Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1622

BC FIPS with CLI: SunX509 KeyManagerFactory not available

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 1.5.1.Final
    • Fix Version/s: 1.5.2.Final
    • Component/s: SSL
    • Labels:
      None
    • Steps to Reproduce:
      Hide
      • ./standalone.sh
      • run CLI with FIPS java
        ./jboss-cli.sh \
            -c \
            -Dwildfly.config.url=file:///from/attachment/cli-test-wildfly-config.xml \
            --connect \
            :read-attribute\(name=server-state\)
        
      Show
      ./standalone.sh run CLI with FIPS java ./jboss-cli.sh \ -c \ -Dwildfly.config.url=file: ///from/attachment/cli-test-wildfly-config.xml \ --connect \ :read-attribute\(name=server-state\)
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Hide

      set ssl.KeyManagerFactory.algorithm=X509 in java.security file

      Show
      set ssl.KeyManagerFactory.algorithm=X509 in java.security file

      Description

      I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.

      11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
              at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
              at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
              at org.jboss.modules.Module.run(Module.java:352)
              at org.jboss.modules.Module.run(Module.java:320)
              at org.jboss.modules.Main.main(Main.java:593)
      Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
              ... 5 more
      Caused by: java.io.IOException: Failed to obtain SSLContext
              at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
              at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
              ... 8 more
      Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
              at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
              at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
              at javax.net.ssl.SSLContext.init(SSLContext.java:282)
              at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
              at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
              at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
              at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
              at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
              ... 10 more
      Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
              at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
              at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
              at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
              ... 17 more
      

      When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
      When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.

      I believe problem is I cant configure algorithm for keymanager on client side in wildfly-config.xml. (At least I don't see how could I do so).
      BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  fjuma Farah Juma
                  Reporter:
                  mchoma Martin Choma
                  Need Info from:
                  Farah Juma
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: