Unable to substitute plain text password with environment variable in node.conf
Corda: Open Source 4.3
Operating System: Ubuntu 18.04.3 LTS
I’m trying to substitute my plain text password with an environment variable with the following steps:
- Create a secret on AWS Secrets Manager with one key/value: `keyStorePassword`
- Create a file called `corda_node_config.sh` under `/etc/profile.d` to permanently persist the environment variable. Inside that file I have:
  export keyStorePassword=$(aws secretsmanager get-secret-value --region my-region --secret-id my-secret | jq --raw-output '.SecretString' | jq -r '.keyStorePassword')
- I exit my VM and log back in. I can see the value when I run `echo $keyStorePassword`
- Inside my `node.conf` I replace the plain text with the environment variable: `keyStorePassword = ${keyStorePassword}`
- Now when I start the node, I get:
  [ERROR] 21:21:14+0000 [main] internal.NodeStartupLogging. - Exception during node startup: Keystore was tampered with, or password was incorrect [errorCode=ikfywq, moreInformationAt=https://errors.corda.net/OS/4.3/ikfywq]
- I am 100% sure the environment variable is correct; when I run these, I don’t get any errors:
  keytool -list -keystore nodekeystore.jks -storepass $keyStorePassword
  keytool -list -keystore sslkeystore.jks -storepass $keyStorePassword
- If I remove the environment variable and put back the plain text value, my node starts, so the keystore hasn’t been tampered with.
Full log:
[ERROR] 2020-02-17T21:21:14,300Z [main] internal.NodeStartupLogging. - Exception during node startup: Keystore was tampered with, or password was incorrect [errorCode=ikfywq, moreInformationAt=https://errors.corda.net/OS/4.3/ikfywq]
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:782) ~[?:1.8.0_241]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[?:1.8.0_241]
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[?:1.8.0_241]
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[?:1.8.0_241]
at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_241]
at net.corda.nodeapi.internal.crypto.KeyStoreUtilities.loadOrCreateKeyStore(KeyStoreUtilities.kt:27) ~[corda-node-api-4.3.jar:?]
at net.corda.nodeapi.internal.crypto.X509KeyStore$Companion.fromFile(X509KeyStore.kt:32) ~[corda-node-api-4.3.jar:?]
at net.corda.nodeapi.internal.config.CertificateStore$Companion.fromFile(CertificateStore.kt:20) ~[corda-node-api-4.3.jar:?]
at net.corda.nodeapi.internal.config.FileBasedCertificateStoreSupplier.get(CertificateStoreSupplier.kt:22) ~[corda-node-api-4.3.jar:?]
at net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService.<init>(BCCryptoService.kt:33) ~[corda-node-api-4.3.jar:?]
at net.corda.nodeapi.internal.cryptoservice.CryptoServiceFactory$Companion.makeCryptoService(CryptoServiceFactory.kt:18) ~[corda-node-api-4.3.jar:?]
at net.corda.node.internal.AbstractNode.<init>(AbstractNode.kt:183) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.AbstractNode.<init>(AbstractNode.kt:128) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.Node.<init>(Node.kt:102) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.Node.<init>(Node.kt:101) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartup.createNode(NodeStartup.kt:195) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartup$initialiseAndRun$5.invoke(NodeStartup.kt:187) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartup$initialiseAndRun$5.invoke(NodeStartup.kt:138) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartupLogging$DefaultImpls.attempt(NodeStartup.kt:529) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartup.attempt(NodeStartup.kt:138) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartup.initialiseAndRun(NodeStartup.kt:186) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartupCli.runProgram(NodeStartup.kt:129) ~[corda-node-4.3.jar:?]
at net.corda.cliutils.CordaCliWrapper.call(CordaCliWrapper.kt:190) ~[corda-tools-cliutils-4.3.jar:?]
at net.corda.node.internal.NodeStartupCli.call(NodeStartup.kt:84) ~[corda-node-4.3.jar:?]
at net.corda.node.internal.NodeStartupCli.call(NodeStartup.kt:65) ~[corda-node-4.3.jar:?]
at picocli.CommandLine.execute(CommandLine.java:1173) ~[picocli-3.9.6.jar:3.9.6]
at picocli.CommandLine.access$800(CommandLine.java:141) ~[picocli-3.9.6.jar:3.9.6]
at picocli.CommandLine$RunLast.handle(CommandLine.java:1367) ~[picocli-3.9.6.jar:3.9.6]
at picocli.CommandLine$RunLast.handle(CommandLine.java:1335) ~[picocli-3.9.6.jar:3.9.6]
at picocli.CommandLine$AbstractParseResultHandler.handleParseResult(CommandLine.java:1243) ~[picocli-3.9.6.jar:3.9.6]
at picocli.CommandLine.parseWithHandlers(CommandLine.java:1526) ~[picocli-3.9.6.jar:3.9.6]
at net.corda.cliutils.CordaCliWrapperKt.start(CordaCliWrapper.kt:73) ~[corda-tools-cliutils-4.3.jar:?]
at net.corda.node.Corda.main(Corda.kt:13) ~[corda-node-4.3.jar:?]
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[?:1.8.0_241]
... 32 more
Top GitHub Comments
We originally imported all environment variables into the node.conf, but that was problematic and risked exposing secrets in log files. As a result we require that environment variables are prefixed with corda_ or CORDA_, and we strip this off when substituting, so variables in the node.conf are listed without the prefix, e.g. `export CORDA_MY_PASSWORD=password` and in node.conf `keyStorePassword = ${MY_PASSWORD}`.
Can you try this and see if that works properly?

Thanks Matthew for your reply.
Honestly, I moved on from this issue and used a different approach; you can read about my setup here: https://blog.b9lab.com/enabling-corda-security-with-nodes-configuration-file-412ce6a4371c
If the method that you mentioned works, can you please update the documentation here: https://docs.corda.net/node-administration.html#id2
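Added example, not code from the issue, the reporter, or Corda: a small POSIX sh model of the substitution rule in the maintainer's comment, applied to the reporter's `${keyStorePassword}` setup, showing why a bare `keyStorePassword` export leaves the placeholder unresolved while a `CORDA_`-prefixed one resolves. The resolver and the demo values are assumptions that model only the stated rule, not Corda's actual configuration loader.

```shell
#!/bin/sh
# Model of the node.conf substitution rule from the maintainer's comment
# (an assumed model, not Corda's own loader): a ${NAME} placeholder is
# filled from the environment variable CORDA_NAME or corda_NAME, prefix
# stripped. A variable named exactly NAME is never consulted, so the
# reporter's `export keyStorePassword=...` plus `${keyStorePassword}`
# leaves the placeholder unresolved and the keystore is opened with the
# wrong password.

# Print the value a ${NAME} placeholder resolves to; print nothing and
# return 1 when no prefixed variable is exported.
resolve_placeholder() {
    ref=$1
    # Accept only the ${NAME} form and a shell-safe identifier, so an
    # untrusted config line can never be expanded as a command or glob.
    case "$ref" in
        '${'*'}') ;;
        *) return 1 ;;
    esac
    name=${ref#??}   # drop the leading "${"
    name=${name%?}   # drop the trailing "}"
    case "$name" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    for candidate in "CORDA_$name" "corda_$name"; do
        # printenv sees only exported variables, as the node process would.
        if val=$(printenv "$candidate"); then
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 1
}

# Resolve a `key = ${NAME}` line as written in node.conf.
resolve_conf_line() {
    resolve_placeholder "${1##*[ =]}"   # text after the last '=' or space
}

# Constructed demo; the values are placeholders, not real secrets.
export keyStorePassword='demo-password'            # the reporter's export
if ! resolve_conf_line 'keyStorePassword = ${keyStorePassword}' >/dev/null; then
    echo "unresolved: no CORDA_keyStorePassword is exported (reporter's setup)"
fi
export CORDA_keyStorePassword='demo-password'      # the maintainer's form
if resolve_conf_line 'keyStorePassword = ${keyStorePassword}' >/dev/null; then
    echo "resolved from CORDA_keyStorePassword (value deliberately not echoed)"
fi
```

The demo never prints the resolved value, mirroring the maintainer's point that substitution must not leak secrets into logs.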