Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-23297

Unable to create external credential-store using elytron-tool on FIPS-configured JDK

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Can't Do
    • Icon: Major Major
    • None
    • 8.0.0.Alpha
    • Security
    • None
    • False
    • False
    • Hide

      Configure FIPS JDK

      Create nss database:

      • $ sudo mkdir -p /usr/share/jboss-as
      • $ sudo chown $USER:$USER /usr/share/jboss-as/
      • $ mkdir /usr/share/jboss-as/fipsdb
      • $ modutil  -create -dbdir /usr/share/jboss-as/fipsdb

      Create nss configuration file with following content:

      name = nss-fips
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /usr/share/jboss-as/fipsdb
nssModule = fips
nssDbMode = readWrite

      Enable SunPKCS11 provider:

      • Modify java.security file (located eg. in $JAVA_HOME/jre/lib/security/java.security or `$JAVA_HOME/conf/security/java.security`) file to have the provider on the first position:
        security.provider.1=SunPKCS11 /usr/share/jboss-as/nss.cfg
      • Any other security.provider.X lines in this file must have the value of their X increased by one to ensure that this provider is given priority.
      • Modify java.security file’s provider com.sun.net.ssl.internal.ssl.Provider to use the PKCS#11 keystore we are configuring right now.
        Resulting row should look like the following(numbering can differ):
        security.provider.5=SunJSSE SunPKCS11-nss-fips

      Enable FIPS mode for NSS library and set password:

      • $ modutil -fips true -dbdir /usr/share/jboss-as/fipsdb
      • $ modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /usr/share/jboss-as/fipsdb

      Create secmod.db if it does not exist:

      • $ modutil -fips true -dbdir /usr/share/jboss-as/fipsdb

      Run elytron-tool using FIPS JDK

      Create secret key:

      • keytool -genseckey -alias my-key -storetype PKCS11

      Run elytron-tool

      • $ cd $JBOSS_HOME/bin
      • $ touch /tmp/eltool-test
      • $ /bin/bash elytron-tool.sh credential-store --create --add secret-key --secret pass123+ --password pass123+ --location /tmp/eltool-test --properties "keyStoreType=PKCS11;external=true;keyAlias=my-key;externalPath=/tmp/result,cryptoAlg=bcrypt" --debug

      Note that --location option is required because of JBEAP-23163

      Expected output

      Alias "my-key" has been successfully stored

      Actual output

       Exception encountered executing the command:
org.wildfly.security.credential.store.CredentialStoreException: ELY09508: Cannot write credential to store
    at org.wildfly.security.elytron-base@1.18.0.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.store(KeyStoreCredentialStore.java:413)
    at org.wildfly.security.elytron-base@1.18.0.Final//org.wildfly.security.credential.store.CredentialStore.store(CredentialStore.java:242)
    at org.wildfly.security.elytron-base@1.18.0.Final//org.wildfly.security.credential.store.CredentialStore.store(CredentialStore.java:226)
    at org.wildfly.security.elytron-tool@1.18.0.Final//org.wildfly.security.tool.CredentialStoreCommand.addAlias(CredentialStoreCommand.java:510)
    at org.wildfly.security.elytron-tool@1.18.0.Final//org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:421)
    at org.wildfly.security.elytron-tool@1.18.0.Final//org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:84)
    at org.jboss.modules.Module.run(Module.java:353)
    at org.jboss.modules.Module.run(Module.java:321)
    at org.jboss.modules.Main.main(Main.java:604)
Caused by: java.security.NoSuchAlgorithmException: ELY08028: Invalid algorithm "clear"
    at org.wildfly.security.elytron-base@1.18.0.Final//org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:123)
    at org.wildfly.security.elytron-base@1.18.0.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.store(KeyStoreCredentialStore.java:287)
    ... 8 more
      Show
      Configure FIPS JDK Create nss database: $ sudo mkdir -p /usr/share/jboss-as $ sudo chown $USER:$USER /usr/share/jboss-as/ $ mkdir /usr/share/jboss-as/fipsdb $ modutil  -create -dbdir /usr/share/jboss-as/fipsdb Create nss configuration file with following content: name = nss-fips nssLibraryDirectory = /usr/lib64 nssSecmodDirectory = /usr/share/jboss-as/fipsdb nssModule = fips nssDbMode = readWrite Enable SunPKCS11 provider: Modify java.security file (located eg. in $JAVA_HOME/jre/lib/security/java.security or `$JAVA_HOME/conf/security/java.security`) file to have the provider on the first position: security.provider.1=SunPKCS11 /usr/share/jboss-as/nss.cfg Any other security.provider.X lines in this file must have the value of their X increased by one to ensure that this provider is given priority. Modify java.security file’s provider com.sun.net.ssl.internal.ssl.Provider to use the PKCS#11 keystore we are configuring right now. Resulting row should look like the following(numbering can differ): security.provider.5=SunJSSE SunPKCS11-nss-fips Enable FIPS mode for NSS library and set password: $ modutil -fips true -dbdir /usr/share/jboss-as/fipsdb $ modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /usr/share/jboss-as/fipsdb Create secmod.db if it does not exist: $ modutil -fips true -dbdir /usr/share/jboss-as/fipsdb Run elytron-tool using FIPS JDK Create secret key: keytool -genseckey -alias my-key -storetype PKCS11 Run elytron-tool $ cd $JBOSS_HOME/bin $ touch /tmp/eltool-test $ /bin/bash elytron-tool.sh credential-store --create --add secret-key --secret pass123+ --password pass123+ --location /tmp/eltool-test --properties "keyStoreType=PKCS11;external=true;keyAlias=my-key;externalPath=/tmp/result,cryptoAlg=bcrypt" --debug Note that --location option is required because of JBEAP-23163 Expected output Alias "my-key" has been successfully stored Actual output Exception encountered executing the command: org.wildfly.security.credential.store.CredentialStoreException: ELY09508: Cannot write credential to store     at org.wildfly.security.elytron-base@1.18.0.Final //org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.store(KeyStoreCredentialStore.java:413)     at org.wildfly.security.elytron-base@1.18.0.Final //org.wildfly.security.credential.store.CredentialStore.store(CredentialStore.java:242)     at org.wildfly.security.elytron-base@1.18.0.Final //org.wildfly.security.credential.store.CredentialStore.store(CredentialStore.java:226)     at org.wildfly.security.elytron-tool@1.18.0.Final //org.wildfly.security.tool.CredentialStoreCommand.addAlias(CredentialStoreCommand.java:510)     at org.wildfly.security.elytron-tool@1.18.0.Final //org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:421)     at org.wildfly.security.elytron-tool@1.18.0.Final //org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:84)     at org.jboss.modules.Module.run(Module.java:353)     at org.jboss.modules.Module.run(Module.java:321)     at org.jboss.modules.Main.main(Main.java:604) Caused by: java.security.NoSuchAlgorithmException: ELY08028: Invalid algorithm "clear"     at org.wildfly.security.elytron-base@1.18.0.Final //org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:123)     at org.wildfly.security.elytron-base@1.18.0.Final //org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.store(KeyStoreCredentialStore.java:287)     ... 8 more

      Unable to create external credential-store using elytron-tool on FIPS-configured JDK

              Unassigned Unassigned
              rhn-support-ngibor Nikita Gibor (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: