On Tue, Nov 20, 2018, 12:19 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Tim,
>
> On 11/20/18 11:42, Tim K wrote:
> >>
> >> Ignore the secure port. The code behind that setting was never
> >> implemented. We really should remove it.
> >>
> >> You want:
> >>
> >> http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes
> >>
> >> Mark
> >
> > I'm having some trouble getting it working. Can you provide an
> > example of the new EncryptInterceptor with an algorithm and key?
>
> Each node in the cluster needs an interceptor configured, like this:
>
> <Interceptor
>   className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>   encryptionKey="[the key]" />
>
> All nodes need the same key. The default algorithm
> (AES/CBC/PKCS12Padding) is sufficient.
>
> To generate a key, just get some random garbage and convert it into
> hex, like this:
>
> $ dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5
>
> That'll give you a 128-bit key you can use for encryption. You can
> also use a 256-bit key if you'd like, or a 192-bit key. For keys
> larger than 128 bits (32 bytes), you'll need to use a different
> signature algorithm such as sha1 or later.
>
> I just chose MD5 because it generates the right number of output
> characters for a 128-bit key. You can get your random key from
> anywhere, including pounding on the keyboard. Remember that the key
> must be in hex-encoded binary (so only characters 0-9 and a-f).
>
> -chris

I tried this between 2 nodes but it fails with this error on each:

dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5sum
e0f2cdf931e99fdce0453964294f97f3 -

<Interceptor
  className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
  encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />

20-Nov-2018 13:31:20.070 SEVERE [Tribes-Task-Receiver[Catalina-Channel]-1] org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived Failed to decrypt message
javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:991)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
    at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
    at javax.crypto.Cipher.doFinal(Cipher.java:2164)
    at org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.decrypt(EncryptInterceptor.java:369)
    at org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived(EncryptInterceptor.java:114)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:91)
    at org.apache.catalina.tribes.group.interceptors.StaticMembershipInterceptor.messageReceived(StaticMembershipInterceptor.java:96)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:91)
    at org.apache.catalina.tribes.group.ChannelCoordinator.messageReceived(ChannelCoordinator.java:274)
    at org.apache.catalina.tribes.transport.ReceiverBase.messageDataReceived(ReceiverBase.java:261)
    at org.apache.catalina.tribes.transport.nio.NioReplicationTask.drainChannel(NioReplicationTask.java:213)
    at org.apache.catalina.tribes.transport.nio.NioReplicationTask.run(NioReplicationTask.java:101)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
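
The key handling discussed in this thread, as an added example that is not part of the original messages and not Tomcat's own code: it reads key bytes directly from /dev/urandom as hex, checks that a key is hex of 128, 192 or 256 bits, and compares the `encryptionKey` attribute found in two nodes' configuration files. The function names and file arguments are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): key checks for EncryptInterceptor nodes.
# Function names and file arguments are assumptions made for this sketch.

# gen_key BITS: print a BITS-bit key as lowercase hex, read from /dev/urandom.
gen_key() {
    case "$1" in
        128|192|256) ;;
        *) echo "key size must be 128, 192 or 256 bits" >&2; return 2 ;;
    esac
    od -An -v -tx1 -N "$(( $1 / 8 ))" /dev/urandom | tr -dc '0-9a-f'
}

# check_key KEY: succeed only if KEY is pure hex and 32, 48 or 64 chars long.
check_key() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    case "${#1}" in
        32|48|64) return 0 ;;
        *) return 1 ;;
    esac
}

# extract_key FILE: print the encryptionKey attribute value, lowercased.
extract_key() {
    tr '\n' ' ' < "$1" |
        sed -n 's/.*encryptionKey="\([^"]*\)".*/\1/p' | tr 'A-F' 'a-f'
}

# same_key FILE_A FILE_B: succeed if both files hold the same well-formed key.
same_key() {
    key_a=$(extract_key "$1")
    key_b=$(extract_key "$2")
    check_key "$key_a" && check_key "$key_b" && [ "$key_a" = "$key_b" ]
}

# Demo: generate a 256-bit key and confirm it passes the format check.
# The key itself is not printed, only its length.
demo_key=$(gen_key 256)
check_key "$demo_key" && echo "generated key: ${#demo_key} hex characters"
```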