Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-6106

FIPS mode: Fresh EAP doesn't start with java in FIPS mode

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Trivial
    • Resolution: Won't Fix
    • Affects Version/s: 7.1.0.DR5
    • Fix Version/s: None
    • Component/s: Security
    • Labels:

      Description

      Reproducer:
      1. Set java into FIPS mode according to https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/single/how-to-configure-server-security/#configure-ssl-fips-rhel6
      2. Unzip EAP. Run ./standalone.sh with java in FIPS mode

      10:51:45,014 ERROR [org.xnio.listener] (default I/O-6) XNIO001007: A channel event listener threw an exception: java.lang.RuntimeException: WFLYDM0114: Failed to lazily initialize SSL context
      	at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.doInit(SSLContextService.java:231)
      	at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.engineCreateSSLEngine(SSLContextService.java:257)
      	at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:361)
      	at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:139)
      	at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:56)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:289)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
      	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
      Caused by: java.lang.RuntimeException: WFLYDM0112: Failed to generate self signed certificate
      	at org.jboss.as.domain.management.security.FileKeyManagerService.generateFileKeyStore(FileKeyManagerService.java:218)
      	at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:184)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:125)
      	at org.jboss.as.domain.management.security.AbstractKeyManagerService.getKeyManagers(AbstractKeyManagerService.java:104)
      	at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.doInit(SSLContextService.java:228)
      	... 12 more
      Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
      	at sun.security.provider.KeyProtector.protect(KeyProtector.java:174)
      	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267)
      	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
      	at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
      	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
      	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
      	at org.jboss.as.domain.management.security.FileKeyManagerService.generateFileKeyStore(FileKeyManagerService.java:211)
      	... 16 more
      

      It is not suprising. It is because in EAP 7.1 default https listener was introduced based on JKS keystore. Even if we get over keystore generation, we would hit https://issues.jboss.org/browse/JBEAP-3789.
      According to developers it is feature, not a bug [1]. Probably nothing can be done here from developers perspective and I am raising thiss issue mainly for tracking purpose and as base for documentation JIRA.

      [1] http://lists.jboss.org/pipermail/wildfly-dev/2016-June/005086.html

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              mchoma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: