
Our service runs in a Kubernetes cluster. I am trying to secure the service with SSL.

To do this, I added the following to application.properties:

    security.require-ssl=true
    server.ssl.key-store-type=JKS
    server.ssl.key-store=serviceCertificates.jks
    server.ssl.key-store-password=${KEYSTORE_PASSWORD}
    server.ssl.key-alias=certificate

I want the keystore password to be taken from a Kubernetes secret defined in the cluster.
When the service starts, I get the error Password verification failed:

    org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8080]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225)
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviousRemovedConnectors(TomcatWebServer.java:256)
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:198)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:300)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:162)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:553)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:759)
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:395)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:327)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1255)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1243)
        at com.ibm.securityservices.cryptoutils.Application.main(Application.java:9)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:50)
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:51)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1020)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 21 common frames omitted
    Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1150)
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:591)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1018)
        ... 22 common frames omitted
    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:139)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        ... 27 common frames omitted
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
        ... 35 common frames omitted

My investigation:
1. If I print in code

    System.out.println("KEYSTORE_PASSWORD: "+ System.getenv("KEYSTORE_PASSWORD"));   

I see its correct value.
2. If I set a hardcoded constant password value in application.properties, it works: the service starts and runs.

So I think the problem is in setting the secret value for the application properties.
Your help and advice would be greatly appreciated.


1 Answer


I think there is a typo or a hidden character in your secret descriptor. You can exec into the pod, verify the system properties, and also try decrypting the password with a command-line tool.

answered 2018-06-17T14:28:20.933
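The "hidden character" the answer points at is most often a trailing newline: base64-encoding the password with echo instead of printf puts a "\n" byte into the Secret, System.out.println shows the value as correct because the extra newline is invisible, and JKS password verification fails on the extra byte. The following is an added example, not code from the question or the answer; the password "changeit" is a constructed sample value, and the kubectl commands in the comments assume a secret key named KEYSTORE_PASSWORD.

```shell
#!/bin/sh
# Added example: reproduce and detect a hidden trailing newline in a
# base64-encoded Kubernetes Secret value used as a keystore password.
# "changeit" is a constructed sample password, not the asker's value.
LC_ALL=C
export LC_ALL

# Common mistake: echo appends "\n", and that byte becomes part of the secret.
BAD_VALUE=$(echo "changeit" | base64)
# Correct: printf emits exactly the bytes given.
GOOD_VALUE=$(printf '%s' "changeit" | base64)

# Number of bytes in the decoded value (what the JVM sees in the env var).
secret_byte_count() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Returns 0 if the decoded value is printable ASCII only, 1 otherwise
# (catches \n, \r, \t, a UTF-8 BOM, non-ASCII bytes such as a non-breaking space).
check_secret_value() {
    hidden=$(printf '%s' "$1" | base64 -d | tr -d '[:print:]' | wc -c | tr -d ' ')
    [ "$hidden" -eq 0 ]
}

# Render the decoded bytes with escapes so a trailing "\n" becomes visible.
# Against a live cluster the same inspection is (key name assumed):
#   kubectl get secret <name> -o jsonpath='{.data.KEYSTORE_PASSWORD}' | base64 -d | od -c
#   kubectl exec <pod> -- sh -c 'printf "%s" "$KEYSTORE_PASSWORD" | od -c'
show_secret_bytes() {
    printf '%s' "$1" | base64 -d | od -An -c
}

if check_secret_value "$BAD_VALUE"; then
    echo "echo-encoded value: clean"
else
    echo "echo-encoded value: hidden characters found ($(secret_byte_count "$BAD_VALUE") bytes)"
fi
show_secret_bytes "$BAD_VALUE"

if check_secret_value "$GOOD_VALUE"; then
    echo "printf-encoded value: clean ($(secret_byte_count "$GOOD_VALUE") bytes)"
else
    echo "printf-encoded value: hidden characters found"
fi
```

The od -c output makes the difference explicit: the echo-encoded value ends in "\n" while the printf-encoded one ends in "t".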