Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11744

CLI with PKCS11 keystore cannot connect to server and throws java.security.KeyManagementException

XMLWordPrintable

      When trying to connect with CLI to server using PKCS11 (and FIPS):

      • CLI can connect with the old workaround described in 7.0 documentation
        JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
        JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
        
      • When providing -Dwildfly.config.url, no matter what's in the path (even if it's non-existent file), CLI throws following error:
        java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used: FIPS mode: only SunJSSE TrustManagers may be used
        
      • If I set up BOTH the JAVA_OPTS and wildfly-config.xml, the config is parsed properly (throwing errors in case of wrong path, malformed xml etc.) and CLI connects successfully.

      I'm marking it as a blocker now, since this is basically the functionality required by EAP7-610. But the old workaround still works just fine, so I think this isn't high priority if we're ok to postpone the RFE.

        1. standalone.xml
          31 kB
        2. cli-wildfly-config.xml
          1 kB
        3. trace-logs.zip
          48 kB

              darran.lofthouse@redhat.com Darran Lofthouse
              msvehla@redhat.com Martin Svehla
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: