VIP Auth Hub: RSA public key is not available client side (option serverRsaPublicKeyFile not set)

Article ID: 379595


Products

VIP Authentication Hub

Issue/Introduction

During VIP Auth Hub deployment, setting the DB SSL mode to "DISABLED" results in a connection failure with the error "RSA public key is not available client side".

values.yaml

=============================

ssp:

  db:
   enabled: false
   # possible values of "sslMode" are: DISABLED, PREFERRED, REQUIRED, VERIFY_CA or VERIFY_IDENTITY
   sslMode: DISABLED
   existingSslSecret:
   existingSecret:

=============================

When VIP Auth Hub tries to connect to a MySQL database server as a MySQL user that uses "caching_sha2_password" (as opposed to "mysql_native_password"), the database connection fails with: RSA public key is not available client side (option serverRsaPublicKeyFile not set)

ssp-ssp-dataseed-job-lkhx9-ssp-db-init.log

yyyy-mm-ddT07:56:24.082Z  WARN 1 --- [dbinit] [main] s.c.a.AnnotationConfigApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'entityManagerFactory' defined in class path resource [org/springframework/boot/autoconfigure/orm/jpa/HibernateJpaConfiguration.class]: Failed to initialize dependency 'dataSourceScriptDatabaseInitializer' of LoadTimeWeaverAware bean 'entityManagerFactory': Error creating bean with name 'dataSourceScriptDatabaseInitializer' defined in class path resource [org/springframework/boot/autoconfigure/sql/init/DataSourceInitializationConfiguration.class]: Unsatisfied dependency expressed through method 'dataSourceScriptDatabaseInitializer' parameter 0: Error creating bean with name 'dataSource' defined in class path resource [com/broadcom/layer7authentication/persistence/DataSourceConfig.class]: Failed to instantiate [javax.sql.DataSource]: Factory method 'dataSource' threw exception with message: Failed to initialize pool: Could not connect to address=(host=xxxxx)(port=xxxx)(type=master) : RSA public key is not available client side (option serverRsaPublicKeyFile not set)

Environment

VIP Auth Hub: 3.2.1.1121

Cause

The MySQL user of VIP Auth Hub should be created using "mysql_native_password" (not "caching_sha2_password").

The following SQL command shows the plugin ("caching_sha2_password" or "mysql_native_password") for the MySQL user that is used by VIP Auth Hub:

=======================

select user, host, plugin from mysql.user;
=======================

Resolution

This is a configuration error.

VIP Auth Hub should not use the mysql 'root' user for connecting to the mysql database (in the custom helm values yaml).

VIP Auth Hub should use the mysql 'ssp' user for connecting to the mysql database.

Check the deployment command (kubectl run -it --rm --image=mysql:8.0.26 --restart=Never mysql-client -- mysql -h xxx -u xxx -e"CREATE DATABASE IF NOT EXISTS.....) and ensure that it uses the mysql 'ssp' user with its native password mechanism.

As a temporary workaround, one could also add the following in values.yaml:

=============================

ssp:

  db:
   jdbcUrl: "jdbc:mysql://mysql:port/ssp"
   jdbcOpts: "allowPublicKeyRetrieval=true&useSSL=false"

=============================
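
A pre-deployment check for the conditions described under Cause and Resolution, as an added example (not Broadcom's code). It assumes the output of the query above was captured in tab-separated form (mysql --batch) and that the DB user name, sslMode and jdbcOpts are passed in by hand; the function names and finding labels are hypothetical.

```python
from urllib.parse import parse_qs

# Constructed sample: tab-separated result of
# "select user, host, plugin from mysql.user" (not real output).
SAMPLE_ROWS = (
    "user\thost\tplugin\n"
    "root\t%\tcaching_sha2_password\n"
    "ssp\t%\tmysql_native_password\n"
)

def plugins(batch_output):
    """Map each MySQL user name to the set of auth plugins it uses."""
    lines = [line for line in batch_output.splitlines() if line.strip()]
    header = lines[0].split("\t")
    u, p = header.index("user"), header.index("plugin")
    result = {}
    for line in lines[1:]:
        cols = line.split("\t")
        result.setdefault(cols[u], set()).add(cols[p])
    return result

def audit(db_user, ssl_mode, jdbc_opts, batch_output):
    """Return a list of findings for one DB connection configuration."""
    # jdbcOpts is a query string; compare keys and values case-insensitively.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(jdbc_opts).items()}
    user_plugins = plugins(batch_output).get(db_user, set())
    unencrypted = ssl_mode.upper() == "DISABLED" or opts.get("usessl") == "false"
    findings = []
    if db_user == "root":
        findings.append("root-user")               # article: use 'ssp' instead
    if not user_plugins:
        findings.append("user-not-found")
    if "caching_sha2_password" in user_plugins and unencrypted:
        if opts.get("allowpublickeyretrieval") == "true":
            # Key is fetched from the server over an unencrypted connection;
            # the article calls this a temporary workaround only.
            findings.append("temporary-workaround-active")
        elif "serverrsapublickeyfile" not in opts:
            # Conditions under which the article's error can occur.
            findings.append("rsa-public-key-error-expected")
    return findings

if __name__ == "__main__":
    print(audit("root", "DISABLED", "", SAMPLE_ROWS))
    print(audit("ssp", "DISABLED", "", SAMPLE_ROWS))
```

An empty list for the 'ssp' user with "mysql_native_password" corresponds to the configuration the Resolution section recommends.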