confluentinc / cp-demo

Confluent Platform Demo including Apache Kafka, ksqlDB, Control Center, Schema Registry, Security, Schema Linking, and Cluster Linking
Apache License 2.0

Java Version Check before Generating Java Key Stores #370

Closed andrewegel closed 3 years ago

andrewegel commented 3 years ago

Description

My "default" java was java11/16 (something NOT java8). This generates Java Keystores with an algorithm that Java8 inside the containers doesn't understand. This is the exception I saw the kafka brokers throwing:

kafka1            | Caused by: org.apache.zookeeper.common.X509Exception$KeyManagerException: java.io.IOException: Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
kafka1            |     at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:417)
kafka1            |     at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:334)
kafka1            |     ... 22 more
kafka1            | Caused by: java.io.IOException: Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
kafka1            |     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2167)
kafka1            |     at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
kafka1            |     at java.base/java.security.KeyStore.load(KeyStore.java:1479)
kafka1            |     at org.apache.zookeeper.common.StandardTypeFileKeyStoreLoader.loadKeyStore(StandardTypeFileKeyStoreLoader.java:48)
kafka1            |     at org.apache.zookeeper.common.X509Util.createKeyManager(X509Util.java:406)
kafka1            |     ... 23 more
kafka1            | Caused by: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
kafka1            |     at java.base/javax.crypto.Mac.getInstance(Mac.java:191)
kafka1            |     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2145)
kafka1            |     ... 27 more

If I tear down, destroy the certs & keystores created, then set JAVA_HOME=/path/to/a/java/8/Home, and re-run the start.sh script, then things work. A couple of suggested improvements:

Troubleshooting

Validate every step in the troubleshooting section: https://docs.confluent.io/platform/current/tutorials/cp-demo/docs/index.html#troubleshooting => Nothing about java.security.NoSuchAlgorithmException

Identify any existing issues that seem related: https://github.com/confluentinc/cp-demo/issues?q=is%3Aissue => Searched for NoSuchAlgorithmException or HmacPBESHA256, found nothing like this.

If applicable, please include the output of:

Environment

andrewegel commented 3 years ago

Hmmm looks like https://github.com/confluentinc/cp-demo/issues/367 follows the same line of reasoning, though my error is different. So I'll just close this as a "pointer" to https://github.com/confluentinc/cp-demo/issues/367
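
A pre-flight check of the kind the issue title asks for, as an added example that is not part of the cp-demo scripts or of the comments above. The function names, the `REQUIRED_JAVA_MAJOR` variable, and the use of `JAVA_HOME` to locate the host JDK are assumptions made for illustration; the required major version of 8 comes from the issue's description of the containers.

```bash
# Added example: pre-flight check to run before keytool writes keystores.
# Assumption (from the issue): the containers run Java 8.
REQUIRED_JAVA_MAJOR=8   # assumed; set to the JVM major version in the images

# Print the major version found in the first line of `java -version` output.
# Handles the legacy "1.8.0_292" scheme and the modern "11.0.11" / "16.0.1" one.
java_major_from_banner() {
  local banner="$1" ver
  # The version string is the first double-quoted token on the line.
  ver=$(printf '%s\n' "$banner" | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$ver" ] || return 1
  case "$ver" in
    1.*) ver=${ver#1.} ;;          # 1.8.0_292 -> 8.0_292
  esac
  printf '%s\n' "${ver%%[._+-]*}"  # keep digits before the first separator
}

# 0: matches the required major, 1: mismatch, 2: version could not be parsed.
keystore_java_ok() {
  local major
  major=$(java_major_from_banner "$1") || return 2
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  [ "$major" -eq "$REQUIRED_JAVA_MAJOR" ]
}

# Hypothetical entry point: call this before any keytool invocation.
# Assumes keytool comes from JAVA_HOME when set, otherwise from PATH.
preflight_keystore_java() {
  local java_bin banner rc=0
  java_bin="${JAVA_HOME:+$JAVA_HOME/bin/}java"
  banner=$("$java_bin" -version 2>&1 | head -n 1)
  keystore_java_ok "$banner" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "ERROR: host Java is not major version $REQUIRED_JAVA_MAJOR: $banner" >&2
    echo "Keystores written by it may fail to load in the containers" >&2
    echo "(see 'Algorithm HmacPBESHA256 not available'). Set JAVA_HOME and retry." >&2
  fi
  return "$rc"
}
```

Calling `preflight_keystore_java || exit 1` at the top of a certificate-generation script stops the run before any keystore is written, so no stale keystores need to be destroyed afterwards.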