[ 
https://issues.apache.org/jira/browse/RANGER-2112?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-2112:
-----------------------------------------
    Fix Version/s: 2.0.0

> Ranger KMS broken with JDK 8 update 171
> ---------------------------------------
>
>                 Key: RANGER-2112
>                 URL: https://issues.apache.org/jira/browse/RANGER-2112
>             Project: Ranger
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 0.7.0
>            Reporter: Hernan Fernandez
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 2.0.0
>
>
> After update to JDK 8 update 171 Ranger KMS UI
> 1) Ranger KMS UI > Encryption: will show the key list as the following.
> keyname (empty)
> Cipher (empty)
> Version 0
> Attributes (empty)
> Create (empty)
>
> 2) hadoop key -list -metadata
> Listing keys for KeyProvider: 
> org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@7d322cad
> testkey1 : null 
>  
>  *ROOT CAUSE*
>  This may be related to
> {code:java}
> New Features 
> security-libs/javax.crypto  
> Enhanced KeyStore Mechanisms
> A new security property named jceks.key.serialFilter has been introduced. If 
> this filter is configured, the JCEKS KeyStore uses it during the 
> deserialization of the encrypted Key object stored inside a SecretKeyEntry. 
> If it is not configured or if the filter result is UNDECIDED (for example, 
> none of the patterns match), then the filter configured by jdk.serialFilter 
> is consulted. If the system property jceks.key.serialFilter is also supplied, 
> it supersedes the security property value defined here. The filter pattern 
> uses the same format as jdk.serialFilter. The default pattern allows 
> java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type, and 
> javax.crypto.spec.SecretKeySpec but rejects all the others. Customers storing 
> a SecretKey that does not serialize to the above types must modify the filter 
> to make the key extractable.
> {code}
> http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
>  b) second option this is related to 3DES disabled on java.security (to be 
> tested)
>  



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
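
Added example, not part of the JIRA issue or the Ranger code base: the filter pattern from the quoted release note, evaluated with the JDK's serialization-filter API to show why a key class outside the four default types is rejected and how naming it ahead of `!*` admits it. `CustomKey` is a hypothetical class, the pattern string is written out from the note's description, and `java.io.ObjectInputFilter` assumes Java 9 or later.

```java
import java.io.ObjectInputFilter; // Java 9+; JDK 8 updates carry the backport as sun.misc.ObjectInputFilter
import java.io.Serializable;
import javax.crypto.spec.SecretKeySpec;

public class JceksFilterDemo {
    // Hypothetical stand-in for a key class that is not among the default allowed types.
    static final class CustomKey implements Serializable {}

    // Pattern built from the release note's description (assumption):
    // four allowed types, then "!*" to reject everything else.
    static final String DEFAULT_PATTERN =
          "java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;"
        + "javax.crypto.spec.SecretKeySpec;!*";

    // Minimal FilterInfo that carries only the class being deserialized.
    static ObjectInputFilter.FilterInfo info(Class<?> c) {
        return new ObjectInputFilter.FilterInfo() {
            public Class<?> serialClass() { return c; }
            public long arrayLength() { return -1; } // not an array
            public long depth() { return 1; }
            public long references() { return 1; }
            public long streamBytes() { return 0; }
        };
    }

    // Status the given pattern assigns to one class: ALLOWED, REJECTED or UNDECIDED.
    static ObjectInputFilter.Status check(String pattern, Class<?> c) {
        return ObjectInputFilter.Config.createFilter(pattern).checkInput(info(c));
    }

    public static void main(String[] args) {
        // Patterns are matched left to right, so the extra class must come before "!*".
        String widened = CustomKey.class.getName() + ";" + DEFAULT_PATTERN;

        System.out.println("default, SecretKeySpec: " + check(DEFAULT_PATTERN, SecretKeySpec.class));
        System.out.println("default, CustomKey:     " + check(DEFAULT_PATTERN, CustomKey.class));
        System.out.println("widened, CustomKey:     " + check(widened, CustomKey.class));
    }
}
```

The widened value is the kind of string that would be supplied through the `jceks.key.serialFilter` security or system property; keeping the trailing `!*` preserves the deny-by-default behaviour for every other class.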
