Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-4417

FIPS mode: Setting jsse element in security domain with JKS keystore leads to exception.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Trivial Trivial
    • None
    • 7.0.0.CR1
    • Security
    • None
    • Hide
      • /subsystem=security/security-domain=domainWithJsse/jsse=classic:add(keystore={password=keypass,type=JKS,url="file:///${jboss.server.config.dir}/keystore.jks"},server-alias=server)
      • exception KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs occures on startup
      Show
      /subsystem=security/security-domain=domainWithJsse/jsse=classic:add(keystore={password=keypass,type=JKS,url="file:///${jboss.server.config.dir}/keystore.jks"},server-alias=server) exception KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs occures on startup

      Steps to reproduce:

      • Configure JSK keystore in jsse element in security domain 
         /subsystem=security/security-domain=domainWithJsse/jsse=classic:add(keystore={password=keypass,type=JKS,url="file:///${jboss.server.config.dir}/keystore.jks"},server-alias=server)
      • exception KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs occures on startup

      Probably there is nothing eap can do about that as java makes this check [1]. Just adding here for reference.

      [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/KeyManagerFactoryImpl.java#65

      17:04:42,192 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.security.security-domain.service: org.jboss.msc.service.StartException in service jboss.security.security-domain.service: WFLYSEC0012: Unable to start the SecurityDomainService service
	at org.jboss.as.security.service.SecurityDomainService.start(SecurityDomainService.java:105)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at org.jboss.security.JBossJSSESecurityDomain.loadKeyAndTrustStore(JBossJSSESecurityDomain.java:488)
	at org.jboss.security.JBossJSSESecurityDomain.reloadKeyAndTrustStore(JBossJSSESecurityDomain.java:335)
	at org.jboss.as.security.service.SecurityDomainService.start(SecurityDomainService.java:102)
	... 5 more

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Martin Choma Martin Choma
              Martin Choma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: