I am trying to store encrypted passwords in yml files for the ssl keystore & truststore using jasypt. I noticed a very strange behavior with Spring Cloud Stream: encrypted passwords work fine for the Kafka Streams binding but fail for the Apache Kafka binding. I checked with plain passwords and it connects. Below is my config:
```yaml
########## Kafka Streams binder configs ##########
spring.cloud.stream.kafka.streams:
  binder:
    brokers: <brokers>
    configuration:
      security.protocol: SSL
      ssl.endpoint.identification.algorithm:
      ssl.truststore.location: pathToFile/<filename>.jks
      ssl.truststore.password: ENC(lzqSndFB9fy2R+blpqOW2X8BNgZJZX/8)  # working
      ssl.truststore.type: jks
      ssl.keystore.location: pathToFile/<filename>.p12
      ssl.keystore.password: ENC(Sf2xm5Tks2Dok2oPg4mHYqvkkryglhCj)  # working
      ssl.keystore.type: pkcs12

########## Apache Kafka binder configs ##########
spring.cloud.stream.kafka:
  binder:
    brokers: <brokers>
    configuration:
      security.protocol: SSL
      ssl.endpoint.identification.algorithm:
      ssl.truststore.location: pathToFile/<filename>.jks
      ssl.truststore.password: ENC(lzqSndFB9fy2R+blpqOW2X8BNgZJZX/8)  # failing, works with plain password
      ssl.truststore.type: jks
      ssl.keystore.location: pathToFile/<filename>.p12
      ssl.keystore.password: ENC(Sf2xm5Tks2Dok2oPg4mHYqvkkryglhCj)  # failing, works with plain password
      ssl.keystore.type: pkcs12
```
Below is the error:

```text
ERROR 16780 --- [ main] o.s.cloud.stream.binding.BindingService : Failed to create producer binding; retrying in 30 seconds
org.springframework.cloud.stream.binder.BinderException: Exception thrown while building outbound endpoint
Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.KafkaException: Failed to load SSL keystore <keystorefile>.p12 of type pkcs12
	at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSSLContext(SslEngineBuilder.java:160) ~[kafka-clients-2.3.1.jar:na]
	at org.apache.kafka.common.security.ssl.SslEngineBuilder.<init>(SslEngineBuilder.java:102) ~[kafka-clients-2.3.1.jar:na]
	at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:93) ~[kafka-clients-2.3.1.jar:na]
	at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:71) ~[kafka-clients-2.3.1.jar:na]
	... 33 common frames omitted
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL keystore <keystorefile>.p12 of type pkcs12
	at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:289) ~[kafka-clients-2.3.1.jar:na]
	at org.apache.kafka.common.security.ssl.SslEngineBuilder.createSSLContext(SslEngineBuilder.java:142) ~[kafka-clients-2.3.1.jar:na]
	... 36 common frames omitted
Caused by: java.io.IOException: keystore password was incorrect
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2068) ~[na:1.8.0_271]
	at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_271]
	at org.apache.kafka.common.security.ssl.SslEngineBuilder$SecurityStore.load(SslEngineBuilder.java:286) ~[kafka-clients-2.3.1.jar:na]
	... 37 common frames omitted
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
	... 40 common frames omitted
```
Spring Boot version 2.2.5.RELEASE; excerpt from pom.xml:

```xml
<spring-cloud.version>Hoxton.SR5</spring-cloud.version>

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-stream-binder-kafka-streams</artifactId>
</dependency>
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.3</version>
</dependency>
```
Could someone help please?
question from: https://stackoverflow.com/questions/65829183/jasypt-is-not-working-with-spring-cloud-stream
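The stack trace above only says that the PKCS12 store rejected whatever password the Kafka client was handed; it does not say whether that value was the decrypted password or still the literal `ENC(...)` token (jasypt-spring-boot's default prefix/suffix, configurable via `jasypt.encryptor.property.prefix` / `jasypt.encryptor.property.suffix`). The following is an added diagnostic, not code from the question or from Spring Cloud Stream or jasypt: it builds a throwaway PKCS12 store in memory (constructed sample, no real keystore needed), then opens it the way the Kafka client does with a correct password, a wrong password, and an undecrypted token, reporting a verdict without ever printing the secret itself. The class name, the sample password and the verdict strings are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;

/**
 * Added diagnostic (not part of the original question): distinguishes
 * "jasypt never decrypted this property" from "the decrypted password is wrong"
 * without logging the password value.
 */
public class KeystorePasswordCheck {

    /** True when the value a binder received is still the raw jasypt placeholder. */
    static boolean looksUndecrypted(String resolvedValue) {
        return resolvedValue != null
                && resolvedValue.startsWith("ENC(")
                && resolvedValue.endsWith(")");
    }

    /** Builds an empty PKCS12 store in memory, protected by the given password (constructed sample input). */
    static byte[] buildPkcs12(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // fresh, empty store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);                   // writes the integrity MAC derived from the password
        return out.toByteArray();
    }

    /**
     * Mirrors what the Kafka client does: KeyStore.load with the password it was given.
     * Returns a short verdict; the candidate password is deliberately never included in it.
     */
    static String tryOpen(byte[] pkcs12, String candidatePassword) {
        if (candidatePassword == null) {
            return "no password value was resolved for this property";
        }
        if (looksUndecrypted(candidatePassword)) {
            return "password is still an ENC(...) token: jasypt did not decrypt this property";
        }
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(pkcs12), candidatePassword.toCharArray());
            return "keystore opened";
        } catch (IOException e) {
            // The JDK reports a wrong PKCS12 password as an IOException. Which message you get
            // depends on what fails first: the integrity check (this empty sample store) or the
            // encrypted certificate contents ("keystore password was incorrect", as in the question).
            return "keystore rejected the password: " + e.getMessage();
        } catch (Exception e) {
            return "unexpected failure: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        String realPassword = "changeit-sample";   // constructed sample value
        byte[] store = buildPkcs12(realPassword.toCharArray());

        System.out.println(tryOpen(store, realPassword));
        System.out.println(tryOpen(store, "wrong-password"));
        System.out.println(tryOpen(store, "ENC(lzqSndFB9fy2R+blpqOW2X8BNgZJZX/8)"));
        System.out.println(tryOpen(store, null));
    }
}
```

Inside the application the same check can be fed the value the binder actually sees, e.g. `environment.getProperty("spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password")` from an injected `org.springframework.core.env.Environment`, together with the bytes of the real `.p12` file. If the verdict is the `ENC(...)` one, the problem is property decryption for that binder's property source rather than the keystore or its password; if the store rejects a value that is no longer a token, the decrypted value itself does not match the store.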