WildFly Elytron: ELY-1621

BC FIPS with CLI: the trustAnchors parameter must be non-empty


    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Blocker
    • Fix Version/s: None
    • Affects Version/s: 1.5.1.Final
    • Component/s: SSL
    • Labels: None
      • ./standalone.sh
      • create BCFKS keystore keystore.bcfks (it is attached to this JIRA as well):
        keytool \
            -genkeypair \
            -alias appserver \
            -keyalg RSA \
            -keysize 2048 \
            -keypass password \
            -keystore /path/to/keystore.bcfks \
            -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
            -providerpath /path/to/1.0.1/bc-fips-1.0.1.jar \
            -storetype BCFKS \
            -storepass password \
            -dname CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ \
            -validity 730 \
            -v

      • run CLI with FIPS Java:
        ./jboss-cli.sh \
            -c \
            -Dwildfly.config.url=file:///from/attachment/cli-test-wildfly-config.xml \
            --connect \
            :read-attribute\(name=server-state\)


      I am trying to connect from jboss-cli.sh to an EAP server. To reproduce the problem it is enough that BC FIPS is used only on the client side.

      08:13:18,469 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: java.lang.ExceptionInInitializerError
              at org.wildfly.security.auth.client.AuthenticationContext.lambda$static$0(AuthenticationContext.java:54)
              at org.wildfly.common.context.ContextManager.getPrivileged(ContextManager.java:286)
              at org.wildfly.security.auth.client.AuthenticationContext.captureCurrent(AuthenticationContext.java:86)
              at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:146)
              at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
              at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
              at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
              at org.jboss.modules.Module.run(Module.java:352)
              at org.jboss.modules.Module.run(Module.java:320)
              at org.jboss.modules.Main.main(Main.java:593)
      Caused by: org.wildfly.security.auth.client.InvalidAuthenticationConfigurationException: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
              at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:40)
              at java.security.AccessController.doPrivileged(Native Method)
              at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.<clinit>(DefaultAuthenticationContextProvider.java:36)
              ... 14 more
      Caused by: org.wildfly.client.config.ConfigXMLParseException: java.security.KeyStoreException: initialization failed
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:525)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextRuleType$11(ElytronXmlParser.java:711)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$13(ElytronXmlParser.java:749)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:356)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:231)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:192)
              at org.wildfly.security.auth.client.DefaultAuthenticationContextProvider.lambda$static$0(DefaultAuthenticationContextProvider.java:38)
              ... 16 more
      Caused by: java.security.KeyStoreException: initialization failed
              at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:150)
              at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:250)
              at org.wildfly.security.auth.client.ElytronXmlParser$TrustManagerBuilder.build(ElytronXmlParser.java:590)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseSslContextType$10(ElytronXmlParser.java:523)
              ... 22 more
      Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
              at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
              at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
              at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
              at org.bouncycastle.jsse.provider.ProvX509TrustManagerImpl.<init>(ProvX509TrustManagerImpl.java:53)
              at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:146)
              ... 25 more
      

      When I use non-FIPS Java with the CLI I can make it work. It also occurs when connecting to the default unsecured port 9990.
      I have double-checked that the truststore is there, the correct password is used, the server has permission to open the truststore, and the truststore contains the certificate.
      When I use a BCFKS truststore on the server side, e.g. in 2-way HTTP communication, it works.

      So it looks to me like something on the client side is missing? Any hint?
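An added diagnostic (my code, not Elytron's or Bouncy Castle's) for the failing trust-manager step in the trace above: BC JSSE builds its PKIX trust anchors only from the store's trusted-certificate entries, so a BCFKS store that holds just the key pair from `keytool -genkeypair` yields an empty set and this exact exception. The class name, argument order and the `bc-fips-1.0.1.jar` classpath are assumptions taken from the reproduction steps.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

public class TrustStoreCheck {

    // Collects anchors the way a PKIX trust manager does: trusted-certificate
    // entries only. Key entries (what keytool -genkeypair creates) are skipped.
    static Set<TrustAnchor> trustAnchorsOf(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                System.out.println(alias + ": key entry, not usable as a trust anchor");
            } else if (ks.getCertificate(alias) instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
                System.out.println(alias + ": trusted certificate entry");
            }
        }
        return anchors;
    }

    // Usage (assumed layout): java -cp .:bc-fips-1.0.1.jar TrustStoreCheck keystore.bcfks BCFKS password \
    //            org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    public static void main(String[] args) throws Exception {
        if (args.length > 3) {  // register the provider that implements the store type
            Security.addProvider((Provider) Class.forName(args[3])
                    .getDeclaredConstructor().newInstance());
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        Set<TrustAnchor> anchors = trustAnchorsOf(ks);
        // Same PKIXBuilderParameters(Set, CertSelector) call as in the trace; it
        // throws "the trustAnchors parameter must be non-empty" for an empty set
        new PKIXBuilderParameters(anchors, null);
        System.out.println(anchors.size() + " usable trust anchor(s)");
    }
}
```

If the store reports only key entries, the client truststore needs the server certificate added as a trusted-certificate entry (`keytool -importcert`) rather than a key pair.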

      Attachments:
        1. cli-test-wildfly-config.xml (1 kB, Martin Choma)
        2. jboss-cli.log (13 kB, Martin Choma)
        3. keystore.bcfks (3 kB, Martin Choma)

              Assignee: Unassigned
              Reporter: Martin Choma (mchoma@redhat.com)
              Farah Juma