SecurityUtility only prints Exception name without errorstack #30520

Open
wants to merge 4 commits into
base: integration

una-tapa (Member) commented Jan 9, 2025

This PR enhances the serviceability of the securityUtility command. By adding a single line of code to each catch block, we enabled the printing of debug information, as reported by the user. This additional detail has proven invaluable in furthering our investigation. Resolving this issue took over a month, but these changes should significantly improve troubleshooting efficiency moving forward.

BEFORE

$ wlp/bin/securityUtility encode --encoding=aes Welcome1
Error: java.lang.NullPointerException
Usage:
securityUtility encode [options]
Description:
Encode the provided text.

AFTER

$ securityUtility encode --encoding=aes Welcome1"
DEBUG: Exception received. Below is a debug message
java.lang.NullPointerException
at com.ibm.ws.crypto.util.AESKeyManager.getKey(AESKeyManager.java:123)
at com.ibm.ws.crypto.util.PasswordCipherUtil.aesEncipherV0(PasswordCipherUtil.java:528)
at com.ibm.ws.crypto.util.PasswordCipherUtil.encipher_internal(PasswordCipherUtil.java:368)
at com.ibm.websphere.crypto.PasswordUtil.encode_password(PasswordUtil.java:705)
at com.ibm.websphere.crypto.PasswordUtil.encode(PasswordUtil.java:265)
at com.ibm.ws.security.utility.tasks.EncodeTask.encode(EncodeTask.java:110)
at com.ibm.ws.security.utility.tasks.EncodeTask.handleTask(EncodeTask.java:144)
at com.ibm.ws.security.utility.SecurityUtility.runProgram(SecurityUtility.java:145)
at com.ibm.ws.security.utility.SecurityUtility.main(SecurityUtility.java:187)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.ibm.ws.kernel.boot.cmdline.UtilityMain.internal_main(UtilityMain.java:175)
at com.ibm.ws.kernel.boot.cmdline.UtilityMain.main(UtilityMain.java:55)
at com.ibm.ws.kernel.boot.cmdline.Main.main(Main.java:54)

The above information led me to add code in AESKeyManager. It finally found that PBKDF2WithHmacSHA1 was disabled in their environment.

[DEBUG] Creating the new holder with alg=PBKDF2WithHmacSHA1 salt=[B@4b6995df iterations=84756 keyLength=128
[DEBUG] NoSuchAlgorithmException received. Returning null
java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA1 SecretKeyFactory not available
at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
at com.ibm.ws.crypto.util.AESKeyManager$KeyVersion.get(AESKeyManager.java:72)
at com.ibm.ws.crypto.util.AESKeyManager$KeyVersion.access$400(AESKeyManager.java:38)
at com.ibm.ws.crypto.util.AESKeyManager.getHolder(AESKeyManager.java:186)
at com.ibm.ws.crypto.util.AESKeyManager.getKey(AESKeyManager.java:155)
at com.ibm.ws.crypto.util.PasswordCipherUtil.aesEncipherV0(PasswordCipherUtil.java:528)
at com.ibm.ws.crypto.util.PasswordCipherUtil.encipher_internal(PasswordCipherUtil.java:368)
at com.ibm.websphere.crypto.PasswordUtil.encode_password(PasswordUtil.java:705)
at com.ibm.websphere.crypto.PasswordUtil.encode(PasswordUtil.java:265)

The user recently migrated from IBM Java 8 to Semeru 11, which disables PBKDF2WithHmacSHA1 in FIPS mode.
Workaround: https://www.ibm.com/support/pages/fips-certified-cryptography-ibm-semeru-runtimes
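
An added example (not code from this PR or from Open Liberty): a stand-alone probe that checks whether the JVM's active security providers offer the PBKDF2 `SecretKeyFactory` named in the trace above, and that keeps the provider's exception as the cause instead of returning null. The class name `KdfProbe`, the salt, the secret and the second algorithm name are assumptions chosen for illustration; the iteration count and key length are copied from the debug line.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical diagnostic class; not part of Open Liberty.
public class KdfProbe {

    // Derive a key and keep the provider failure as the cause, rather than
    // returning null and failing later with a bare NullPointerException.
    static byte[] derive(String alg, char[] secret, byte[] salt, int iterations, int keyLengthBits) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(alg);
            PBEKeySpec spec = new PBEKeySpec(secret, salt, iterations, keyLengthBits);
            try {
                return factory.generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword(); // do not leave the secret in the spec object
            }
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(alg + " is not usable with the active security providers", e);
        }
    }

    public static void main(String[] args) {
        // Providers registered in this JVM; a FIPS profile changes this list.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p);
        }
        // Constructed inputs; only the iteration count and key length come from the page.
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        char[] secret = "constructed-secret".toCharArray();
        for (String alg : new String[] { "PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256" }) {
            try {
                byte[] key = derive(alg, secret, salt, 84756, 128);
                // Report only the length; never print derived key material.
                System.out.println(alg + ": available, derived " + key.length + " bytes");
            } catch (IllegalStateException e) {
                System.out.println(alg + ": " + e.getCause());
            }
        }
    }
}
```

Running it with the same JVM and security options as the failing `securityUtility` invocation shows which algorithm the runtime refuses, without touching the server configuration.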

una-tapa (Member, Author) commented Jan 9, 2025

#build (view Open Liberty Personal Build - ❌ completed with errors/failures.)

Note: Target locations of links might be accessible only to IBM employees.

una-tapa (Member, Author) commented Jan 9, 2025

Updated the copyright and submitting the build again.
(view Open Liberty Personal Build - ❌ completed with errors/failures.)
#build

Note: Target locations of links might be accessible only to IBM employees.

una-tapa (Member, Author) commented Jan 9, 2025

Fixes #30521

LibbyBot commented Jan 9, 2025

Code analysis and actions

DO NOT DELETE THIS COMMENT.
  • 1 product code files were changed.
  • Please describe in a separate comment how you tested your changes.

una-tapa self-assigned this Jan 9, 2025
una-tapa added the serviceability label (Label used to track serviceability related issues) Jan 9, 2025
Removing the printStackTrace from the IllegalArgumentException handling as it may have sufficient serviceability coverage. 
The challenge we are encountering is when the runtime exception is thrown.

una-tapa (Member, Author) commented Jan 10, 2025

#build (view Open Liberty Personal Build - ❌ completed with errors/failures.)

Note: Target locations of links might be accessible only to IBM employees.

@LibbyBot

Code analysis and actions

DO NOT DELETE THIS COMMENT.
  • 1 product code files were changed.
  • Please describe in a separate comment how you tested your changes.

@LibbyBot

Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_CjfoEM9kEe-f-sI4gb7_Pw

Target locations of links might be accessible only to IBM employees.

@LibbyBot

Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_mTjLEM9kEe-f-sI4gb7_Pw

Target locations of links might be accessible only to IBM employees.

@LibbyBot

Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_rMNLkc_yEe-f-sI4gb7_Pw

Target locations of links might be accessible only to IBM employees.

una-tapa requested review from utle and removed request for utle January 13, 2025 16:09

una-tapa (Member, Author) commented Jan 14, 2025

#build (view Open Liberty Personal Build - ❌ completed with errors/failures.)

Note: Target locations of links might be accessible only to IBM employees.

@LibbyBot

Code analysis and actions

DO NOT DELETE THIS COMMENT.
  • 2 product code files were changed.
  • Please describe in a separate comment how you tested your changes.

Successfully merging this pull request may close these issues.

securityUtility does not print out the error stack for RuntimeException