Tim,

On 11/20/18 13:36, Tim K wrote:
> On Tue, Nov 20, 2018, 12:19 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Tim,
> >
> > On 11/20/18 11:42, Tim K wrote:
> >>>>> Ignore the secure port. The code behind that setting was
> >>>>> never implemented. We really should remove it.
> >>>>>
> >>>>> You want:
> >>>>>
> >>>>> http://tomcat.apache.org/tomcat-9.0-doc/config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes
> >>>>>
> >>>>> Mark
> >>>>
> >>>> I'm having some trouble getting it working. Can you provide
> >>>> an example of the new EncryptInterceptor with an algorithm
> >>>> and key?
> >
> > Each node in the cluster needs an interceptor configured, like
> > this:
> >
> > <Interceptor
> >   className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
> >   encryptionKey="[the key]" />
> >
> > All nodes need the same key. The default algorithm
> > (AES/CBC/PKCS12Padding) is sufficient.
> >
> > To generate a key, just get some random garbage and convert it
> > into hex, like this:
> >
> >   $ dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5
> >
> > That'll give you a 128-bit key you can use for encryption. You can
> > also use a 256-bit key if you'd like, or a 192-bit key. For keys
> > larger than 128 bits (32 bytes), you'll need to use a different
> > signature algorithm such as sha1 or later.
> >
> > I just chose MD5 because it generates the right number of output
> > characters for a 128-bit key. You can get your random key from
> > anywhere, including pounding on the keyboard. Remember that the
> > key must be in hex-encoded binary (so only characters 0-9 and
> > a-f).
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
>
> I tried this between 2 nodes but it fails with this error on each:
>
>   dd if=/dev/urandom bs=128 count=1 2>/dev/null | md5sum
>   e0f2cdf931e99fdce0453964294f97f3  -
>
>   <Interceptor
>     className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>     encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>
>   20-Nov-2018 13:31:20.070 SEVERE
>   [Tribes-Task-Receiver[Catalina-Channel]-1]
>   org.apache.catalina.tribes.group.interceptors.EncryptInterceptor.messageReceived
>   Failed to decrypt message
>   javax.crypto.BadPaddingException: Given final block not properly
>   padded. Such issues can arise if a bad key is used during
>   decryption.

Both nodes have the same encryption key, right?

The key itself looks fine. For example, I dropped that key into the
unit test file and it worked as expected.

I've been working on a patch yesterday and today that uses random IVs
instead of re-using them. It really shouldn't change anything about
the config, etc. but both nodes will require the new code to re-test.
I've also expanded the unit tests to cover cipher block modes other
than CBC.

I don't actually have a cluster here for testing, though, so
everything is being done with the unit tests. I thought I had
reproduced your issue (BadPaddingException) except it turned out that
the test itself was wrong and the interceptor code was correct.

Are you able to build from source? I'm about to commit these changes
to the trunk (9.0.x), which really shouldn't change anything for you,
but it might fix some edge case that you are hitting.
-chris
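The key-generation and configuration advice above, as an added example that is not part of the thread or of the Tomcat project's own code. It generates a 128-, 192- or 256-bit key straight from /dev/urandom (no hash needed, the thread's md5 step was only a way to get 32 hex characters), checks a candidate key against the rule stated in the thread (lower-case hex only, exactly 32, 48 or 64 characters), and prints the matching <Interceptor> element. The function names gen_key, check_key and interceptor_xml are this example's own; the only assumptions are a POSIX shell with dd(1), od(1) and /dev/urandom.

```shell
#!/bin/sh
# Added example (not from the Tomcat project or the mailing-list thread).
# Assumes a POSIX shell with dd, od, tr and /dev/urandom.

# gen_key BITS -> lower-case hex string of BITS/8 random bytes.
# Only AES key sizes are accepted; anything else is rejected up front.
gen_key() {
    bits=$1
    case "$bits" in
        128|192|256) ;;
        *) echo "gen_key: AES key must be 128, 192 or 256 bits, got '$bits'" >&2; return 1 ;;
    esac
    # dd + od instead of md5/md5sum: no hashing step, just raw random bytes in hex.
    dd if=/dev/urandom bs=1 count="$((bits / 8))" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# check_key HEX -> exit status 0 if HEX is a key the thread's rules accept:
# only 0-9 and a-f, and 32/48/64 hex characters (128/192/256 bits).
# A key that fails here on one node is the first thing to rule out when the
# receiver logs "BadPaddingException: Given final block not properly padded".
check_key() {
    key=$1
    case "$key" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    case "${#key}" in
        32|48|64) return 0 ;;
        *) return 1 ;;
    esac
}

# interceptor_xml HEX -> the <Interceptor> element to put in the <Channel> of
# every node; refuses to emit config for a key that would not decrypt.
interceptor_xml() {
    check_key "$1" || { echo "interceptor_xml: refusing to emit config for an invalid key" >&2; return 1; }
    printf '<Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"\n'
    printf '             encryptionKey="%s" />\n' "$1"
}

# Usage: generate one key and paste the same element into every node's server.xml.
key=$(gen_key 128)
interceptor_xml "$key"
```

The same hex string must be copied to every node; a typo on one node does not fail at startup, it surfaces only as the receive-side decryption error quoted in the thread, so validate the pasted value with check_key on each host rather than trusting the copy.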