Reproducer:
1. Set java into FIPS mode according to https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/single/how-to-configure-server-security/#configure-ssl-fips-rhel6
2. Unzip EAP. Run ./standalone.sh with java in FIPS mode
10:51:45,014 ERROR [org.xnio.listener] (default I/O-6) XNIO001007: A channel event listener threw an exception: java.lang.RuntimeException: WFLYDM0114: Failed to lazily initialize SSL context
    at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.doInit(SSLContextService.java:231)
    at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.engineCreateSSLEngine(SSLContextService.java:257)
    at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:361)
    at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:139)
    at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:56)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:289)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
Caused by: java.lang.RuntimeException: WFLYDM0112: Failed to generate self signed certificate
    at org.jboss.as.domain.management.security.FileKeyManagerService.generateFileKeyStore(FileKeyManagerService.java:218)
    at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:184)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:125)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.getKeyManagers(AbstractKeyManagerService.java:104)
    at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.doInit(SSLContextService.java:228)
    ... 12 more
Caused by: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
    at sun.security.provider.KeyProtector.protect(KeyProtector.java:174)
    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:267)
    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
    at org.jboss.as.domain.management.security.FileKeyManagerService.generateFileKeyStore(FileKeyManagerService.java:211)
    ... 16 more
It is not surprising. It is because in EAP 7.1 a default https listener was introduced based on a JKS keystore. Even if we get over keystore generation, we would hit https://issues.jboss.org/browse/JBEAP-3789.
According to the developers it is a feature, not a bug [1]. Probably nothing can be done here from the developers' perspective and I am raising this issue mainly for tracking purposes and as a base for a documentation JIRA.
[1] http://lists.jboss.org/pipermail/wildfly-dev/2016-June/005086.html
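The innermost exception in the trace can be reproduced without an NSS database. The following is an added example, not code from this issue or from EAP/WildFly: it simulates a FIPS/PKCS#11 private key with a wrapper whose getFormat() and getEncoded() return null (which is what a sensitive, non-extractable token key reports), then tries to put it into an in-memory JKS keystore next to an ordinary software key. The placeholder certificate class and the class and method names are assumptions made for the demo; JKS only needs a non-empty chain to accept the entry.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;

/**
 * Added example (not from the JBEAP issue or from EAP/WildFly).
 * Shows why a JKS keystore cannot hold a key that lives inside a FIPS/PKCS#11
 * token: sun.security.provider.KeyProtector.protect() requires a key whose
 * getFormat() is "PKCS#8" and whose getEncoded() returns the key bytes. A
 * PKCS#11 private key marked sensitive/non-extractable returns null for both,
 * so the JKS provider rejects it before any certificate is looked at.
 */
public class JksOpaqueKeyDemo {

    /** Simulates a PKCS#11 private key: the handle exists, the bytes do not leave the token. */
    static final class OpaquePrivateKey implements PrivateKey {
        private static final long serialVersionUID = 1L;
        private final PrivateKey real;
        OpaquePrivateKey(PrivateKey real) { this.real = real; }
        @Override public String getAlgorithm() { return real.getAlgorithm(); }
        @Override public String getFormat()    { return null; } // no PKCS#8 export available
        @Override public byte[] getEncoded()   { return null; } // key material is not extractable
    }

    /** Stand-in for the self-signed certificate EAP would generate (assumption for the demo). */
    static final class PlaceholderCertificate extends Certificate {
        private static final long serialVersionUID = 1L;
        private final PublicKey publicKey;
        PlaceholderCertificate(PublicKey publicKey) { super("Placeholder"); this.publicKey = publicKey; }
        @Override public byte[] getEncoded()          { return publicKey.getEncoded(); }
        @Override public void verify(PublicKey k)     { /* not a real certificate; nothing to verify */ }
        @Override public void verify(PublicKey k, String p) { /* not a real certificate */ }
        @Override public String toString()            { return "placeholder certificate"; }
        @Override public PublicKey getPublicKey()     { return publicKey; }
    }

    /** Pre-flight check a practitioner can run before pointing a JKS-based config at a key. */
    static boolean isJksStorable(Key key) {
        return "PKCS#8".equalsIgnoreCase(key.getFormat()) && key.getEncoded() != null;
    }

    /** Attempts KeyStore.setKeyEntry on an empty in-memory JKS, the same call EAP makes in generateFileKeyStore. */
    static String tryStoreInJks(PrivateKey key, Certificate[] chain) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);   // initialise an empty keystore in memory
        try {
            ks.setKeyEntry("server", key, "password".toCharArray(), chain);
            return "stored";
        } catch (KeyStoreException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Certificate[] chain = { new PlaceholderCertificate(kp.getPublic()) };

        PrivateKey softwareKey = kp.getPrivate();            // ordinary software key, PKCS#8 export works
        PrivateKey tokenKey = new OpaquePrivateKey(softwareKey); // simulated FIPS token key

        System.out.println("software key: storable=" + isJksStorable(softwareKey)
                + " -> " + tryStoreInJks(softwareKey, chain));
        System.out.println("token key:    storable=" + isJksStorable(tokenKey)
                + " -> " + tryStoreInJks(tokenKey, chain));
    }
}
```

The software key is accepted; the simulated token key is refused with the same KeyStoreException message that appears in the trace above, because KeyProtector.protect() checks the key format before anything else. The isJksStorable() check is the practical takeaway: a key served by the SunPKCS11-NSS provider in FIPS mode fails it, so any configuration that writes such a key into a JKS file (including lazy self-signed certificate generation) cannot work and a PKCS11-type keystore or a pre-provisioned key must be used instead.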
- is blocked by
  - JBEAP-7245 [7.1] Migration guide: Add FIPS mode notes (Closed)
  - JBEAP-8215 [7.1] Security Configuration Guide: Add FIPS mode notes (Closed)
- relates to
  - JBEAP-4120 FIPS mode issues (Resolved)