Starting Egeria fails with SSL enabled #7688

Closed
dwolfson opened this issue May 23, 2023 · 9 comments
@dwolfson
Member

dwolfson commented May 23, 2023

Been trying to configure Egeria as described in the documentation to work with a key store certificate (but no trust store certificate). (I believe that the certificate contains some of the trust information in it as well.) I have tried a few ways to pass in this information - both on the Java command line:

java -Dstrict.ssl=true -Dloader.path=./server/lib -Dserver.port=9443 -Dserver.ssl.key-store=./xxxy.p12 -Dserver.ssl.key-store-password=xxx -jar ./server/server-chassis-spring-4.1-SNAPSHOT.jar

And in application.properties.

If I set strict.ssl=false, Egeria comes up normally and all is well (except the certificate isn't used). If I set strict.ssl=true then Egeria fails (I think starting web server). The error message is:

 Project Egeria - Open Metadata and Governance
    ____   __  ___ ___    ______   _____                                 ____   _         _     ___
   / __ \ /  |/  //   |  / ____/  / ___/ ___   ____ _   __ ___   ____   / _  \ / / __    / /  / _ /__   ____ _  _
  / / / // /|_/ // /| | / / __    \__ \ / _ \ / __/| | / // _ \ / __/  / /_/ // //   |  / _\ / /_ /  | /  _// || |
 / /_/ // /  / // ___ |/ /_/ /   ___/ //  __// /   | |/ //  __// /    /  __ // // /  \ / /_ /  _// / // /  / / / /
 \____//_/  /_//_/  |_|\____/   /____/ \___//_/    |___/ \___//_/    /_/    /_/ \__/\//___//_/   \__//_/  /_/ /_/

 :: Powered by Spring Boot (v3.0.6) ::

[root@ecs-egeria-project assembly]# ls
conformance-suite content-packs data DMP_metadataServer.log DMP_oldlog LICENSE NOTICE sample-data samples server star_stgaddata_gov_ae.p12 user-interface utilities
[root@ecs-egeria-project assembly]# ls data/server/DMP_metadataServer/
[root@ecs-egeria-project assembly]# more DMP_metadataServer.log
1067 [main] INFO o.o.o.s.s.OMAGServerPlatform - Starting OMAGServerPlatform using Java 17.0.7 with PID 32722 (/root/dan/egeria/open-metadata-resources/open-metadata-deployment/docker/egeria/build/assembly/server/server-chassis-spring-4.1-SNAPSHOT.jar started by root in /root/dan/egeria/open-metadata-resources/open-metadata-deployment/docker/egeria/build/assembly)
1069 [main] INFO o.o.o.s.s.OMAGServerPlatform - No active profile set, falling back to 1 default profile: "default"
4420 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 9443 (https)
5788 [main] ERROR o.s.boot.SpringApplication - Application run failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getInitialize' defined in org.odpi.openmetadata.serverchassis.springboot.OMAGServerPlatform: null
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1770)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:598)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:520)
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:326)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:324)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:973)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:917)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:584)
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:732)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:434)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:310)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1304)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1293)
at org.odpi.openmetadata.serverchassis.springboot.OMAGServerPlatform.main(OMAGServerPlatform.java:96)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:467)
Caused by: java.lang.NullPointerException: null
at java.base/java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011)
at java.base/java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006)
at java.base/java.util.Properties.put(Properties.java:1301)
at java.base/java.util.Properties.setProperty(Properties.java:229)
at java.base/java.lang.System.setProperty(System.java:999)
at org.odpi.openmetadata.serverchassis.springboot.OMAGServerPlatform.lambda$getInitialize$0(OMAGServerPlatform.java:110)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1816)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1766)
... 24 common frames omitted

Has anyone seen this behavior and worked through a similar issue? I'm sure I must be missing something silly?

@planetf1
Member

The server.ssl parameters above are spring https settings.

So in our case, this is the egeria server chassis application, in its context as a network server, i.e. accepting inbound ssl connections. These will be the typical REST API calls we make against the egeria platform and egeria server.

A keystore is a store of private keys/identity certificates that are SENT. So in the case above, it will include the certificate that the egeria network server (i.e. platform process == tomcat) SENDS to its clients.

A truststore is where certificates of servers we trust, or more likely certificates of certificate authorities we trust, are stored. Technically the same kind of store, it's just the usage varies. If not specified, a java application will use the default, which is usually $JAVA_HOME/lib/security/cacerts. I think spring follows this too.

@planetf1
Member

strict.ssl is specific to egeria and used by the 'org.odpi.egeria:http-helper' module which is included in our chassis & clients.

In the chassis it is accessed via a spring property (which in itself can be sourced from many places including java properties or environment), and it is also used in our client applications, where it must be set as a java property (as there is no spring server).

If set to false, we override the default certificate checker (TrustManager) (which checks certificates are valid) with a no-op one which just validates anything as ok....

At least that's all how it should work!

@planetf1
Member

planetf1 commented May 24, 2023

In your example - and skipping strict.ssl for now -- you are setting up the egeria chassis to use ./xxxy.p12 as the location where it finds a certificate to send when a client connects. There's more. The default application.properties for the server chassis sets server.ssl.keyAlias=egeriaserverchassis. So this is the alias of the key it looks for in ./xxxy.p12. Do you have one? If not --override - which you have done with password.

This also applies to other parameters set in the application.properties -- for example we DO configure the truststore -- so even if you don't set one, it won't be using the java default, it will be using OUR default.

Specifically on your invocation that fails -- that stacktrace does look like a problem setting properties -- odd, and it's occurring in the spring launcher -- so this is likely nothing to do with how we use that parameter. Is this a regular build of egeria, or modified? I'm wondering if there are any version inconsistencies.

I had expected you might get an exception on finding a cert to use, given the default alias -- or you might see some SSL errors, if for example using mutual TLS, but not a property issue.

Will try...

@planetf1
Member

I was able to specify those parameters ok, and noted in the log output

2023-05-24T09:01:15.500+01:00  WARN 76865 --- [           main] o.o.o.s.springboot.OMAGServerPlatform    : strict.ssl is set to false! Invalid certificates will be accepted for connection!

as expected.

ie

➜  egeria-4.1-SNAPSHOT-distribution.tar.gz git:(issue7576) java -Dstrict.ssl=false -Dloader.path=./server/lib -Dserver.port=9443 -Dserver.ssl.key-store=./xxxy.p12 -Dserver.ssl.key-store-password=egeria -jar ./server/server-chassis-spring-4.1-SNAPSHOT.jar
 Project Egeria - Open Metadata and Governance
    ____   __  ___ ___    ______   _____                                 ____   _         _     ___
   / __ \ /  |/  //   |  / ____/  / ___/ ___   ____ _   __ ___   ____   / _  \ / / __    / /  / _ /__   ____ _  _
  / / / // /|_/ // /| | / / __    \__ \ / _ \ / __/| | / // _ \ / __/  / /_/ // //   |  / _\ / /_ /  | /  _// || |
 / /_/ // /  / // ___ |/ /_/ /   ___/ //  __// /   | |/ //  __// /    /  __ // // /  \ / /_ /  _// / // /  / / / /
 \____//_/  /_//_/  |_|\____/   /____/ \___//_/    |___/ \___//_/    /_/    /_/ \__/\//___//_/   \__//_/  /_/ /_/

 :: Powered by Spring Boot (v3.0.6) ::

2023-05-24T09:02:25.115+01:00  INFO 78343 --- [           main] o.o.o.s.springboot.OMAGServerPlatform    : Starting OMAGServerPlatform using Java 17.0.7 with PID 78343 (/Users/jonesn/IdeaProjects/egeria/open-metadata-distribution/open-metadata-assemblies/build/unpacked/egeria-4.1-SNAPSHOT-distribution.tar.gz/server/server-chassis-spring-4.1-SNAPSHOT.jar started by jonesn in /Users/jonesn/IdeaProjects/egeria/open-metadata-distribution/open-metadata-assemblies/build/unpacked/egeria-4.1-SNAPSHOT-distribution.tar.gz)
2023-05-24T09:02:25.117+01:00  INFO 78343 --- [           main] o.o.o.s.springboot.OMAGServerPlatform    : No active profile set, falling back to 1 default profile: "default"
2023-05-24T09:02:27.230+01:00  INFO 78343 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 9443 (https)
2023-05-24T09:02:28.020+01:00  WARN 78343 --- [           main] o.o.o.s.springboot.OMAGServerPlatform    : strict.ssl is set to false! Invalid certificates will be accepted for connection!
2023-05-24T09:02:29.334+01:00  INFO 78343 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 9443 (https) with context path ''
2023-05-24T09:02:29.346+01:00  INFO 78343 --- [           main] o.o.o.s.springboot.OMAGServerPlatform    : Started OMAGServerPlatform in 4.641 seconds (process running for 5.061)
Wed May 24 09:02:29 BST 2023 No OMAG servers listed in startup configuration
Wed May 24 09:02:29 BST 2023 OMAG server platform ready for more configuration

@planetf1
Member

planetf1 commented May 24, 2023

My conclusion is a build issue as

at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:467)
Caused by: java.lang.NullPointerException: null
at java.base/java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011)

in your log is odd.

I also tried various invalid (for a boolean) values, but in each case the stack trace contained a specific mention around type conversion etc.

If you have customized the build, can you repeat completely clean?

Or maybe I've missed something else...

@dwolfson
Member Author

@planetf1 Thanks Nigel, the only thing I customized in the build is to change some of the SSL parameters in application.properties.

@planetf1
Member

planetf1 commented May 24, 2023

Do you get the same results with a completely untouched build, ONLY specifying parameters on invocation?

@planetf1
Member

We went back to CLI and were able to launch the app.

However in some local experimentation (cloud native) I tried commenting out the trust store definition, hoping this would then default to using system certs.

So in application properties:

#server.ssl.trust-store=truststore.p12
#server.ssl.trust-store-password=egeria

When I did this I hit the same exception, including:

➜  libs git:(main) ✗ java -jar ./healthcheck.jar
 Project Egeria - Open Metadata and Governance
    ____   __  ___ ___    ______   _____                                 ____   _         _     ___
   / __ \ /  |/  //   |  / ____/  / ___/ ___   ____ _   __ ___   ____   / _  \ / / __    / /  / _ /__   ____ _  _
  / / / // /|_/ // /| | / / __    \__ \ / _ \ / __/| | / // _ \ / __/  / /_/ // //   |  / _\ / /_ /  | /  _// || |
 / /_/ // /  / // ___ |/ /_/ /   ___/ //  __// /   | |/ //  __// /    /  __ // // /  \ / /_ /  _// / // /  / / / /
 \____//_/  /_//_/  |_|\____/   /____/ \___//_/    |___/ \___//_/    /_/    /_/ \__/\//___//_/   \__//_/  /_/ /_/

 - - - > > > MODIFIED to include additional healthcheck support < < < - - -

 :: Powered by Spring Boot (v3.0.6) ::


2023-05-24T13:16:40.930+01:00  INFO 22639 --- [           main] o.o.o.s.springboot.OMAGServerPlatform    : Starting OMAGServerPlatform using Java 17.0.7 with PID 22639 (/Users/jonesn/IdeaProjects/egeria-cloudnative/healthcheck/build/libs/healthcheck.jar started by jonesn in /Users/jonesn/IdeaProjects/egeria-cloudnative/healthcheck/build/libs)
2023-05-24T13:16:40.932+01:00  INFO 22639 --- [           main] o.o.o.s.springboot.OMAGServerPlatform    : No active profile set, falling back to 1 default profile: "default"
2023-05-24T13:16:42.615+01:00  INFO 22639 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 9443 (https)
2023-05-24T13:16:43.327+01:00 ERROR 22639 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'getInitialize' defined in org.odpi.openmetadata.serverchassis.springboot.OMAGServerPlatform: null
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1770) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:598) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:520) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:326) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:324) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:973) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:917) ~[spring-context-6.0.8.jar!/:6.0.8]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:584) ~[spring-context-6.0.8.jar!/:6.0.8]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.6.jar!/:3.0.6]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:732) ~[spring-boot-3.0.6.jar!/:3.0.6]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:434) ~[spring-boot-3.0.6.jar!/:3.0.6]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:310) ~[spring-boot-3.0.6.jar!/:3.0.6]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1304) ~[spring-boot-3.0.6.jar!/:3.0.6]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1293) ~[spring-boot-3.0.6.jar!/:3.0.6]
        at org.odpi.openmetadata.serverchassis.springboot.OMAGServerPlatform.main(OMAGServerPlatform.java:96) ~[server-chassis-spring-4.1-SNAPSHOT-plain.jar!/:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~[healthcheck.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:95) ~[healthcheck.jar:na]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) ~[healthcheck.jar:na]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65) ~[healthcheck.jar:na]
Caused by: java.lang.NullPointerException: null
        at java.base/java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011) ~[na:na]
        at java.base/java.util.concurrent.ConcurrentHashMap.put(ConcurrentHashMap.java:1006) ~[na:na]
        at java.base/java.util.Properties.put(Properties.java:1301) ~[na:na]
        at java.base/java.util.Properties.setProperty(Properties.java:229) ~[na:na]
        at java.base/java.lang.System.setProperty(System.java:999) ~[na:na]
        at org.odpi.openmetadata.serverchassis.springboot.OMAGServerPlatform.lambda$getInitialize$0(OMAGServerPlatform.java:110) ~[server-chassis-spring-4.1-SNAPSHOT-plain.jar!/:na]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1816) ~[spring-beans-6.0.8.jar!/:6.0.8]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1766) ~[spring-beans-6.0.8.jar!/:6.0.8]
        ... 24 common frames omitted

➜  libs git:(main) ✗ 
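
An added example (not part of the issue thread and not Egeria's own code) of the failure both stack traces end in: `System.setProperty` throws `NullPointerException` when it is handed a null value. It assumes the chassis copies `server.ssl.trust-store` into the JSSE system property `javax.net.ssl.trustStore` at startup, which the thread does not confirm; the class name, method names and sample key store path are hypothetical.

```java
import java.util.Properties;

public class TrustStorePropertyGuard {

    // Real JSSE system property names; when unset, the JVM uses its default CA store.
    static final String TRUST_STORE = "javax.net.ssl.trustStore";
    static final String TRUST_STORE_PASSWORD = "javax.net.ssl.trustStorePassword";

    /** Unguarded copy: throws NullPointerException when the setting is absent. */
    static void copyUnguarded(Properties appConfig) {
        // getProperty returns null for a missing key; setProperty rejects null values.
        System.setProperty(TRUST_STORE, appConfig.getProperty("server.ssl.trust-store"));
    }

    /**
     * Guarded copy: sets the JVM properties only when a trust store is configured.
     * Returns true if a custom trust store was applied, false if the JVM default stays in use.
     */
    static boolean copyGuarded(Properties appConfig) {
        String store = appConfig.getProperty("server.ssl.trust-store");
        String password = appConfig.getProperty("server.ssl.trust-store-password");
        if (store == null || store.isBlank()) {
            // Nothing configured: leave certificate validation on, using the default CAs.
            return false;
        }
        System.setProperty(TRUST_STORE, store);
        if (password != null) {
            System.setProperty(TRUST_STORE_PASSWORD, password);
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed configuration: key store set, both trust-store lines commented out,
        // mirroring the reproduction described in the comment above.
        Properties appConfig = new Properties();
        appConfig.setProperty("server.ssl.key-store", "./keystore.p12");

        try {
            copyUnguarded(appConfig);
        } catch (NullPointerException e) {
            System.out.println("unguarded copy failed: " + e);
        }

        boolean custom = copyGuarded(appConfig);
        System.out.println("custom trust store applied: " + custom);
        System.out.println(TRUST_STORE + " = " + System.getProperty(TRUST_STORE));
    }
}
```

The guarded path keeps strict certificate checking available without a project-specific trust store, so an operator is not pushed toward `strict.ssl=false` just to get the platform to start.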

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the no-issue-activity Issues automatically marked as stale because they have not had recent activity. label Jul 24, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 14, 2023