Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-4587

[GSS](7.0.z) remotingjmx client fails to work when the JVM is running in FIPS mode

    Details

    • Type: Bug
    • Status: Pull Request Sent (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0.GA
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Target Release:
    • Steps to Reproduce:
      Hide

      Reproducer notes:

      1) Configure the JVM in FIPS mode

      2) Create a remote JMX connection within a deployed application:

      private void testRemoteJMX() {
      try

      { java.util.HashMap environment = new java.util.HashMap(); environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx"); JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999"); JMXConnector jmxc = JMXConnectorFactory.connect(url, environment); }

      catch( Exception e )

      { System.out.println("*** Error:"+e.getMessage()); e.printStackTrace(); }

      }

      Show
      Reproducer notes: 1) Configure the JVM in FIPS mode 2) Create a remote JMX connection within a deployed application: private void testRemoteJMX() { try { java.util.HashMap environment = new java.util.HashMap(); environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx"); JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999"); JMXConnector jmxc = JMXConnectorFactory.connect(url, environment); } catch( Exception e ) { System.out.println("*** Error:"+e.getMessage()); e.printStackTrace(); } }

      Description

      The remotingjmx client fails to work when the JVM is running in FIPS mode. There doesn't appear to be a way to configure the keystore and truststore. As a result, javax.net.ssl.SSLContext.getDefault() gets called which fails with the following stacktrace:

      java.io.IOException: Failed to configure SSL
      at org.jboss.remoting3.remote.RemoteConnectionProvider.sslConfigFailure(RemoteConnectionProvider.java:321)
      at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:209)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
      at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
      at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
      at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
      at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
      at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
      at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
      at javax.servlet.GenericServlet.init(GenericServlet.java:242)
      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
      at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
      at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
      at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
      at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      at org.jboss.threads.JBossThread.run(JBossThread.java:122)
      at ...asynchronous invocation...(Unknown Source)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:286)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
      at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
      at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
      at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
      at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
      at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
      at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
      at javax.servlet.GenericServlet.init(GenericServlet.java:242)
      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
      at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
      at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
      at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
      at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      at org.jboss.threads.JBossThread.run(JBossThread.java:122)
      Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
      at java.security.Provider$Service.newInstance(Provider.java:1617)
      at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
      at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
      at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
      at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
      at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:87)
      at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:66)
      at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:73)
      at org.xnio.Xnio.getSslProvider(Xnio.java:209)
      at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
      ... 23 more
      Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips
      at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
      at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
      at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
      at java.security.Provider$Service.newInstance(Provider.java:1595)
      ... 33 more

      [reply] [−] Private Comment 1 dhorton@redhat.com 2016-05-12 13:36:52 EDT
      Workaround:

      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"

      This will expose the keystore password in the process listing. Use the vault system to hide the keystore password.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  jondruse Jiri Ondrusek
                  Reporter:
                  dehort Derek Horton
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated: