Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-28497

Unable to use credential store on FIPS enabled RHEL 8 with Java 17

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • Security
    • None
    • False
    • None
    • False

      The WildFly Elytron credential store is hard coded to use a JCEKS KeyStore for it's underlying storage mechanism, once FIPS is enabled support for thie KeyStore type is disabled.

      In prior Java versions the security provider that provided support for JCEKS could be added back but with Java 17 the security provider is still present but it is hard coded to disable JCEKS.

      We first need to check would an alternative such as PKCS#12 support the types used by the credential store.

      If so we can not change our default behaviour as we need to preserve compatibility but we could consider a pattern where if on creation JCEKS is not available we "fall back" to PKCS#12.

      On opening the existing credential store we do have a utility to detect the KeyStore type we may be able to use this to detect if we have an underlying JCEKS or PKCS#12 store.

              darran.lofthouse@redhat.com Darran Lofthouse
              darran.lofthouse@redhat.com Darran Lofthouse
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: