org.forgerock.audit.handlers.csv.CsvAuditEventHandler.startup(CsvAuditEventHandler.java:220)
              at org.forgerock.audit.AuditServiceImpl.startup(AuditServiceImpl.java:399)
              at org.forgerock.audit.AuditServiceProxy.setDelegate(AuditServiceProxy.java:89)
              at org.forgerock.openidm.audit.impl.AuditServiceImpl.activate(AuditServiceImpl.java:344)
              at org.forgerock.openidm.audit.impl.AuditServiceImpl.modified(AuditServiceImpl.java:388)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.apache.felix.scr.impl.inject.BaseMethod.invokeMethod(BaseMethod.java:224)
              at org.apache.felix.scr.impl.inject.BaseMethod.access$500(BaseMethod.java:39)
              at org.apache.felix.scr.impl.inject.BaseMethod$Resolved.invoke(BaseMethod.java:617)
              at org.apache.felix.scr.impl.inject.BaseMethod.invoke(BaseMethod.java:501)
              at org.apache.felix.scr.impl.inject.ActivateMethod.invoke(ActivateMethod.java:302)
              at org.apache.felix.scr.impl.inject.ActivateMethod.invoke(ActivateMethod.java:294)
              at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:772)
              at org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:727)
              at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:645)
              at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:609)
              at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:426)
              at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:273)
              at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:2074)
              at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:2042)
              at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:141)
              at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:109)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.UnrecoverableKeyException: Password verification failed
              ... 34 more
      

      The complete IDM log is attached. It doesn't always happen; it occurred twice in 4 tries. I worked with JasonL and decrypted the configured password using a curl command, and it was the correct password.

      To reproduce:
      1. Start IDM. I used Pyforge and the IDM sample sync-with-ldap and left IDM running after the test finished (by commenting out Suite Teardown in ReconLDAPToManUser.robot), then started the test:

      python -u run-pybot.py -c stress  -s *ReconLDAPToManUser -t time_and_throughput_for_recon_create OpenIDM
      

      2. Set up keys for the feature by following: https://ea.forgerock.com/docs/openidm/doc/integrators-guide/index.html#tamper-evident-operation.
      3. Configure the CSV tamper prevention feature in the admin UI using the keystore filename and password (audit.json is attached).
      4. Submit and save the changes and observe the symptom.
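      The following is an added diagnostic example, not code from this issue or from OpenIDM. It performs the same KeyStore.load() that the trace shows JcaKeyStoreHandler doing, but outside IDM, so an operator can tell whether the keystore/password pair itself fails or only the value IDM passes at runtime. The keystore path and the KEYSTORE_PASSWORD variable are assumptions; the JCEKS type matches the com.sun.crypto.provider.JceKeyStore frame in the trace.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Offline check of the KeyStore.load() call that the audit handler performs (added example). */
public class KeystorePasswordCheck {

    public enum Outcome { OPENED, INTEGRITY_CHECK_FAILED, UNREADABLE }

    /**
     * For JKS/JCEKS a wrong password and a modified file are indistinguishable:
     * both surface as IOException("Keystore was tampered with, or password was
     * incorrect") whose cause is UnrecoverableKeyException("Password verification
     * failed"), exactly the pair of messages in the issue's trace.
     */
    public static Outcome tryOpen(String path, String type, char[] password, List<String> aliasesOut) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            aliasesOut.addAll(Collections.list(ks.aliases())); // confirm the signing key alias is present
            return Outcome.OPENED;
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return Outcome.INTEGRITY_CHECK_FAILED;     // password/file pair is wrong
            }
            return Outcome.UNREADABLE;                     // missing, truncated or wrong-format file
        } catch (GeneralSecurityException e) {
            return Outcome.UNREADABLE;                     // unknown keystore type or certificate error
        }
    }

    /** Usage: KEYSTORE_PASSWORD=... java KeystorePasswordCheck /path/to/keystore.jceks [JCEKS] */
    public static void main(String[] args) {
        String path = args[0];
        String type = args.length > 1 ? args[1] : "JCEKS";
        String pw = System.getenv("KEYSTORE_PASSWORD");   // env var keeps the password out of shell history
        if (pw == null) { System.err.println("set KEYSTORE_PASSWORD"); System.exit(2); }
        List<String> aliases = new ArrayList<>();
        Outcome outcome = tryOpen(path, type, pw.toCharArray(), aliases);
        System.out.println(outcome + (aliases.isEmpty() ? "" : " aliases=" + aliases));
        System.exit(outcome == Outcome.OPENED ? 0 : 1);
    }
}
```

      If this opens the keystore with the same decrypted password, the stored pair is sound and the remaining suspect is how the value reaches the handler on save; if it reports INTEGRITY_CHECK_FAILED, the file or password is wrong regardless of IDM.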

        Attachments

        1. audit.json (6 kB)
        2. audit.json (5 kB)
        3. openidm0.log.0 (84 kB)
        4. openidm0.log.1 (943 kB)


        People

        • Assignee: Whitney Hunter (Inactive)
        • Reporter: Tinghua.Xu
        • Votes: 0
        • Watchers: 8
