Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-8825

org.jboss.as.domain-management does not permit non-JKS file keystore

    XMLWordPrintable

Details

    • Hide

      Customers can secure the management interface with a FIPS 140-2 certified provider only on RHEL.

      Show
      Customers can secure the management interface with a FIPS 140-2 certified provider only on RHEL.
    • Hide
      • configured java to use BouncyCastleFipsProvider
      java.security
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
      • Generate BCFKS keystore
      keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "keystore.bcfks" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.0.jar -storetype BCFKS -storepass password -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v
      • Configure https for undertwo in legacy way 
                    <security-realm name="ManagementRealmHTTPS">
                <server-identities>
                    <ssl protocol="TLS">
                        <engine enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1 TLSv1.1 TLSv1.2"/>
                        <keystore provider="BCFKS" path="keystore.bcfks" relative-to="jboss.server.config.dir" keystore-password="password" alias="appserver" key-password="password"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <properties path="https-mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>

      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm, value=ManagementRealmHTTPS)
      Show
      configured java to use BouncyCastleFipsProvider java.security security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=sun.security.provider.Sun security.provider.3=sun.security.rsa.SunRsaSign security.provider.4=sun.security.ec.SunEC security.provider.5=com.sun.net.ssl.internal.ssl.Provider BCFIPS security.provider.6=com.sun.crypto.provider.SunJCE security.provider.7=sun.security.jgss.SunProvider security.provider.8=com.sun.security.sasl.Provider security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI security.provider.10=sun.security.smartcardio.SunPCSC Generate BCFKS keystore keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore "keystore.bcfks" -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.0.jar -storetype BCFKS -storepass password -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v Configure https for undertwo in legacy way <security-realm name= "ManagementRealmHTTPS" > <server-identities> <ssl protocol= "TLS" > <engine enabled-cipher-suites= "SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA" enabled-protocols= "TLSv1 TLSv1.1 TLSv1.2" /> <keystore provider= "BCFKS" path= "keystore.bcfks" relative-to= "jboss.server.config.dir" keystore-password= "password" alias= "appserver" key-password= "password" /> </ssl> </server-identities> <authentication> <properties path= "https-mgmt-users.properties" relative-to= "jboss.server.config.dir" /> </authentication> </security-realm> /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=security-realm, value=ManagementRealmHTTPS) Access https://localhost:8443

    Description

      org.jboss.as.domain-management subsystem only enables users to specify either a `provider` attribute or a `keystore-path` attribute but not both. Users wishing to use a FIPS 140-2 certified provider are limited to the SunPKCS11 provider on RHEL. Non-JKS JCE providers that require an alternative provider with a keystore-path cannot be configured to secure the management interface.

      With the recent FIPS 140-2 certification of pure java open source cryptographic modules, government customers seek to secure EAP on multiple operating systems using FIPS certified JCE providers. These same customers must use common criteria certified software and follow DISA security technical implementation guidelines (http://iase.disa.mil/stigs/app-security/app-servers/Pages/jboss.aspx). Currently, EAP 6 is the only option to meet both of those conditions.

      The attached files incorporate changes to the org.jboss.as.domain.management.security package to enable the use of file-based keystores that rely on alternative JCE providers and that do not use JKS formatted keystores.

      This configuration with the bouncy castle pure java FIPS 140-2 certified provider and the attached software changes enable securing the management interface:

                  ...
            <security-realm name="ManagementRealmHTTPS">
                <server-identities>
                    <ssl protocol="TLS">
                        <engine enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1 TLSv1.1 TLSv1.2"/>
                        <keystore provider="BCFKS" path="vault/vault.bcfks" relative-to="jboss.home.dir" keystore-password="admin1jboss_" alias="jbossweb" key-password="admin1jboss_"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <properties path="https-mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
            ...

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2295 org.jboss.as.domain-management does not permit non-JKS file keystore

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              rlucente-se-jboss Richard Lucente
              Martin Choma Martin Choma
              Martin Choma Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: