JBEAP-3808 (JBoss Enterprise Application Platform)

FIPS: slave host controller registration doesn't work with default setting


    Type: Bug
    Resolution: Obsolete
    Priority: Minor
    Affects Version: 7.0.0.ER6
    Component: Security

      Steps to reproduce:

      0. Unzip the EAP distribution. The issue occurs on the default configuration.

      1. cp -r domain domain1; cp -r domain domain2

      2. In domain2/configuration/logging.properties (slave host controller) set the logging level to TRACE (the connection exception is visible at that level).

      3. Run the master/slave host controller domain:

      bin/domain.sh --host-config=host-master.xml -Djboss.domain.base.dir=`pwd`/domain1
      bin/domain.sh --host-config=host-slave.xml -Djboss.domain.base.dir=`pwd`/domain2 -Djboss.domain.master.address=127.0.0.1 -Djboss.management.native.port=10999

      4. In the slave host controller the following exception can be seen:
      "java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs"


      On the default domain configuration the slave host controller is unable to register with the master host controller. Apparently a default SSLContext is created, causing "java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs".

      See https://issues.jboss.org/browse/JBEAP-3789 for details.

      Slave / master communication works OK when SSL/TLS is configured using PKCS11, or when the http-remoting protocol is set in domain-controller/remote/discovery-options/static-discovery/protocol:

      <domain-controller>
              <remote security-realm="ManagementRealm">
                  <discovery-options>
                      <static-discovery name="primary" protocol="https-remoting" host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9990}"/>
                  </discovery-options>
              </remote>
      </domain-controller>
      

      Is there a way the remote protocol can work for slave host controller registration? Looking at remote.stacktrace, is there a way to set org.xnio.Options.SSL_STARTTLS=>false and org.xnio.Options.SSL_ENABLED=>false?
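      A check a practitioner can run against a slave host controller's host.xml and its TRACE log, added here as example code that is not part of this issue or of EAP/WildFly: it reports which protocol each static-discovery option resolves to (after expanding ${prop:default} expressions the way the -D system properties would) and whether the log carries the FIPS KeyStore provider error quoted above, so a failed registration can be tied to the default "remote" protocol rather than to a misconfigured realm. The host.xml fragments, the log lines, the jboss.domain.master.protocol expression and the assumption that a missing protocol attribute means "remote" are constructed or assumed for the example.

```python
"""Example check for the JBEAP-3808 symptom: default 'remote' discovery protocol
plus a FIPS KeyStore provider failure in the slave host controller log.
Written for this page; not EAP/WildFly code. All sample data is constructed."""
import re
import xml.etree.ElementTree as ET

# ${prop} or ${prop:default} expressions as used in host.xml attributes.
EXPR = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")
# The exception text reported in the issue; captures the required provider name.
FIPS_ERROR = re.compile(
    r"java\.security\.KeyStoreException: FIPS mode: KeyStore must be from provider (\S+)")

# Constructed host-slave.xml fragment in the default shape (protocol 'remote').
# The namespace and the jboss.domain.master.protocol expression are assumptions.
HOST_SLAVE_DEFAULT = """<host xmlns="urn:jboss:domain:4.0" name="slave">
  <domain-controller>
    <remote security-realm="ManagementRealm">
      <discovery-options>
        <static-discovery name="primary" protocol="${jboss.domain.master.protocol:remote}"
            host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9999}"/>
      </discovery-options>
    </remote>
  </domain-controller>
</host>"""

# Constructed fragment with the https-remoting workaround shown in the issue.
HOST_SLAVE_WORKAROUND = """<host xmlns="urn:jboss:domain:4.0" name="slave">
  <domain-controller>
    <remote security-realm="ManagementRealm">
      <discovery-options>
        <static-discovery name="primary" protocol="https-remoting"
            host="${jboss.domain.master.address}" port="${jboss.domain.master.port:9990}"/>
      </discovery-options>
    </remote>
  </domain-controller>
</host>"""

# Constructed TRACE-level log excerpt; logger names are illustrative only.
SAMPLE_SLAVE_LOG = [
    "14:02:11,103 TRACE [org.jboss.as.host.controller] (Controller Boot Thread) "
    "Trying to connect to remote 127.0.0.1:9999",
    "14:02:11,240 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Creating SSLContext",
    "14:02:11,251 DEBUG [org.jboss.as.host.controller] (Controller Boot Thread) "
    "Could not connect to remote domain controller: java.security.KeyStoreException: "
    "FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs",
]


def resolve(value, system_props=None):
    """Expand ${prop:default} using the given -D properties; an expression with
    no default and no property value is left untouched for the reader to see."""
    props = system_props or {}

    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in props:
            return props[name]
        return default if default is not None else m.group(0)

    return EXPR.sub(sub, value)


def static_discovery_options(host_xml, system_props=None):
    """List every static-discovery element with its resolved protocol/host/port.
    Namespaced and un-namespaced tags are both accepted; a missing protocol
    attribute is assumed to mean 'remote'."""
    root = ET.fromstring(host_xml)
    options = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "static-discovery":
            continue
        options.append({
            "name": el.get("name"),
            "protocol": resolve(el.get("protocol", "remote"), system_props),
            "host": resolve(el.get("host", ""), system_props),
            "port": resolve(el.get("port", ""), system_props),
        })
    return options


def fips_keystore_failures(log_lines):
    """Return the provider names demanded by FIPS KeyStoreException messages."""
    providers = []
    for line in log_lines:
        m = FIPS_ERROR.search(line)
        if m:
            providers.append(m.group(1))
    return providers


def assess(host_xml, log_lines, system_props=None):
    """Combine both checks: the symptom matches when a plain 'remote' option is
    configured and the log shows the FIPS provider error."""
    options = static_discovery_options(host_xml, system_props)
    providers = fips_keystore_failures(log_lines)
    plain_remote = [o["name"] for o in options if o["protocol"] == "remote"]
    return {
        "options": options,
        "plain_remote_options": plain_remote,
        "fips_failures": providers,
        "matches_jbeap_3808": bool(plain_remote) and bool(providers),
    }


if __name__ == "__main__":
    props = {"jboss.domain.master.address": "127.0.0.1"}
    for label, xml in (("default", HOST_SLAVE_DEFAULT), ("workaround", HOST_SLAVE_WORKAROUND)):
        r = assess(xml, SAMPLE_SLAVE_LOG, props)
        print(label, r["options"], r["fips_failures"], r["matches_jbeap_3808"])
```

      Run it against a real domain2/configuration/host-slave.xml and the slave's host-controller.log by reading those files into the two inputs; passing the same -D properties used on the domain.sh command line makes the resolved host and port match what the server actually used.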

      Attachments:
        1. https-remoting.stacktrace (5 kB, Martin Choma)
        2. remote.stacktrace (5 kB, Martin Choma)

      Assignee: Unassigned
      Reporter: Martin Choma (mchoma@redhat.com)