
Help: keystore password can't be set #66

Open
shemgp opened this issue Jun 27, 2019 · 5 comments

Comments

@shemgp

shemgp commented Jun 27, 2019

Followed the instructions in the README.md, including adding -e JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=changeme, and it still says:

Exception in thread "main" java.io.IOException: keystore password was incorrect

Here's what I do:

/opt/shibboleth# openssl pkcs12 -in shibboleth-idp/credentials/idp-browser.p12 -nodes -out temp.pem
Enter Import Password: changeme
/opt/shibboleth# ls
Dockerfile  ext-conf  logs  shibboleth-idp  temp.pem
/opt/shibboleth# docker build --tag="aiias/shibboleth-idp:3.4.3" .
Sending build context to Docker daemon  240.6kB
Step 1/3 : FROM unicon/shibboleth-idp
 ---> 83a5c2df0c20
Step 2/3 : MAINTAINER shemgp@aiias.edu
 ---> Using cache
 ---> 39e2dda21601
Step 3/3 : ADD shibboleth-idp/ /opt/shibboleth-idp/
 ---> Using cache
 ---> 63d1536f4574
Successfully built 63d1536f4574
Successfully tagged aiias/shibboleth-idp:3.4.3
/opt/shibboleth# docker run -d --name="shib-local-test" -p 8443:8443 -v ext-conf:/opt/shibboleth-idp/ext-conf -v logs:/opt/shibboleth-idp/logs -e JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=changeme aiias/shibboleth-idp:3.4.3
@tmotley-slack

tmotley-slack commented Jul 11, 2019

I ran into this same problem following somewhat similar steps, and whilst I don't have a complete answer yet, let me explain what I think is happening. First of all, this Exception is thrown because Jetty is trying to access your keystore at this location: /shibboleth-idp/credentials/idp-browser.p12 . However, this file is not actually a Java keystore, it's just a .p12 file! So there seems to be a missing step in the instructions in how to ensure this p12 file is loaded into Jetty's keystore, and then having Jetty's SSL config pointed at that keystore.

If we look at the SSL config for the Keystore variable on the running container, we see the base Jetty setting, and the actual setting which this image uses:

Base Setting before Customization
/opt/jetty-distribution-9.3.27.v20190418/demo-base/start.d/ssl.ini:# jetty.sslContext.keyStorePath=etc/keystore

Post Customization Setting
/opt/shib-jetty-base/start.d/ssl.ini:jetty.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-browser.p12

As I find out more and come up with a fix, I will update this thread.

@tmotley-slack

Actually, my notes above are incorrect - Jetty can handle p12 files as Trust-stores, and the image config is correctly setup to do that, so please ignore above!

On further testing in the container, I see that the correct password is being sent to the keystore at runtime via JETTY_ARGS, and that also this same password can be used on the command line to access the same p12 file. There seems to be some problem with the SSLContext class code using the password; perhaps it is getting mangled or lost somehow...will continue to investigate...

@c-grosz

c-grosz commented Aug 29, 2019

I'm exploring SAML and wanted to use this Docker image to get started. I ran into the same problem. I tried creating the keystore with different tools (Java keygen, OpenSSL (win/linux)). If this image won't start successfully, is it in fact useless? Are there any ongoing investigations or plans to fix the issue?

@nielsen-at-cgt

When running the container, use
-e JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=my_actual_password
and
-e JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=my_actual_password

Be careful to use the exact same password you used when you created the idp-browser.p12 file.

@bhurlow

bhurlow commented Apr 20, 2020

Make sure you've done this step, and that the passwords match:

To create a sample keystore, use:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl x509 -text -noout -in certificate.pem
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out idp-browser.p12

Move the idp-browser.p12 file into the credentials directory.
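The advice in the last two comments comes down to one thing: the value passed in JETTY_BROWSER_SSL_KEYSTORE_PASSWORD (and JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD) must be the export password of idp-browser.p12. The following preflight check, added here as an example and not part of the unicon/shibboleth-idp image, loads the .p12 with the JDK's own PKCS12 KeyStore, the same code path Jetty's SslContextFactory goes through, so a mismatch reproduces the "keystore password was incorrect" failure before the container is started. Path and password are taken from the command line; the class name and its output strings are my own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/** Constructed preflight check; not part of the unicon/shibboleth-idp image. */
public class P12PasswordCheck {

    /** Returns true if the PKCS#12 file opens with this password and every
     *  private-key entry in it is recoverable with the same password
     *  (openssl pkcs12 -export protects both with one password). */
    public static boolean opensWith(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        } catch (IOException e) {
            // The JDK reports a wrong password as an IOException whose cause is
            // an UnrecoverableKeyException, e.g. "keystore password was incorrect".
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return false;
            }
            throw e; // unreadable file, not a PKCS#12 container, etc.
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                try {
                    ks.getKey(alias, password);
                } catch (UnrecoverableKeyException e) {
                    return false; // key entry protected with a different password
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java P12PasswordCheck <idp-browser.p12> <password>");
            System.exit(2);
        }
        boolean ok = opensWith(args[0], args[1].toCharArray());
        System.out.println(ok ? "password accepted" : "password rejected");
        System.exit(ok ? 0 : 1);
    }
}
```

With Java 11 or later this runs directly from source, for example java P12PasswordCheck.java shibboleth-idp/credentials/idp-browser.p12 changeme, so it can be run on the host before docker run or via docker exec inside the container against /opt/shibboleth-idp/credentials/idp-browser.p12.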
