I want to use asymmetric encryption for my Spring Cloud Config server which runs in docker. Spring Boot version: 2.4.4 Spring Cloud Config:
Symmetric encryption worked both running the app from intellij and from docker
Asymmetric encryption gives me trouble, but only when running the configserver from docker.
Running from intellij it worked:
Running configserver in docker gives me troubles.
Generate the jks:
```
keytool -genkeypair -alias myKeystoreSecret -keyalg RSA -dname "CN=John Doe,OU=my_unit,O=my_organization,L=Dallas,S=Texas,C=US" -validity 365 -keypass myStrongPass1 -keystore scc.jks -storepass myStrongPass1
```
Check the jks:
```
keytool -list -v -keystore scc.jks
...
```
bootstrap.yml:
```yaml
encrypt:
  key-store:
    location: ${KEYSTORE_LOCATION}
    password: ${KEYSTORE_PASSWORD}
    alias: ${KEYSTORE_ALIAS}
```
Env. file (scc_env.txt):
```
KEYSTORE_LOCATION=classpath:scc.jks
KEYSTORE_PASSWORD=myStrongPass1
KEYSTORE_ALIAS=myKeystoreSecret
```
Dockerfile:
```dockerfile
FROM openjdk:11-jre-slim
WORKDIR /project
COPY ./target/*.jar ./app.jar
EXPOSE 8888
ENTRYPOINT ["java", "-jar", "/project/app.jar"]
```
I use openjdk11 so that I could also use JFR, which comes for free starting with openjdk 11.
Compose:
```yaml
version: '3.1'
services:
  configserver:
    image: configserver:0.0.6
    ...
    env_file:
      - ../RESOURCES/scc_env.txt
```
Trying to encrypt a word:
```
ERROR 1 --- [nio-8888-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: Cannot load keys from store: class path resource [scc.jks]] with root cause
configserver |
configserver | java.io.IOException: Invalid keystore format
configserver | at java.base/sun.security.provider.JavaKeyStore.engineLoad(Unknown Source) ~[na:na]
configserver | at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[na:na]
configserver | at java.base/java.security.KeyStore.load(Unknown Source) ~[na:na]
configserver | at org.springframework.security.rsa.crypto.KeyStoreKeyFactory.getKeyPair(KeyStoreKeyFactory.java:70) ~[spring-security-rsa-1.0.9.RELEASE.jar!/:na]
...
```
**I specify the "type" in the bootstrap.yml:**
`encrypt.key-store.type: PKCS12`
Then try again to encrypt a word:
```
ERROR 1 --- [nio-8888-exec-3] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: Cannot load keys from store: class path resource [scc.jks]] with root cause
configserver |
configserver | java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
configserver | at java.base/javax.crypto.Mac.getInstance(Unknown Source) ~[na:na]
configserver | at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source) ~[na:na]
configserver | at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source) ~[na:na]
configserver | at java.base/java.security.KeyStore.load(Unknown Source) ~[na:na]
configserver | at org.springframework.security.rsa.crypto.KeyStoreKeyFactory.getKeyPair(KeyStoreKeyFactory.java:70) ~[spring-security-rsa-1.0.9.RELEASE.jar!/:na]
...
```
Create another jks from inside of the container & try to access it:
Comment From: techjourney010
It was the openjdk version having issues, not SCC. For example with openjdk:16-slim it worked! I will close the issue since it is not a SCC issue
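The two stack traces in the issue point at two separate questions: what format the file named `scc.jks` actually has (`keytool` on current JDKs writes PKCS12 by default regardless of the file extension, which is why the JKS loader reports "Invalid keystore format"), and whether the JDK inside the image provides the `HmacPBESHA256` MAC that the PKCS12 loader needs to verify the store's integrity. The following diagnostic is an added example, not code from Spring Cloud Config or from the issue author; it assumes the keystore is mounted or copied into the container and is run there with the same JDK the config server uses. The class name, the command-line arguments and the output labels are my own choices.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Mac;

/**
 * Hypothetical diagnostic: run it inside the container image with the JDK the
 * config server uses (JDK 11+ can launch it directly from source), e.g.
 *   java KeystoreDiag.java /project/scc.jks myStrongPass1
 * It reports the real on-disk format of the file and whether this JDK can
 * build the MAC algorithm named in the second stack trace.
 */
public class KeystoreDiag {

    /** Guess the on-disk format from the first bytes of the file. */
    static String sniffFormat(byte[] head) {
        if (startsWith(head, 0xFE, 0xED, 0xFE, 0xED)) {
            return "JKS";      // JavaKeyStore magic 0xFEEDFEED
        }
        if (startsWith(head, 0xCE, 0xCE, 0xCE, 0xCE)) {
            return "JCEKS";    // JCE keystore magic 0xCECECECE
        }
        if (head.length >= 1 && head[0] == 0x30) {
            return "PKCS12";   // DER SEQUENCE: the outer PFX structure of PKCS#12
        }
        return "unknown";
    }

    private static boolean startsWith(byte[] data, int... magic) {
        if (data.length < magic.length) {
            return false;
        }
        for (int i = 0; i < magic.length; i++) {
            if ((data[i] & 0xFF) != magic[i]) {
                return false;
            }
        }
        return true;
    }

    /** True if one of this JDK's providers can create the named Mac. */
    static boolean macAvailable(String algorithm) {
        try {
            Mac.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Open the store with an explicit type; null on success, else the failure summary. */
    static String tryLoad(String path, String type, char[] password) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return null;
        } catch (Exception e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: KeystoreDiag <keystore-file> <store-password>");
            System.exit(2);
        }
        String path = args[0];
        char[] password = args[1].toCharArray();

        byte[] head = new byte[4];
        try (InputStream in = new FileInputStream(path)) {
            int n = in.read(head);
            head = Arrays.copyOf(head, Math.max(n, 0));
        }

        System.out.println("java.version            : " + System.getProperty("java.version"));
        System.out.println("default keystore type   : " + KeyStore.getDefaultType());
        System.out.println("file format (sniffed)   : " + sniffFormat(head));
        // The MAC from the second trace; newer keytool versions use it for PKCS12 integrity.
        System.out.println("HmacPBESHA256 available : " + macAvailable("HmacPBESHA256"));
        for (String type : new String[] {"JKS", "PKCS12"}) {
            String err = tryLoad(path, type, password);
            System.out.println("load as " + type + "             : " + (err == null ? "OK" : err));
        }
        Arrays.fill(password, '\0'); // do not keep the password in memory longer than needed
    }
}
```

If the sniffed format is PKCS12 and `HmacPBESHA256 available` prints `false`, the image's JDK is the limiting factor, which matches the outcome in the thread: either move to a JDK build that provides the algorithm, or regenerate the keystore with a `keytool` from the same JDK version the container runs, so that the store's integrity MAC uses an algorithm that JDK supports.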