Pivotal Knowledge Base

UAA server fails to start with java.lang.ClassCastException when parsing serviceProviderKey

Environment

Product                                     Version
Pivotal Elastic Runtime (No Ops manager)    1.7.x
Bosh Only Deployment                        N/A

Symptom

UAA server fails to start with the following exception:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'identityZoneConfigurationBootstrap' defined in ServletContext resource [/WEB-INF/spring-servlet.xml]: Invocation of init method failed; nested exception is java.lang.ClassCastException: org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey cannot be cast to java.security.KeyPair

Followed by:

Caused by: java.lang.ClassCastException: org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey cannot be cast to java.security.KeyPair
        at org.cloudfoundry.identity.uaa.util.KeyWithCert.<init>(KeyWithCert.java:23)
        at org.cloudfoundry.identity.uaa.zone.GeneralIdentityZoneConfigurationValidator.validate(GeneralIdentityZoneConfigurationValidator.java:32)
        at org.cloudfoundry.identity.uaa.zone.GeneralIdentityZoneValidator.validate(GeneralIdentityZoneValidator.java:37)
        at org.cloudfoundry.identity.uaa.impl.config.IdentityZoneConfigurationBootstrap.afterPropertiesSet(IdentityZoneConfigurationBootstrap.java:97)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1637)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1574)
        ... 167 more

Cause

During startup, UAA loads "/var/vcap/job/uaa/config/login.yaml" to populate "/WEB-INF/spring-servlet.xml" with the "serviceProviderKey" information. The ClassCastException is thrown during the IdentityZone validation step because the private key is in PKCS8INF format, which cannot be cast to type java.security.KeyPair.

Example of the PKCS8INF format:

-----BEGIN PRIVATE KEY-----
.
.
-----END PRIVATE KEY-----

Resolution

The following table describes the supported private key types for the login.saml.serviceProviderKey value in the cf manifest file:

Type    Example
RSA     -----BEGIN RSA PRIVATE KEY-----
DSA     -----BEGIN DSA PRIVATE KEY-----


Here is an example of how to convert an existing PKCS8 private key into the supported PKCS1 RSA format:

$ openssl rsa -inform PEM -outform PEM -in mykeyPKCS8.pem -out mykeyRSA.pem

$ egrep "BEGIN" *.pem
mykeyPKCS8.pem:-----BEGIN PRIVATE KEY-----
mykeyRSA.pem:-----BEGIN RSA PRIVATE KEY-----
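The following script is an added example, not code from the KB article, UAA or Pivotal. It is a pre-flight check you can run against the PEM text that goes into login.saml.serviceProviderKey before deploying, so the wrong wrapper is caught by the operator instead of by the ClassCastException at UAA startup. It classifies the PEM label (PKCS#1 "RSA PRIVATE KEY" and "DSA PRIVATE KEY" are the supported forms from the table above; "PRIVATE KEY" is the PKCS#8 wrapper that triggers the cast failure) and, for a PKCS#8 key, reads the inner AlgorithmIdentifier OID from the DER so it can tell you which openssl command converts it. The function names (classify_key, pkcs8_algorithm) and the sample keys are hypothetical and constructed inline; the sample PKCS#8 blob is a syntactically valid wrapper with a dummy key body, not a real key.

```python
"""Pre-flight check for a UAA serviceProviderKey PEM value (added example, not UAA code)."""
import base64
import re

# PEM labels that the KB article lists as supported for login.saml.serviceProviderKey.
SUPPORTED_LABELS = {"RSA PRIVATE KEY": "PKCS#1 RSA", "DSA PRIVATE KEY": "OpenSSL DSA"}

# Algorithm OIDs that can appear inside a PKCS#8 PrivateKeyInfo wrapper.
OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA"}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Minimal DER tag/length/value reader; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def pkcs8_algorithm(der):
    """Return the algorithm name ("RSA", "DSA" or the raw OID) from a PKCS#8 PrivateKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)        # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(body, 0)           # version INTEGER
    _, alg, _ = _read_tlv(body, pos)         # privateKeyAlgorithm AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg, 0)          # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        return None
    dotted = _decode_oid(oid)
    return OIDS.get(dotted, dotted)


def classify_key(pem_text):
    """Return (pem_label, "supported"|"unsupported", hint) for a serviceProviderKey value."""
    m = PEM_RE.search(pem_text)
    if not m:
        return ("none", "unsupported", "no PEM private key block found")
    label, body = m.group(1), m.group(2)
    der = base64.b64decode("".join(body.split()), validate=True)  # raises on corrupt base64
    if label in SUPPORTED_LABELS:
        return (label, "supported", SUPPORTED_LABELS[label])
    if label == "PRIVATE KEY":
        alg = pkcs8_algorithm(der)
        if alg == "RSA":
            return (label, "unsupported", "PKCS#8 wrapper around an RSA key; convert with: "
                                          "openssl rsa -in key.pem -out key_rsa.pem")
        if alg == "DSA":
            return (label, "unsupported", "PKCS#8 wrapper around a DSA key; convert with: "
                                          "openssl dsa -in key.pem -out key_dsa.pem")
        return (label, "unsupported", f"PKCS#8 wrapper around algorithm {alg}; not in the supported table")
    if label == "ENCRYPTED PRIVATE KEY":
        return (label, "unsupported", "encrypted PKCS#8; decrypt and convert with openssl rsa/dsa first")
    return (label, "unsupported", "unrecognised PEM label")


# --- constructed sample inputs (not real keys) ---------------------------------
def _der(tag, payload):
    """Short-form DER encoder, sufficient for the small constructed samples below."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
# PrivateKeyInfo { version 0, AlgorithmIdentifier { rsaEncryption, NULL }, privateKey OCTET STRING }
CONSTRUCTED_PKCS8_DER = _der(0x30, _der(0x02, b"\x00")
                             + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                             + _der(0x04, b"\x30\x00"))  # dummy key body
CONSTRUCTED_PKCS8_PEM = ("-----BEGIN PRIVATE KEY-----\n"
                         + base64.b64encode(CONSTRUCTED_PKCS8_DER).decode() + "\n"
                         "-----END PRIVATE KEY-----\n")
CONSTRUCTED_PKCS1_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMAA=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for sample in (CONSTRUCTED_PKCS8_PEM, CONSTRUCTED_PKCS1_PEM):
        print(classify_key(sample))
```

Run it against the actual value you intend to put in the manifest; a "supported" result only means the PEM wrapper matches what the article's table lists, it does not validate the key material itself, so keep the openssl conversion and the egrep check above as the authoritative step.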
