-
Bug
-
Resolution: Obsolete
-
Major
-
None
-
7.0.0.GA
-
None
The remotingjmx client fails to work when the JVM is running in FIPS mode. There doesn't appear to be a way to configure the keystore and truststore. As a result, javax.net.ssl.SSLContext.getDefault() gets called which fails with the following stacktrace:
java.io.IOException: Failed to configure SSL
at org.jboss.remoting3.remote.RemoteConnectionProvider.sslConfigFailure(RemoteConnectionProvider.java:321)
at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:209)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
at javax.servlet.GenericServlet.init(GenericServlet.java:242)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:122)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:286)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
at javax.servlet.GenericServlet.init(GenericServlet.java:242)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:122)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1617)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:87)
at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:66)
at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:73)
at org.xnio.Xnio.getSslProvider(Xnio.java:209)
at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
... 23 more
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at java.security.Provider$Service.newInstance(Provider.java:1595)
... 33 more
[reply] [−] Private Comment 1 dhorton@redhat.com 2016-05-12 13:36:52 EDT
Workaround:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
This will expose the keystore password in the process listing. Use the vault system to hide the keystore password.
- is cloned by
-
-
- Closed
-