
I have a ConfigServer, very basic:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;

// Turns this Boot application into a Spring Cloud Config Server
@EnableConfigServer
@SpringBootApplication
public class ConfigServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(ConfigServerApplication.class, args);
    }
}

I'm using spring-cloud-config-server:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-server</artifactId>
        </dependency>

And I expect it to work the same when deployed to Pivotal Web Services as when I run it locally.

I deployed my configs to a public server with encrypted keys:

spring:
  cloud:
    config:
      server:
        git:
          uri: https://mypublic.domain/gitbasedconfig

And in my bootstrap.yml, application.yml I have a property with the key:

encrypt:
  key: my.super.secret.symmetric.key

This all works locally:

curl http://localhost:8888/myservice/default

responds with all of my encrypted passwords decrypted properly.

When I deploy the same artifact to PWS with the following manifest.yml:

---
applications:
  - name: myservice
    memory: 384M
    disk: 384M
    buildpack: java_buildpack
    path: target/myservice.jar
env:
  ENCRYPT_KEY: my.super.secret.symmetric.key

Whether I deploy with or without the env->ENCRYPT_KEY, neither works. When I call the service, all of my encrypted keys are returned as

invalid.my.key.name: "<n/a>",

In the PWS logs I can see this:

Fri May 20 2016 13:26:21 GMT-0500 (CDT) [APP] OUT {"timeMillis":1463768781279,"thread":"http-nio-8080-exec-4","level":"WARN","loggerName":"org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor","message":"Cannot decrypt key: my.key.name (class java.lang.IllegalArgumentException: Unable to initialize due to invalid secret key)","endOfBatch":false,"loggerFqcn":"org.apache.commons.logging.impl.SLF4JLocationAwareLog","contextMap":[],"source":{"class":"org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptor","method":"decrypt","file":"CipherEnvironmentEncryptor.java","line":81}}

When I look at the http://myservice.on.pws/env I can see that there are values for encrypt.key in both application.yml and bootstrap.yml, and I can also see the environment value. These are all the same value.

Why are my encrypted values not being decrypted properly when I'm providing the symmetric key value in both the properties files and/or the environment? Is there some other property that I need to add to make this work on PWS? The non-encrypted values are working properly within the same configs, so everything is wired properly. It's just the encrypted values that are not working.

DaShaun

1 Answer


I think that Spencergibb and Vinicius Carvalho were both correct.

The Java Cryptography Extensions can't be distributed with the standard java buildpack.

The Pivotal Support site provided a possible solution which is to fork the javabuildpack and update it to include the proper permissions for JCE. Then deploy the application with the custom buildpack. One caveat is that you/I won't get the automatic updates.

https://support.run.pivotal.io/entries/76559625-How-do-I-use-the-JCE-Unlimited-Strength-policy-with-my-Java-app-

DaShaun
  • I just followed the instructions on the support site and confirmed that was the issue. I'm now running a custom java buildpack that includes the JCE. – DaShaun May 21 '16 at 04:51
  • The Java build pack now includes support for JCE Unlimited Strength Encryption: https://lists.cloudfoundry.org/archives/list/cf-dev@lists.cloudfoundry.org/thread/3U2TNEJNUBGRPIXOB3HGHX4YE3JISF3Z/ – Mike Heath May 23 '16 at 19:48
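The failure the answer describes can be checked before an artifact is pushed, in the same JVM or buildpack it will run on. The following is an added example, not code from the question, the answer, or the Spring Cloud Config project: it reads the AES key-length cap the JVM's policy files impose and then runs one encrypt/decrypt round trip through Spring Security's `Encryptors.text`, the AES-256 text encryptor that `CipherEnvironmentEncryptor` relies on, so a policy-limited JVM reproduces the "Unable to initialize due to invalid secret key" message seen in the PWS log. It assumes spring-security-crypto on the classpath; the salt value "deadbeef" is assumed to match the config server's default, and the key and plaintext are constructed sample values.

```java
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

public class JcePolicyCheck {

    // Encryptors.text(key, salt) is AES-256 (PBKDF2-derived key); a JVM whose
    // policy caps AES at 128 bits fails inside the encryptor's constructor.
    static final int REQUIRED_AES_BITS = 256;

    /** Largest AES key length the running JVM's policy permits
     *  (Integer.MAX_VALUE when the unlimited-strength policy is active). */
    static int maxAesKeyBits() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No AES provider in this JVM", e);
        }
    }

    /** True when the symmetric config-server encryptor can be built here. */
    static boolean unlimitedStrengthAvailable() {
        return maxAesKeyBits() >= REQUIRED_AES_BITS;
    }

    /** Encrypts and decrypts one value the way the config server does.
     *  Throws IllegalArgumentException("Unable to initialize due to invalid
     *  secret key") on a policy-limited JVM, the same exception the log shows. */
    static String roundTrip(String key, String salt, String plaintext) {
        TextEncryptor encryptor = Encryptors.text(key, salt);
        String cipherText = encryptor.encrypt(plaintext);
        return encryptor.decrypt(cipherText);
    }

    public static void main(String[] args) {
        System.out.println("Max AES key length permitted by policy: " + maxAesKeyBits());
        if (!unlimitedStrengthAvailable()) {
            System.out.println("JCE unlimited-strength policy is missing; "
                    + "encrypt.key based decryption will fail on this JVM");
        }
        // Constructed sample values; ENCRYPT_KEY mirrors the manifest env entry
        String key = System.getenv().getOrDefault("ENCRYPT_KEY", "my.super.secret.symmetric.key");
        String salt = "deadbeef";           // assumed to match the server default
        String plaintext = "s3cret-db-password";
        try {
            boolean ok = plaintext.equals(roundTrip(key, salt, plaintext));
            System.out.println("Round trip succeeded: " + ok);
        } catch (IllegalArgumentException e) {
            // Same failure CipherEnvironmentEncryptor logs as "Cannot decrypt key"
            System.out.println("Encryptor could not be initialised: " + e.getMessage());
        }
    }
}
```

Running this inside the target buildpack (for example via a one-off task) separates a policy problem from a wiring problem: non-encrypted properties resolving while every encrypted one comes back as `<n/a>` is exactly the signature of a JVM that can build the cipher for reading the config but not the 256-bit key for decrypting it. Note that JDK 8u161 and later ship with the unlimited-strength policy enabled by default, so on current runtimes the check is expected to pass without a custom buildpack.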