Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-2514

unable to start in domain mode when the JVM is running in FIPS mode


    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.0.0.ER5
    • None
    • Management, Security
    • None

      The server instance fails to connect to the host-controller when the server instance's JVM is configured to run in FIPS mode. Here is the error/exception:

      14:42:48,850 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-17) MSC000001: Failed to start service jboss.host.controller.client: org.jboss.msc.service.StartException in service jboss.host.controller.client: java.io.IOException: JBAS015847: Unable to initialise a basic SSLContext 'FIPS mode: only SunJSSE TrustManagers may be used'
      at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:132) [jboss-as-server-7.5.4.Final-redhat-4.jar:7.5.4.Final-redhat-4]
      at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
      at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913) [jboss-msc-1.1.5.Final-redhat-1.jar:1.1.5.Final-redhat-1]
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_60]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_60]
      at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_60]
      Caused by: java.io.IOException: JBAS015847: Unable to initialise a basic SSLContext 'FIPS mode: only SunJSSE TrustManagers may be used'
      at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.getAcceptingSSLContext(HostControllerConnectionService.java:207) [jboss-as-server-7.5.4.Final-redhat-4.jar:7.5.4.Final-redhat-4]
      at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:111) [jboss-as-server-7.5.4.Final-redhat-4.jar:7.5.4.Final-redhat-4]
      ... 5 more

      This appears to be happening when the server-instance tries to connect back to the host-controller.

      The interesting thing is that in this instance the host controller and instances are not setup to use SSL/TLS on the management connections, but the server instance still tries to initialize the SSLContext. Also, it looks like the server-instance is configuring a "trust all" trust manager.

      Here is part of the org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start() method:

      public synchronized void start(final StartContext context) throws StartException {
      final Endpoint endpoint = endpointInjector.getValue();
      try {
      final URI connectionURI = new URI("remote://" + NetworkUtils.formatPossibleIpv6Address(hostName) + ":" + port);
      final OptionMap options = OptionMap.create(Options.SASL_DISALLOWED_MECHANISMS, Sequence.of(JBOSS_LOCAL_USER));
      // Create the connection configuration
      final ProtocolConnectionConfiguration configuration = ProtocolConnectionConfiguration.create(endpoint, connectionURI, options);
      configuration.setCallbackHandler(HostControllerConnection.createClientCallbackHandler(userName, initialAuthKey));


      private static SSLContext getAcceptingSSLContext() throws IOException {

      • This connection is only a connection back to the local host controller.
      • The HostController that started this process will have already provided the
      • required information regarding the connection so quietly allow the SSL connection
      • to be established.
        try {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManager[] trustManagers = new TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {

      public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {

      public X509Certificate[] getAcceptedIssuers()

      { return null; }

      } };

      sslContext.init(null, trustManagers, null);

      return sslContext;
      } catch (GeneralSecurityException e)

      { throw ServerMessages.MESSAGES.unableToInitialiseSSLContext(e.getMessage()); }


            mchoma@redhat.com Martin Choma
            rhn-support-dehort Derek Horton
            0 Vote for this issue
            10 Start watching this issue