Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1621

BC FIPS with CLI: the trustAnchors parameter must be non-empty

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Blocker
    • None
    • 1.5.1.Final
    • SSL
    • None
    • Hide
      • ./standalone.sh
      • create BCFKS keystore keystore.bcfks. It is attached to JIRA as well 
        keytool \ 
    -genkeypair\
    -alias appserver\
    -keyalg RSA\ 
    -keysize 2048\
    -keypass password\
    -keystore /pat/to/keystore.bcfks\
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider\
    -providerpath /pat/to/1.0.1/bc-fips-1.0.1.jar\
    -storetype BCFKS\
    -storepass password\
    -dname CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ\
    -validity 730\
    -v
      • run CLI with FIPS java 
        ./jboss-cli.sh \
    -c \
    -Dwildfly.config.url=file:///from/attachment/cli-test-wildfly-config.xml \
    --connect \
    :read-attribute\(name=server-state\)
      Show
      ./standalone.sh create BCFKS keystore keystore.bcfks. It is attached to JIRA as well keytool \ -genkeypair\ -alias appserver\ -keyalg RSA\ -keysize 2048\ -keypass password\ -keystore /pat/to/keystore.bcfks\ -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider\ -providerpath /pat/to/1.0.1/bc-fips-1.0.1.jar\ -storetype BCFKS\ -storepass password\ -dname CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ\ -validity 730\ -v run CLI with FIPS java ./jboss-cli.sh \ -c \ -Dwildfly.config.url=file: ///from/attachment/cli-test-wildfly-config.xml \ --connect \ :read-attribute\(name=server-state\)

    Description

      I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.

      08:13:18,469 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: java.lang.ExceptionInInitializerError
        at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54)
        at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286)
        at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86)
        at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:146)
        at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
        at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
        at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
        at org.jboss.modules.Module.run(Module.java:352)
        at org.jboss.modules.Module.run(Module.java:320)
        at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36)
        ... 14 more
Caused by: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:525)
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextRuleType$11(ElytronXmlParser.java:711)
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$13(ElytronXmlParser.java:749)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:356)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:231)
        at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:192)
        at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38)
        ... 16 more
Caused by: java.security.KeyStoreException: initialization failed
        at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:150)
        at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:250)
        at org.wildfly.security.auth.client.ElytronXmlParser$TrustManagerBuilder.build(ElytronXmlParser.java:590)
        at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:523)
        ... 22 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at org.bouncycastle.jsse.provider.ProvX509TrustManagerImpl.<init>(ProvX509TrustManagerImpl.java:53)
        at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:146)
        ... 25 more

      When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
      I have double check truststore is there. Correct password is used. Server has permission to open the truststure. And truststore contains certificate
      When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.

      So it looks to me something on client side is missing? Any hint?

      Attachments

        1. cli-test-wildfly-config.xml
          1 kB
        2. jboss-cli.log
          13 kB
        3. keystore.bcfks
          3 kB

        Activity

          People

            Unassigned Unassigned
            mchoma@redhat.com Martin Choma
            Farah Juma
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: