UAA server fails to start with the following exception:
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'identityZoneConfigurationBootstrap' defined in ServletContext resource [/WEB-INF/spring-servlet.xml]: Invocation of init method failed; nested exception is java.lang.ClassCastException: org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey cannot be cast to java.security.KeyPair
Followed by:

    Caused by: java.lang.ClassCastException: org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey cannot be cast to java.security.KeyPair
        at org.cloudfoundry.identity.uaa.util.KeyWithCert.<init>(KeyWithCert.java:23)
        at org.cloudfoundry.identity.uaa.zone.GeneralIdentityZoneConfigurationValidator.validate(GeneralIdentityZoneConfigurationValidator.java:32)
        at org.cloudfoundry.identity.uaa.zone.GeneralIdentityZoneValidator.validate(GeneralIdentityZoneValidator.java:37)
        at org.cloudfoundry.identity.uaa.impl.config.IdentityZoneConfigurationBootstrap.afterPropertiesSet(IdentityZoneConfigurationBootstrap.java:97)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1637)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1574)
        ... 167 more
During startup UAA loads "/var/vcap/job/uaa/config/login.yaml" to populate the "serviceProviderKey" bean in "/WEB-INF/spring-servlet.xml". The ClassCastException is thrown during the identity-zone validation step (KeyWithCert) because the private key is in PKCS#8 format, i.e. a "-----BEGIN PRIVATE KEY-----" block. The PEM parser returns a bare private key object (BCRSAPrivateCrtKey) for a PKCS#8 block rather than a key pair, so the cast to java.security.KeyPair fails and the zone configuration is rejected.

Example of the PKCS#8 format (key body elided):

    -----BEGIN PRIVATE KEY-----
    . .
    -----END PRIVATE KEY-----
The following table describes the supported private key types (PEM envelopes) for the login.saml.serviceProviderKey value in the cf manifest file:

Type | Example
---|---
RSA | `-----BEGIN RSA PRIVATE KEY-----`
DSA | `-----BEGIN DSA PRIVATE KEY-----`
Here is an example of how to convert an existing PKCS#8 private key into the supported PKCS#1 RSA format. The conversion only re-encodes the same key material, so the matching serviceProviderCertificate does not change. Note that `openssl rsa` on OpenSSL 3.x writes PKCS#8 by default and needs the `-traditional` option to emit the `RSA PRIVATE KEY` envelope; OpenSSL 1.x writes PKCS#1 without it. A DSA key is converted the same way with `openssl dsa`. Check the header of the result before pasting it into the manifest, and keep the converted file as tightly permissioned as the original:

    $ openssl rsa -inform PEM -outform PEM -in mykeyPKCS8.pem -out mykeyRSA.pem
    $ egrep "BEGIN" *.pem
    mykeyPKCS8.pem:-----BEGIN PRIVATE KEY-----
    mykeyRSA.pem:-----BEGIN RSA PRIVATE KEY-----
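The conversion above done as a small script, as an added example that is not part of the original article or of the UAA project. It normalises a key file into the PKCS#1 `RSA PRIVATE KEY` form, copes with the OpenSSL 1.x/3.x difference in `openssl rsa` output, refuses passphrase-protected PKCS#8 input instead of silently prompting, and checks that the converted key actually belongs to the SAML service-provider certificate (the other common cause of a key being rejected after a rotation). File names are placeholders; the openssl(1) CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the KB article or the UAA code base: normalise a SAML
# service-provider private key into the PKCS#1 "RSA PRIVATE KEY" PEM form that
# login.saml.serviceProviderKey accepts, and check it against the SP certificate.
# Assumes the openssl(1) CLI; file names are placeholders.
set -eu

# Label of the first PEM block in a file, e.g. "PRIVATE KEY" or "RSA PRIVATE KEY".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Write the PKCS#1 form of the RSA key in $1 to $2.
# OpenSSL 3 emits PKCS#8 by default and needs -traditional; OpenSSL 1.1 rejects
# that flag but already writes PKCS#1, so try with the flag first, then without.
convert_to_pkcs1() {
    in="$1"; out="$2"
    case "$(pem_label "$in")" in
    "RSA PRIVATE KEY")
        cp "$in" "$out" ;;                 # already PKCS#1, keep as-is
    "PRIVATE KEY")
        if ! openssl rsa -in "$in" -traditional -out "$out" 2>/dev/null &&
           ! openssl rsa -in "$in" -out "$out" 2>/dev/null; then
            echo "$in: openssl could not read it as an RSA key (EC/DSA key?)" >&2
            return 1
        fi ;;
    "ENCRYPTED PRIVATE KEY")
        echo "$in: passphrase-protected PKCS#8; decrypt it deliberately, not here" >&2
        return 2 ;;
    *)
        echo "$in: not a PEM private key" >&2
        return 1 ;;
    esac
    chmod 600 "$out"
    # Final check: the manifest needs exactly this envelope, whatever OpenSSL did.
    [ "$(pem_label "$out")" = "RSA PRIVATE KEY" ]
}

# Succeeds when the private key ($1) and certificate ($2) share an RSA modulus,
# i.e. serviceProviderKey really belongs to serviceProviderCertificate.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh convert-sp-key.sh mykeyPKCS8.pem mykeyRSA.pem [sp-cert.pem]
if [ "$#" -ge 2 ]; then
    convert_to_pkcs1 "$1" "$2"
    if [ "$#" -ge 3 ]; then
        if key_matches_cert "$2" "$3"; then
            echo "$2 matches $3"
        else
            echo "$2 does NOT match $3" >&2
            exit 1
        fi
    fi
    echo "$2: $(pem_label "$2")"
fi
```

Run it against the key you intend to put in the manifest; the modulus comparison is worth keeping as a pre-deploy check even when the envelope is already correct.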