JBoss Enterprise Application Platform
JBEAP-3789

Using JKS keystore leads to "FIPS mode: KeyStore must be from provider XXX"


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Trivial
    • None
    • 7.0.0.ER6
    • Management, Security
    • None
    • Documentation (Ref Guide, User Guide, etc.)

      A user can't start a domain in FIPS mode when a JKS keystore is used for master <-> slave host controller communication. (Using a PKCS11 keystore works well.)

      [Host Controller] 14:05:47,900 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.server.controller.management.security_realm.MasterManagementRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.MasterManagementRealm.key-manager: WFLYDM0018: Unable to start service
      [Host Controller]       at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
      [Host Controller]       at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:147)
      [Host Controller]       at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
      [Host Controller]       at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
      [Host Controller]       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      [Host Controller]       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      [Host Controller]       at java.lang.Thread.run(Thread.java:745)
      [Host Controller] Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
      [Host Controller]       at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
      [Host Controller]       at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      [Host Controller]       at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:121)
      [Host Controller]       at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:83)
      [Host Controller]       ... 6 more
      

      If I understood the code correctly [1], there is nothing EAP can do about it. Just adding this here for reference.

      [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/KeyManagerFactoryImpl.java#65
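A preflight check that mirrors the provider test SunJSSE applies in FIPS mode, so an operator can validate the key-manager keystore before starting a host controller (added example, not code from EAP or from the JDK; the expected provider name, e.g. SunPKCS11-testPkcs from the trace above, is whatever is configured in java.security):

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

/** Reproduces the check from KeyManagerFactoryImpl outside FIPS mode. */
public final class FipsKeyStorePreflight {

    /**
     * Loads a keystore of the given type and verifies it is served by the
     * expected (FIPS) provider. For PKCS11 the path is null: the token is the store.
     */
    static KeyStore load(String type, String providerName, String path, char[] password)
            throws Exception {
        Provider expected = Security.getProvider(providerName);
        if (expected == null) {
            throw new KeyStoreException("provider " + providerName
                    + " is not registered in java.security");
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = path == null ? null : new FileInputStream(path)) {
            ks.load(in, password);
        }
        // A JKS keystore is always served by the "SUN" provider, never by SunPKCS11;
        // this is exactly the condition the JDK rejects in FIPS mode.
        if (!ks.getProvider().getName().equals(expected.getName())) {
            throw new KeyStoreException("FIPS mode: KeyStore must be from provider "
                    + expected.getName() + " but the " + type
                    + " keystore comes from " + ks.getProvider().getName());
        }
        return ks;
    }

    /** Usage: java FipsKeyStorePreflight <type> <expected-provider> [<path>] */
    public static void main(String[] args) throws Exception {
        String path = args.length > 2 ? args[2] : null;
        char[] pin = System.console().readPassword("keystore password/PIN: ");
        load(args[0], args[1], path, pin);
        System.out.println("OK: " + args[0] + " keystore is served by " + args[1]);
    }
}
```

Running it against a JKS file fails with the same message as the host controller, while a PKCS11 keystore from the configured provider passes.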

      Attachments:
        1. test.out (27 kB, attached by Martin Choma)

              Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
              Reporter: Martin Choma (mchoma@redhat.com)
              Votes: 0
              Watchers: 2
