Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-4587

[GSS](7.0.z) remotingjmx client fails to work when the JVM is running in FIPS mode

    XMLWordPrintable

Details

    • Bug
    • Resolution: Obsolete
    • Major
    • None
    • 7.0.0.GA
    • Security
    • None
    • Hide

      Reproducer notes:

      1) Configure the JVM in FIPS mode

      2) Create a remote JMX connection within a deployed application:

      private void testRemoteJMX() {
      try

      { java.util.HashMap environment = new java.util.HashMap(); environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx"); JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999"); JMXConnector jmxc = JMXConnectorFactory.connect(url, environment); }

      catch( Exception e )

      { System.out.println("*** Error:"+e.getMessage()); e.printStackTrace(); }

      }

      Show
      Reproducer notes: 1) Configure the JVM in FIPS mode 2) Create a remote JMX connection within a deployed application: private void testRemoteJMX() { try { java.util.HashMap environment = new java.util.HashMap(); environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx"); JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999"); JMXConnector jmxc = JMXConnectorFactory.connect(url, environment); } catch( Exception e ) { System.out.println("*** Error:"+e.getMessage()); e.printStackTrace(); } }

    Description

      The remotingjmx client fails to work when the JVM is running in FIPS mode. There doesn't appear to be a way to configure the keystore and truststore. As a result, javax.net.ssl.SSLContext.getDefault() gets called which fails with the following stacktrace:

      java.io.IOException: Failed to configure SSL
      at org.jboss.remoting3.remote.RemoteConnectionProvider.sslConfigFailure(RemoteConnectionProvider.java:321)
      at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:209)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
      at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
      at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
      at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
      at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
      at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
      at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
      at javax.servlet.GenericServlet.init(GenericServlet.java:242)
      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
      at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
      at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
      at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
      at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      at org.jboss.threads.JBossThread.run(JBossThread.java:122)
      at ...asynchronous invocation...(Unknown Source)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:286)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
      at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
      at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
      at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
      at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
      at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
      at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
      at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
      at javax.servlet.GenericServlet.init(GenericServlet.java:242)
      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
      at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
      at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
      at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
      at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      at org.jboss.threads.JBossThread.run(JBossThread.java:122)
      Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
      at java.security.Provider$Service.newInstance(Provider.java:1617)
      at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
      at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
      at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
      at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
      at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:87)
      at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:66)
      at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:73)
      at org.xnio.Xnio.getSslProvider(Xnio.java:209)
      at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207)
      at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
      ... 23 more
      Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips
      at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
      at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
      at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
      at java.security.Provider$Service.newInstance(Provider.java:1595)
      ... 33 more

      [reply] [−] Private Comment 1 dhorton@redhat.com 2016-05-12 13:36:52 EDT
      Workaround:

      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"

      This will expose the keystore password in the process listing. Use the vault system to hide the keystore password.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10873 Elytron, JMX client fails to work when the JVM is running in FIPS mode

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              jondruse@redhat.com Jiri Ondrusek
              rhn-support-dehort Derek Horton
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: