Share LTPA key between app instances using default and custom encryption keys #615
Open
leochr opened this issue Aug 29, 2024 · 2 comments

@leochr
Member

leochr commented Aug 29, 2024

Share the LTPA key between OpenLibertyApplication CR instances using the default password encryption key and those using a custom password encryption key (specified via the wlp.password.encryption.key variable).

  • Once an ltpa.keys is generated, reuse it
  • Add server config with the ltpa element and keysPassword according to the usage of wlp.password.encryption.key
  • The randomly generated LTPA password must be stored in a Secret so that it can be encrypted later (when the custom password encryption key is specified for the first time or the password encryption key changes) using securityUtility encode
@leochr
Member Author

leochr commented Aug 29, 2024

The question that arose was whether an ltpa.keys can be shared between Liberty servers where some use the default password encryption key while others use a custom password encryption key (wlp.password.encryption.key).

I tested the following and I believe it confirms that ltpa.keys can be shared as long as the original (plain text) LTPA password is encrypted accordingly (using the appropriate default/custom key) and set in server config (using the keysPassword field of ltpa element):


Step 1: Generate LTPA key with default encryption key:

ltpa.keys was generated by the following command:

securityUtility createLTPAKeys --file=ltpa.keys --password=mypassword --passwordEncoding=aes

Step 2: Add LTPA server config:

<?xml version="1.0" encoding="UTF-8"?>
<server>
    <ltpa keysFileName="${server.config.dir}/managedLTPA/ltpa.keys" keysPassword="{aes}AN4QZlt4JCdRVhzoOphGMnTETt9gYZSqax3RSnUVHH/FcydnjHmIwvXJyiYKMc900g==" />
</server>

Step 3: Server log showed that the LTPA was processed successfully:

[8/29/24, 17:05:39:066 UTC] 0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask    I CWWKS4105I: LTPA configuration is ready after 0.162 seconds.

Step 4: Added wlp.password.encryption.key with the same ltpa server config and restarted the pod:

<?xml version="1.0" encoding="UTF-8"?>
<server>
    <variable name="wlp.password.encryption.key" value="randomkey" />
</server>

Step 5: As expected, the server threw an error (due to the mismatched password):

[8/29/24, 17:06:54:614 UTC] 00000039 com.ibm.websphere.crypto.PasswordUtil                        E CWWKS1856E: The password was not processed because an unknown password algorithm exception was reported.
com.ibm.websphere.crypto.UnsupportedCryptoAlgorithmException
...
...
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
...
...
[8/29/24, 17:06:54:666 UTC] 00000039 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "java.lang.NullPointerException com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask 123" at ffdc_24.08.29_17.06.54.0.log
[8/29/24, 17:06:54:671 UTC] 00000039 com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask    E CWWKS4106E: LTPA configuration error. Unable to create or read LTPA key file: /opt/ol/wlp/usr/servers/defaultServer/managedLTPA/ltpa.keys

Step 6: Encode LTPA password with the custom password encryption key:

sh-4.4$ securityUtility encode --encoding=aes --key=randomkey mypassword
{aes}ANH8n3T0silDbCmfXvzrB2ZPOpR5PHfhlYPVyGtBFsjebKzM4r87BMHtb9owv8nyGw==

Step 7: Update server config to use the newly encrypted LTPA password.

The ltpa.keys is still the same one from step 1.

<?xml version="1.0" encoding="UTF-8"?>
<server>
    <ltpa keysFileName="${server.config.dir}/managedLTPA/ltpa.keys" keysPassword="{aes}ANH8n3T0silDbCmfXvzrB2ZPOpR5PHfhlYPVyGtBFsjebKzM4r87BMHtb9owv8nyGw==" />
</server>

Step 8: Restart the pod. The error is no longer reported; LTPA was processed successfully:

[8/29/24, 17:09:05:962 UTC] 0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask    I CWWKS4105I: LTPA configuration is ready after 0.137 seconds.
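
As an added illustration (not Liberty's code, not the issue author's, and not Liberty's real AES password encoding), the following Python models the two layers the eight steps above exercise: the plain-text LTPA password protects the material in ltpa.keys, and the password encryption key (the default one, or wlp.password.encryption.key) protects that password inside the keysPassword value. The `{toy}` prefix, the `DEFAULT_ENCRYPTION_KEY` placeholder and the HMAC-authenticated keystream cipher are constructed for this model; a failed authentication tag stands in for the BadPaddingException from step 5.

```python
import base64
import hashlib
import hmac
import os

# Constructed model (not Liberty's format) of the two layers of protection:
#   layer 1: the plain-text LTPA password seals the secret material in ltpa.keys
#   layer 2: the password encryption key (default, or wlp.password.encryption.key)
#            seals that plain-text password into the keysPassword value in server.xml
# Placeholder standing in for whatever Liberty uses when no custom key is configured.
DEFAULT_ENCRYPTION_KEY = "default-key-placeholder"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of the requested length from key and nonce (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key_material: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. A wrong key fails the tag check,
    which plays the role of the BadPaddingException seen in step 5 of the issue."""
    key = hashlib.sha256(key_material.encode()).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key_material: str, sealed: bytes) -> bytes:
    """Verify the tag under the given key, then decrypt; raise on a key mismatch."""
    key = hashlib.sha256(key_material.encode()).digest()
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key: cannot decrypt")  # analogue of BadPaddingException
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encode_password(plain_password: str, encryption_key: str = DEFAULT_ENCRYPTION_KEY) -> str:
    """Model of `securityUtility encode --encoding=aes [--key=...]`: the keysPassword value."""
    return "{toy}" + base64.b64encode(_seal(encryption_key, plain_password.encode())).decode()


def decode_password(encoded: str, encryption_key: str = DEFAULT_ENCRYPTION_KEY) -> str:
    """Undo layer 2: recover the plain-text LTPA password from a keysPassword value."""
    if not encoded.startswith("{toy}"):
        raise ValueError("unexpected encoding prefix")
    return _open(encryption_key, base64.b64decode(encoded[len("{toy}"):])).decode()


def create_ltpa_keys(plain_password: str) -> bytes:
    """Model of `securityUtility createLTPAKeys --password=...`: random LTPA secret
    sealed under the plain-text password. The password encryption key plays no part here."""
    return _seal(plain_password, os.urandom(32))


def load_ltpa_keys(keys_file: bytes, keys_password: str, encryption_key: str) -> bytes:
    """What the server does at startup: undo layer 2 with the encryption key,
    then undo layer 1 with the recovered plain-text password."""
    plain_password = decode_password(keys_password, encryption_key)
    return _open(plain_password, keys_file)


def demo_shared_keys_file() -> dict:
    """Replays steps 1-8 of the issue and reports which combinations succeed."""
    keys_file = create_ltpa_keys("mypassword")                                   # step 1
    default_encoded = encode_password("mypassword")                              # step 2
    secret_default = load_ltpa_keys(keys_file, default_encoded, DEFAULT_ENCRYPTION_KEY)  # step 3
    try:                                                                          # steps 4-5
        load_ltpa_keys(keys_file, default_encoded, "randomkey")
        mismatch_fails = False
    except ValueError:
        mismatch_fails = True
    custom_encoded = encode_password("mypassword", "randomkey")                  # step 6
    secret_custom = load_ltpa_keys(keys_file, custom_encoded, "randomkey")       # steps 7-8
    return {
        "mismatch_fails": mismatch_fails,            # step 5 reproduced
        "same_secret": secret_default == secret_custom,  # one ltpa.keys, two encodings
        "encoded_values_differ": default_encoded != custom_encoded,
    }


if __name__ == "__main__":
    print(demo_shared_keys_file())
```

The point the model makes concrete is that only the keysPassword string depends on the password encryption key; the keys file itself never changes, so re-running the encode step with the new key is all that is needed when a server switches from the default key to a custom one.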

@leochr
Member Author

leochr commented Aug 29, 2024

@arkarkala This is the work item related to our discussion on sharing ltpa.keys between different Liberty servers (where some use the default password encryption key while others use a custom password encryption key). I believe the above test results validate your statement: "passwordKey is used to encrypt the ltpa.password. the plain text ltpa.password is used to encrypt the keys in the ltpa.keys file"

Please review and let us know if you see any problems with this proposed approach or for any reason the ltpa.keys can not (or must not) be shared in this manner.

leochr changed the title from "Share LTPA key between app instances using default and custom encryption key" to "Share LTPA key between app instances using default and custom encryption keys" on Aug 29, 2024