WildFly Elytron / ELY-2456

Cannot add alias to PKCS11 credential store in FIPS enabled RHEL


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

    Description

      When running RHEL in FIPS mode (`fips-mode-setup --enable`) with preconfigured FIPS providers and a preconfigured `/etc/pki/nssdb`, the credential store of type PKCS#11 cannot have an alias added. See the steps below and the exception:

      /subsystem=elytron/credential-store=cs:add(location=/path/to/cs, relative-to=jboss.server.data.dir,implementation-properties={"keyStoreType"=>"PKCS11","keyAlias"=>"cs_key"},credential-reference={clear-text=pass123+},create=true)
      {"outcome" => "success"}

      [standalone@localhost:9990 /] /subsystem=elytron/credential-store=cs:add-alias(alias=a)
      {
          "outcome" => "failed",
          "failure-description" => "WFLYELY00009: Unable to complete operation. 'ELY09508: Cannot write credential to store->Cannot convert to PKCS11 keys->Unknown algorithm 1.2.840.113549.1.7.1'",
          "rolled-back" => true
      }


      In server log:

      14:10:30,176 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add-alias") failed - address: ([
          ("subsystem" => "elytron"),
          ("credential-store" => "8a")
      ]) - failure description: "WFLYELY00009: Unable to complete operation. 'ELY09508: Cannot write credential to store->Cannot convert to PKCS11 keys->Unknown algorithm 1.2.840.113549.1.7.1'"
      

      Adding an alias to the credential store works when RHEL is not running in FIPS mode but the PKCS#11 provider is configured with FIPS and the NSS DB.
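      To isolate the failure from WildFly, the following is an added reproducer (not part of the issue report and not Elytron project code) that drives the JDK's SunPKCS11 provider directly. It rests on two assumptions the report does not state: that Elytron's PKCS#11-backed credential store writes each credential as a `SecretKey` entry whose algorithm name is the OID 1.2.840.113549.1.7.1 (the PKCS#7 id-data content type, which is the OID in the error text), and that the SunPKCS11 configuration file and token PIN given on the command line point at the FIPS NSS module in `/etc/pki/nssdb`. If `setKeyEntry` throws a `KeyStoreException` reading "Cannot convert to PKCS11 keys" with an `InvalidKeyException` "Unknown algorithm ..." as its cause, the rejection is raised in the provider's key conversion before any Elytron store logic is involved, which matches the nested message chain in the failure description above.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.spec.SecretKeySpec;

// Stand-alone reproducer for the "Cannot convert to PKCS11 keys" path of ELY-2456.
// Build and run (paths and PIN are assumptions, adjust to your host):
//   javac Pkcs11DataKeyRepro.java
//   java Pkcs11DataKeyRepro nss-fips.cfg <token-pin>
public class Pkcs11DataKeyRepro {

    // OID 1.2.840.113549.1.7.1 is PKCS#7 id-data. ASSUMPTION: Elytron's credential
    // store uses this OID as the algorithm name of the SecretKey it writes.
    static final String DATA_OID = "1.2.840.113549.1.7.1";

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: Pkcs11DataKeyRepro <sunpkcs11.cfg> <pin>");
            System.exit(2);
        }

        // ASSUMPTION: args[0] is a SunPKCS11 config file selecting the NSS FIPS module, e.g.
        //   name = nss-fips
        //   nssLibraryDirectory = /usr/lib64
        //   nssSecmodDirectory = /etc/pki/nssdb
        //   nssDbMode = readWrite
        //   nssModule = fips
        Provider p = Security.getProvider("SunPKCS11").configure(args[0]);
        Security.addProvider(p);
        char[] pin = args[1].toCharArray();

        // Same key store type the CLI command asks for: keyStoreType=PKCS11.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        // Constructed sample credential; the bytes themselves are irrelevant to the failure.
        SecretKeySpec credential =
                new SecretKeySpec("pass123+".getBytes(StandardCharsets.UTF_8), DATA_OID);

        try {
            // Equivalent of add-alias(alias=a): store the credential under alias "a".
            ks.setKeyEntry("a", credential, pin, null);
            System.out.println("stored, containsAlias(a) = " + ks.containsAlias("a"));
        } catch (KeyStoreException e) {
            // Expected on the FIPS token per the issue: the provider cannot map the
            // OID algorithm name to a PKCS#11 key type and wraps the InvalidKeyException.
            System.out.println("setKeyEntry failed: " + e);
            for (Throwable c = e.getCause(); c != null; c = c.getCause()) {
                System.out.println("  caused by: " + c);
            }
            System.exit(1);
        }
    }
}
```

      Running it against a non-FIPS NSS token with the same configuration file is the natural counterpart to the last sentence of the report; whether that run succeeds is not established by this example and has to be observed on the host.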

      People

        Assignee: Unassigned
        Reporter: Diana Krepinska (dvilkola@redhat.com)
