The WildFly Elytron credential store is hard coded to use a JCEKS KeyStore for its underlying storage mechanism; once FIPS mode is enabled, support for this KeyStore type is disabled.
With earlier Java versions the security provider that supplied JCEKS could be added back, but on Java 17 the provider is still present yet hard coded to disable JCEKS.
We first need to check whether an alternative such as PKCS#12 supports the entry types used by the credential store.
If it does, we cannot change our default behaviour, as we need to preserve compatibility, but we could consider a pattern where, if JCEKS is not available on creation, we "fall back" to PKCS#12.
When opening an existing credential store we already have a utility to detect the KeyStore type; we may be able to use this to detect whether the underlying store is JCEKS or PKCS#12.
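The two checks described above (can PKCS#12 hold the SecretKey entries the credential store writes, and can an existing file be recognised as JCEKS or PKCS#12 before loading it) can be exercised with plain JDK KeyStore calls. The following is an added example and is not Elytron's code or its KeyStore detection utility; the helper names (newEmptyStore, detectType, roundTrip) are hypothetical, the AES key is a constructed all-zero sample, and the detection is by file magic only (JKS 0xFEEDFEED, JCEKS 0xCECECECE, PKCS#12 as a DER SEQUENCE starting with 0x30), which is an assumption about the on-disk formats, not the project's detection logic.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class CredentialStoreFallbackDemo {

    // Hypothetical creation helper: prefer JCEKS, fall back to PKCS12 when the
    // JDK refuses the type (e.g. a FIPS-enabled JDK that disables JCEKS).
    static KeyStore newEmptyStore(char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks;
        try {
            ks = KeyStore.getInstance("JCEKS");
        } catch (KeyStoreException e) {
            ks = KeyStore.getInstance("PKCS12");
        }
        ks.load(null, password);
        return ks;
    }

    // Assumed detection by leading bytes (not Elytron's utility):
    // JKS = 0xFEEDFEED, JCEKS = 0xCECECECE, PKCS#12 = DER SEQUENCE tag 0x30.
    static String detectType(byte[] bytes) {
        if (bytes.length >= 4) {
            int magic = ((bytes[0] & 0xff) << 24) | ((bytes[1] & 0xff) << 16)
                      | ((bytes[2] & 0xff) << 8) | (bytes[3] & 0xff);
            if (magic == 0xFEEDFEED) return "JKS";
            if (magic == 0xCECECECE) return "JCEKS";
        }
        if (bytes.length > 0 && bytes[0] == 0x30) return "PKCS12";
        return null;
    }

    // Round trip for one store type: write a SecretKeyEntry, serialise, detect the
    // type from the bytes, reload under the detected type, and report whether the
    // key algorithm survived. Returns "<detectedType>:<algorithm>".
    static String roundTrip(String type, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, password);
        // Constructed sample key: 16 zero bytes, demo only, never use a fixed key.
        SecretKey key = new SecretKeySpec(new byte[16], "AES");
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(password);
        ks.setEntry("alias1", new KeyStore.SecretKeyEntry(key), prot);

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        byte[] bytes = out.toByteArray();

        String detected = detectType(bytes);
        if (detected == null) {
            throw new KeyStoreException("unrecognised KeyStore format");
        }
        KeyStore reloaded = KeyStore.getInstance(detected);
        try (InputStream in = new ByteArrayInputStream(bytes)) {
            reloaded.load(in, password);
        }
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) reloaded.getEntry("alias1", prot);
        return detected + ":" + entry.getSecretKey().getAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        for (String type : new String[] {"JCEKS", "PKCS12"}) {
            try {
                System.out.println(roundTrip(type, pw));
            } catch (KeyStoreException e) {
                // On a FIPS-enabled Java 17 the JCEKS branch is expected to land here.
                System.out.println(type + " unavailable on this JDK: " + e.getMessage());
            }
        }
        System.out.println("default store type: " + newEmptyStore(pw).getType());
    }
}
```

Running this on a non-FIPS JDK exercises both branches and shows whether the reloaded entry still reports "AES"; on a FIPS-enabled JDK the JCEKS branch should fail at KeyStore.getInstance, which is the condition the fallback in newEmptyStore is meant to catch. Whether the wrapped entry types the credential store actually writes behave the same way under PKCS#12 still needs to be confirmed against the real store.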
Issue links:
- incorporates: ELY-2866 Update "External" mode of the KeyStoreCredentialStore to not use an in memory KeyStore (Open)
- incorporates: ELY-2867 KeyStoreCredentialStore loses SecretKey algorithm in external mode (Coding In Progress)
- is cloned by: JBEAP-28642 Unable to use credential store on FIPS enabled RHEL 8 with Java 17 (New)