Java Keytool fun with x86 and s390x machines

It is always a nice feeling when something working one moment and then the next it doesn’t when nothing seemingly changes. At least that is my story and I’m sticking to it.

So while I was out on vacation, well prior to, I gave instructions to my colleagues on how to do a simple update to our RPM spec (running RHEL 6 obvi) and I knew it worked, because I tested it. Anyways, my instructions were simple and all they had to do was run the rpm after they built in on the s390x boxes. No problem right? Wrong… The RPM built and installed fine, but the keystore (baked into rpm) could not be decrypted using the same credentials as always.


$ keytool -list -v -alias myalias -keystore my.keystore -storetype jceks -keyalg AES
keytool error (likely untranslated): java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector

Weird… So I was able to narrow the issue to the JDK versions, because I was able to decrypt the keystore on x86 box without issue, but when I copied over to s390x the same keystore couldn’t be decrypted with the same params…

Now you’re probably thinking, what that is so obvious these are two different architectures, duh. Well, I would agree however I couldn’t imagine that the implementation of the encryption algorithims would change and/or be incompatible between archs AND when I created the rpm initially I tested that the keystore could be decrypted on both machines…

Anyway, lesson learned always make sure to build your keystores in each architecture.

🙂

Advertisements

Author: jasonmarley

I have been with Red Hat since 2010 and love it! My day to day is consulting on RHEL/JBoss/OpenShift, but I work on open source projects in my free time. The best part about my job are my awesome colleagues and our community.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s