fabric8io / fabric8

fabric8 is an open source microservices platform based on Docker, Kubernetes and Jenkins
http://fabric8.io/

fabric:encrypt EncryptionOperationNotPossibleException #1975

Closed abedwardsw closed 10 years ago

abedwardsw commented 10 years ago

Using Fuse6.1GA I am getting an exception following the section: "Setting encrypted PID property values" in the Fuse6.1 Fabric documentation. Would you be able to confirm if I missed something?

1. Prepare property values for storage in properties

```
JBossFuse:karaf@root> crypt-algorithm-get
PBEWithMD5AndDES
JBossFuse:karaf@root> crypt-password-get
admin
JBossFuse:karaf@root> encrypt-message foobar
Encrypting message foobar
 Using algorithm PBEWithMD5AndDES and password admin
 Result: xHBenqWFYDwvWiw2ys3o1Q==
```

2. Create a properties file in fabric named org.crypt.test.properties with contents:

```
propval=foobar
```

3. Create resource cryptest.xml within the default profile

```xml
<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0">
    <cm:property-placeholder persistent-id="org.crypt.test" />

    <bean id="test" class="java.lang.String">
        <argument value="${propval}"/>
    </bean>
</blueprint>
```

4. Add a line to io.fabric8.agent.properties to create a bundle

```
bundle.cryptest=blueprint:profile:cryptest.xml
```

5. The cryptest bundle starts up fine

```
2014-07-10 20:56:28,458 | INFO  | agent-2-thread-1 | DeploymentAgent                  | io.fabric8.agent.DeploymentAgent  720 | 60 - io.fabric8.fabric-agent - 1.0.0.redhat-379 | Refreshing bundles:
2014-07-10 20:56:28,459 | INFO  | agent-2-thread-1 | DeploymentAgent                  | io.fabric8.agent.DeploymentAgent  722 | 60 - io.fabric8.fabric-agent - 1.0.0.redhat-379 |   cryptest.xml / 0.0.0
2014-07-10 20:56:28,459 | INFO  | agent-2-thread-1 | DeploymentAgent                  | io.fabric8.agent.DeploymentAgent  735 | 60 - io.fabric8.fabric-agent - 1.0.0.redhat-379 | Starting bundles:
2014-07-10 20:56:28,820 | INFO  | agent-2-thread-1 | DeploymentAgent                  | io.fabric8.agent.DeploymentAgent  741 | 60 - io.fabric8.fabric-agent - 1.0.0.redhat-379 |   cryptest.xml / 0.0.0
2014-07-10 20:56:28,918 | INFO  | agent-2-thread-1 | DeploymentAgent                  | io.fabric8.agent.DeploymentAgent  753 | 60 - io.fabric8.fabric-agent - 1.0.0.redhat-379 | Done.
```

6. Take the encrypted value from step 1 and put it in org.crypt.test.properties with contents (same applies when using profile-edit --pid..):

```
propval=${crypt:xHBenqWFYDwvWiw2ys3o1Q==}
```

7. Exception message below. Based on the exception, it seems that the decryption cannot read the variable properly, but I'm unsure what I might be entering wrong. Ideas?

```
2014-07-10 21:02:36,507 | WARN  | pool-21-thread-1 | AbstractDataStore                | abric8.service.AbstractDataStore  224 | 65 - io.fabric8.fabric-core - 1.0.0.redhat-379 | Caught: org.jasypt.exceptions.EncryptionOperationNotPossibleException
org.jasypt.exceptions.EncryptionOperationNotPossibleException
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)[56:org.apache.servicemix.bundles.jasypt:1.9.1.1]
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:725)[56:org.apache.servicemix.bundles.jasypt:1.9.1.1]
    at io.fabric8.service.EncryptedPropertyResolver.resolve(EncryptedPropertyResolver.java:65)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.service.FabricServiceImpl$2.getValue(FabricServiceImpl.java:1039)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.zookeeper.utils.InterpolationHelper.substVars(InterpolationHelper.java:178)[53:io.fabric8.fabric-zookeeper:1.0.0.redhat-379]
    at io.fabric8.service.FabricServiceImpl.substituteConfigurations(FabricServiceImpl.java:1035)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.internal.ProfileOverlayImpl.getConfigurations(ProfileOverlayImpl.java:358)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.internal.ProfileOverlayImpl.getContainerConfiguration(ProfileOverlayImpl.java:121)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.internal.ProfileImpl.getContainerConfigList(ProfileImpl.java:149)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.internal.ProfileOverlayImpl.getRepositories(ProfileOverlayImpl.java:106)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.features.FabricFeaturesServiceImpl.listInstalledRepositories(FabricFeaturesServiceImpl.java:327)[255:io.fabric8.fabric-features-service:1.0.0.redhat-379]
    at io.fabric8.features.FabricFeaturesServiceImpl.run(FabricFeaturesServiceImpl.java:93)[255:io.fabric8.fabric-features-service:1.0.0.redhat-379]
    at io.fabric8.service.AbstractDataStore.doRunCallbacks(AbstractDataStore.java:222)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.service.AbstractDataStore$1.run(AbstractDataStore.java:210)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)[:1.7.0_60]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)[:1.7.0_60]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)[:1.7.0_60]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)[:1.7.0_60]
    at java.lang.Thread.run(Thread.java:745)[:1.7.0_60]
2014-07-10 21:02:36,510 | WARN  | admin-1-thread-1 | FabricConfigAdminBridge          | figadmin.FabricConfigAdminBridge  148 | 67 - io.fabric8.fabric-configadmin - 1.0.0.redhat-379 | Exception when tracking configurations. This exception will be ignored.
org.jasypt.exceptions.EncryptionOperationNotPossibleException
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)[56:org.apache.servicemix.bundles.jasypt:1.9.1.1]
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:725)[56:org.apache.servicemix.bundles.jasypt:1.9.1.1]
    at io.fabric8.service.EncryptedPropertyResolver.resolve(EncryptedPropertyResolver.java:65)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.service.FabricServiceImpl$2.getValue(FabricServiceImpl.java:1039)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.zookeeper.utils.InterpolationHelper.substVars(InterpolationHelper.java:178)[53:io.fabric8.fabric-zookeeper:1.0.0.redhat-379]
    at io.fabric8.service.FabricServiceImpl.substituteConfigurations(FabricServiceImpl.java:1035)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.internal.ProfileOverlayImpl.getConfigurations(ProfileOverlayImpl.java:358)[65:io.fabric8.fabric-core:1.0.0.redhat-379]
    at io.fabric8.configadmin.FabricConfigAdminBridge.updateInternal(FabricConfigAdminBridge.java:118)[67:io.fabric8.fabric-configadmin:1.0.0.redhat-379]
    at io.fabric8.configadmin.FabricConfigAdminBridge.access$000(FabricConfigAdminBridge.java:52)[67:io.fabric8.fabric-configadmin:1.0.0.redhat-379]
    at io.fabric8.configadmin.FabricConfigAdminBridge$1.run(FabricConfigAdminBridge.java:100)[67:io.fabric8.fabric-configadmin:1.0.0.redhat-379]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)[:1.7.0_60]
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)[:1.7.0_60]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)[:1.7.0_60]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)[:1.7.0_60]
    at java.lang.Thread.run(Thread.java:745)[:1.7.0_60]
```

davsclaus commented 10 years ago

If you have a subscription for fuse, then use that to log a ticket to get faster help with this.

smkheir commented 10 years ago

Just out of curiosity, I debugged the case and noticed the "getPassword" method from the "EncryptedPropertyResolver.java" class returning something like "ZKENC dshkw2893" instead of returning the ensemble password. That's why jasypt is throwing the exception.

Looking further, I noticed that the zookeeper.password.encode system property defaults to "true" at the time of fabric creation. This means EncryptedPropertyResolver should decode the password before setting it on the jasypt encryptor, which it does not. That's why jasypt throws the exception, simply because the decryption password is not the one that the property value was encrypted with :)

To prove the theory, I simply added this line to setenv before creating the fabric: `export KARAF_OPTS="-Dzookeeper.password.encode=false"`

After creating the fabric, I noticed that property decryption is working fine, simply because the correct ensemble password is passed on to the jasypt encryptor. I believe turning off encoding is not a good idea, and I hope somebody takes a look at EncryptedPropertyResolver.java and somehow decodes it before setting the password on the jasypt encryptor, or maybe the solution resides in curator.

Committers know better :)

HTH, SM
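
An added illustration of the mismatch described in the comment above (not code from this thread or from fabric8), using only the JDK's `PBEWithMD5AndDES`: a value is encrypted with the real password, then decrypted first with the stored, still-encoded form and then with the decoded one. The `ZKENC=` plus Base64 encoding, the `decodeStored` helper, and the salt and iteration settings are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CryptPasswordMismatch {
    static final String ALG = "PBEWithMD5AndDES";      // value shown by crypt-algorithm-get
    static final int SALT_LEN = 8, ITERATIONS = 1000;  // assumed to match jasypt's defaults
    static final String PREFIX = "ZKENC=";             // assumed marker of the encoded form
    static Cipher cipher(int mode, String password, byte[] salt) throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(password.toCharArray()));
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key, new PBEParameterSpec(salt, ITERATIONS));
        return c;
    }
    // Assumed output layout: Base64(random salt || ciphertext).
    static String encrypt(String password, String msg) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, password, salt).doFinal(msg.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(salt, SALT_LEN + ct.length);
        System.arraycopy(ct, 0, out, SALT_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    static String decrypt(String password, String b64) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(b64);
        byte[] pt = cipher(Cipher.DECRYPT_MODE, password, Arrays.copyOf(in, SALT_LEN))
                .doFinal(in, SALT_LEN, in.length - SALT_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Hypothetical decode step: strip the marker, Base64-decode the rest.
    static String decodeStored(String s) {
        if (!s.startsWith(PREFIX)) return s;
        byte[] raw = Base64.getDecoder().decode(s.substring(PREFIX.length()));
        return new String(raw, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String stored = PREFIX + Base64.getEncoder().encodeToString("admin".getBytes(StandardCharsets.UTF_8));
        String enc = encrypt("admin", "foobar");  // encrypted with the real password
        try {  // stored form used as the key: padding check fails, or garbage comes back
            System.out.println("encoded: recovered=" + "foobar".equals(decrypt(stored, enc)));
        } catch (GeneralSecurityException e) {
            System.out.println("encoded: " + e.getClass().getSimpleName());
        }
        System.out.println("decoded: " + decrypt(decodeStored(stored), enc));
    }
}
```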

davsclaus commented 10 years ago

Thanks for reporting and sharing your findings.

davsclaus commented 10 years ago

Got it fixed now, there is a PR on the way.

abedwardsw commented 10 years ago

Thank you Claus, much appreciated.