Uploaded image for project: 'Quarkus'
  1. Quarkus
  2. QUARKUS-2984

Failure in native using jdbc-mssql and reactive-mssql-client on RHEL8 + FIPS

XMLWordPrintable

    • False
    • None
    • False
    • Hide

      Only on FIPS enabled machine.

      git@github.com:quarkus-qe/quarkus-test-suite.git
cd ./quarkus-test-suite
git checkout 2.7

mvn clean verify -f sql-db/sql-app -Dnative -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=registry.access.redhat.com/quarkus/mandrel-21-rhel8:21.3 -DexcludedGroups=fips-incompatible -Dit.test=MssqlDatabaseIT -Dquarkus.platform.version=2.7.0.Final

mvn clean verify -f sql-db/sql-app -Dnative -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=registry.access.redhat.com/quarkus/mandrel-21-rhel8:21.3 -DexcludedGroups=fips-incompatible -Dmaven.repo.local=$RHBQ_REPO -Dquarkus.platform.group-id=com.redhat.quarkus.platform -Dquarkus.platform.artifact-id=quarkus-bom -Dquarkus.platform.version=2.7.7.Final-redhat-00004 -Dquarkus-plugin.version=2.7.7.Final-redhat-00004 -Dit.test=MssqlDatabaseIT

      Or alternatively e.g.

      ... -f sql-db/hibernate-reactive -Dit.test=MsSQLDatabaseHibernateReactiveIT

      for reactive-mssql-client.

      Show
      Only on FIPS enabled machine. git@github.com:quarkus-qe/quarkus-test-suite.git cd ./quarkus-test-suite git checkout 2.7 mvn clean verify -f sql-db/sql-app -Dnative -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=registry.access.redhat.com/quarkus/mandrel-21-rhel8:21.3 -DexcludedGroups=fips-incompatible -Dit.test=MssqlDatabaseIT -Dquarkus.platform.version=2.7.0.Final mvn clean verify -f sql-db/sql-app -Dnative -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=registry.access.redhat.com/quarkus/mandrel-21-rhel8:21.3 -DexcludedGroups=fips-incompatible -Dmaven.repo. local =$RHBQ_REPO -Dquarkus.platform.group-id=com.redhat.quarkus.platform -Dquarkus.platform.artifact-id=quarkus-bom -Dquarkus.platform.version=2.7.7.Final-redhat-00004 -Dquarkus-plugin.version=2.7.7.Final-redhat-00004 -Dit.test=MssqlDatabaseIT Or alternatively e.g. ... -f sql-db/hibernate-reactive -Dit.test=MsSQLDatabaseHibernateReactiveIT for reactive-mssql-client .
    • ---

      Native application running on FIPS-enabled machine fails on JDBC connection / SQL statement execution when using jdbc-mssql / reactive-mssql-client.

      10:08:02,482 INFO  [app] 10:07:59,538 HHH000342: Could not obtain connection to query metadata: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "FIPS mode: only SunJSSE TrustManagers may be used". ClientConnectionId:45830b39-c772-486f-a430-f2f45eddb535
10:08:02,483 INFO  [app] 	at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2892)
10:08:02,484 INFO  [app] 	at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1881)
10:08:02,484 INFO  [app] 	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2452)
10:08:02,485 INFO  [app] 	at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2103)
10:08:02,486 INFO  [app] 	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1950)
10:08:02,486 INFO  [app] 	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1162)
10:08:02,487 INFO  [app] 	at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:735)
10:08:02,487 INFO  [app] 	at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:210)
10:08:02,488 INFO  [app] 	at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:513)
10:08:02,488 INFO  [app] 	at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:494)
10:08:02,489 INFO  [app] 	at java.util.concurrent.FutureTask.run(FutureTask.java:264)
10:08:02,489 INFO  [app] 	at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:75)
10:08:02,490 INFO  [app] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1126)
10:08:02,490 INFO  [app] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
10:08:02,490 INFO  [app] 	at java.lang.Thread.run(Thread.java:829)
10:08:02,491 INFO  [app] 	at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:600)
10:08:02,491 INFO  [app] 	at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:192)
10:08:02,492 INFO  [app] Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
10:08:02,492 INFO  [app] 	at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:133)
10:08:02,493 INFO  [app] 	at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:95)
10:08:02,493 INFO  [app] 	at javax.net.ssl.SSLContext.init(SSLContext.java:297)
10:08:02,494 INFO  [app] 	at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1780)
10:08:02,494 INFO  [app] 	... 15 more

      The application needs to be build using product builder image (community one does not support FIPS). Reproduced with:

      • registry.access.redhat.com/quarkus/mandrel-21-rhel8:21.3
      • registry.access.redhat.com/quarkus/mandrel-21-rhel8:21.3-40

      Fails on:

      • RHBQ 2.7.7.CR2
      • 2.7.0.Final+

              paul.robinson@redhat.com Paul Robinson
              rhn-support-jsmrcka Josef Smrcka (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: