Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1982

TLS with BCJSSE Provider does not work

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 1.13.0.CR2
    • SSL
    • None
    • Hide
      • drop two bc fips jars into java.home/jre/lib/ext
        • bc-fips-1.0.2.jar
        • bctls-fips-1.0.10.jar
      • configure providers in java.security:
        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
        security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
        security.provider.3=sun.security.provider.Sun
        
      • create BCFKS keystore in standalone/configuration:
        keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "keystore.bcfks" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=testserver,OU=TESTOU,O=TESTO,L=TESTL,ST=TESTCZ,C=TESTCZ" -validity 730 -v
      • configure server-ssl-context:
        /subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir,type="BCFKS",credential-reference={clear-text=password})
        /subsystem=elytron/key-manager=bcfks_keymanager:add(key-store=bcfks_keystore,credential-reference={clear-text=password},algorithm=X509)
        /subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=bcfks_keymanager,need-client-auth=false)
        
      Show
      drop two bc fips jars into java.home/jre/lib/ext bc-fips-1.0.2.jar bctls-fips-1.0.10.jar configure providers in java.security: security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=sun.security.provider.Sun create BCFKS keystore in standalone/configuration: keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "keystore.bcfks" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=testserver,OU=TESTOU,O=TESTO,L=TESTL,ST=TESTCZ,C=TESTCZ" -validity 730 -v configure server-ssl-context: /subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir,type= "BCFKS" ,credential-reference={clear-text=password}) /subsystem=elytron/key-manager=bcfks_keymanager:add(key-store=bcfks_keystore,credential-reference={clear-text=password},algorithm=X509) /subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=bcfks_keymanager,need-client-auth= false )

    Description

      Configuration of `server-ssl-context` does not seem to work with BCJSSE Provider. The steps above work for EAP 7.2, however they throw the following error in EAP 7.3:

      ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
      ("subsystem" => "elytron"),
      ("server-ssl-context" => "server-ssl-context")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.server-ssl-context" => "Failed to start service
      Caused by: java.lang.IllegalStateException: SSLContext has not been initialized."}}

      Stacktrace:

      ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.security.ssl-context.server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.server-ssl-context: Failed to start service
      at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1731)
      at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
      at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.IllegalStateException: SSLContext has not been initialized.
      at org.bouncycastle.jsse.provider.ProvSSLContextSpi.getContextData(Unknown Source)
      at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineGetServerSessionContext(Unknown Source)
      at javax.net.ssl.SSLContext.getServerSessionContext(SSLContext.java:386)
      at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
      at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
      at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:1173)
      at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
      at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
      at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
      ... 6 more

      Attachments

        Activity

          People

            dvilkola@redhat.com Diana Krepinska
            dvilkola@redhat.com Diana Krepinska
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: