JBoss Enterprise Application Platform / JBEAP-4033

FIPS mode: You can't configure 2 PKCS11 keystores


Details

    Description

      An administrator can't configure a PKCS11 keystore in 2 realms. When he tries, EAP doesn't start. This can cause problems when there is such a need, because a realm used in one subsystem has to be set up in a different way than a realm used in another subsystem.

      09:58:03,331 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.server.controller.management.security_realm.FIPSManagementRealm2.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.FIPSManagementRealm2.key-manager: Failed to start service
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.security.ProviderException: java.security.KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0xf5e418eec534a3d05757b86500595eb919698f2d
      	at sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:330)
      	at java.security.KeyStore.getKey(KeyStore.java:1023)
      	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
      	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
      	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:121)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:83)
      	at org.jboss.as.domain.management.security.ProviderKeyManagerService.start(ProviderKeyManagerService.java:71)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
      	... 3 more
      Caused by: java.security.KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0xf5e418eec534a3d05757b86500595eb919698f2d
      	at sun.security.pkcs11.P11KeyStore.getTokenObject(P11KeyStore.java:2235)
      	at sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:310)
      	... 12 more
      

      REPRODUCER
      1.

      /core-service=management/security-realm=FIPSManagementRealm:add
      /core-service=management/security-realm=FIPSManagementRealm/server-identity=ssl:add(keystore-provider=PKCS11, keystore-password=pass123+)
      
      /core-service=management/security-realm=FIPSManagementRealm2:add
      /core-service=management/security-realm=FIPSManagementRealm2/server-identity=ssl:add(keystore-provider=PKCS11, keystore-password=pass123+)
      
      reload 
      
      shutdown --restart=true
      

      2.
      There is an error in the log: "KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID"

            People

              Unassigned Unassigned
              mchoma@redhat.com Martin Choma
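Added example, not part of the original report or of JBoss EAP: a log triage helper that finds `MSC000001` key-manager start failures, follows each failure's `Caused by:` chain to its root cause, and reports the security realm together with the CKA_ID the PKCS11 keystore rejected. The sample log is constructed from the trace in the description (abridged, plus one constructed unrelated line), and the function and variable names are hypothetical.

```python
import re

# Constructed sample: abridged from the trace in this report, plus one unrelated line.
SAMPLE_LOG = """\
09:58:03,331 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.server.controller.management.security_realm.FIPSManagementRealm2.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.FIPSManagementRealm2.key-manager: Failed to start service
\tat org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
Caused by: java.security.ProviderException: java.security.KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0xf5e418eec534a3d05757b86500595eb919698f2d
\tat sun.security.pkcs11.P11KeyStore.engineGetKey(P11KeyStore.java:330)
Caused by: java.security.KeyStoreException: invalid KeyStore state: found 2 private keys sharing CKA_ID 0xf5e418eec534a3d05757b86500595eb919698f2d
\tat sun.security.pkcs11.P11KeyStore.getTokenObject(P11KeyStore.java:2235)
09:58:03,400 INFO  [org.jboss.as] (Controller Boot Thread) constructed unrelated line
"""

NEW_RECORD = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} ")
FAIL = re.compile(r"MSC000001: Failed to start service "
                  r"\S*?security_realm\.(?P<realm>[^.\s]+)\.key-manager:")
CAUSE = re.compile(r"^\s*Caused by: (?P<exc>[\w.$]+): (?P<msg>.*)$")
SHARED = re.compile(r"found (?P<n>\d+) private keys sharing CKA_ID (?P<id>0x[0-9a-fA-F]+)")


def shared_cka_id_failures(log_text):
    """Return one dict per key-manager failure whose root cause is a duplicated CKA_ID."""
    findings, current = [], None
    for line in log_text.splitlines():
        if NEW_RECORD.match(line):
            # A new timestamped record ends the previous record's stack trace.
            if current and current["cka_id"]:
                findings.append(current)
            m = FAIL.search(line)
            current = {"realm": m.group("realm"), "cka_id": None} if m else None
            continue
        if current is None:
            continue
        cause = CAUSE.match(line)
        if cause:
            # The last "Caused by" in the chain is the root cause, so overwrite as we go.
            hit = SHARED.search(cause.group("msg"))
            current["root_exception"] = cause.group("exc")
            current["cka_id"] = hit.group("id") if hit else None
            current["keys"] = int(hit.group("n")) if hit else None
    if current and current["cka_id"]:
        findings.append(current)
    return findings


if __name__ == "__main__":
    for f in shared_cka_id_failures(SAMPLE_LOG):
        print(f"{f['realm']}: {f['keys']} private keys share CKA_ID {f['cka_id']}")
```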