Bug
Resolution: Unresolved
Major
2.7.5.ER1, 2.7.5.ER2, 2.7.5.ER3
Infinispan: 12.1 / 14
Quarkus: 2.7.5.Final
Java 11 / 17
It seems that the Bouncy Castle library is not supported until Infinispan 14.0. But if I move to Infinispan 14 and configure Quarkus to use BCFIPSJSSE, then I get the following error:
13:51:46,057 INFO [app] Caused by: java.security.KeyStoreException: BCFKS not found
13:51:46,057 INFO [app] at java.base/java.security.KeyStore.getInstance(KeyStore.java:871)
13:51:46,057 INFO [app] at org.infinispan.commons.util.SslContextFactory.getTrustManagerFactory(SslContextFactory.java:172)
13:51:46,057 INFO [app] at org.infinispan.client.hotrod.impl.transport.netty.ChannelInitializer.initSsl(ChannelInitializer.java:154)
13:51:46,057 INFO [app] ... 20 more
13:51:46,057 INFO [app] Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
13:51:46,057 INFO [app] at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
13:51:46,057 INFO [app] at java.base/java.security.Security.getImpl(Security.java:701)
13:51:46,057 INFO [app] at java.base/java.security.KeyStore.getInstance(KeyStore.java:868)
My Infinispan configuration looks like the following:
# Infinispan
quarkus.infinispan-client.trust-store=src/main/resources/server.jks
quarkus.infinispan-client.trust-store-password=password
quarkus.infinispan-client.trust-store-type=BCFKS
quarkus.infinispan-client.server-list=localhost:11222
quarkus.infinispan-client.use-auth=true
In my opinion, I am missing some configuration that we already have in other modules, something like quarkus.infinispan-client.trust-store-provider=BCFIPS.
Reproducer
git clone git@github.com:quarkus-qe/quarkus-test-suite.git
git checkout feat/infisnipan_fips_reproducer
Scenario
mvn clean verify -Dall-modules -pl messaging/infinispan-grpc-kafka -Dit.test=InfinispanKafkaIT
I am not sure if BCFIPS is supported and, if it is, I am not sure how to use it. Should I add the quarkus-security extension? And if I am able to set BCFIPS as a provider, I understand that I will then not need any custom JVM security configuration, is that right? (With quarkus.http.ssl it is not needed.)
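A small diagnostic for the "BCFKS not found" failure above, added here as an example and not taken from the issue, Quarkus or Infinispan: it lists the JCA providers registered in the running JVM and checks whether any of them serves the requested KeyStore type, first without a provider (the KeyStore.getInstance call in the stack trace) and then pinned to a named provider. The class name KeyStoreTypeCheck and its two arguments (type, optional provider name) are assumptions; run it with the same JVM, classpath and java.security settings as the application.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class, not part of Quarkus or Infinispan.
public class KeyStoreTypeCheck {

    /** Names of registered JCA providers that offer a KeyStore of the given type. */
    static List<String> providersFor(String type) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", type) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** Resolve the type with no provider (as in the stack trace) or pinned to one provider. */
    static String resolve(String type, String provider) {
        try {
            KeyStore ks = (provider == null)
                    ? KeyStore.getInstance(type)
                    : KeyStore.getInstance(type, provider);
            return "OK, served by " + ks.getProvider().getName();
        } catch (KeyStoreException | NoSuchProviderException e) {
            return "FAILED: " + e;
        }
    }

    public static void main(String[] args) {
        String type = args.length > 0 ? args[0] : "BCFKS";
        String provider = args.length > 1 ? args[1] : null; // e.g. BCFIPS
        System.out.println("Registered providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        System.out.println("Providers offering KeyStore." + type + ": " + providersFor(type));
        System.out.println("getInstance(type): " + resolve(type, null));
        if (provider != null) {
            System.out.println("getInstance(type, provider): " + resolve(type, provider));
        }
    }
}
```

An empty list for the requested type means no registered provider supplies it, which is the condition the NoSuchAlgorithmException in the trace reports.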
depends on
- ISPN-13737 Ensure Infinispan installs and runs in a FIPS enabled system (Closed)
- ISPN-14103 Configure key/trust store provider in client (Closed)
is blocked by
- ISPN-14103 Configure key/trust store provider in client (Closed)
is related to
- CEQ-4690 Infinispan extension fails in Native on RHEL with FIPS - javax.security.sasl.SaslException: ELY05051: Callback handler does not support credential acquisition (Closed)