Bug
Resolution: Unresolved
Major
3.15-Interstellar.GA, 3.20-Jumanji.GA, 3.15.1.CR2
Customers cannot use SASL SSL for communication between a Quarkus application and Kafka in a FIPS-enabled environment, as the security provider SASL/SCRAM Client Provider cannot be loaded at runtime. Red Hat Streams for Kafka documents this security mechanism for FIPS (https://docs.redhat.com/en/documentation/red_hat_streams_for_apache_kafka/2.7/html/using_streams_for_apache_kafka_on_rhel_in_kraft_mode/assembly-securing-kafka-str#proc-kafka-enable-scram-authentication-str), and I think it would be positive if users could use Quarkus in native. However, FIPS in native is currently not supported by RHBQ.
The application fails to start with the following exception:
15:37:20,459 INFO [app] Exception in thread "Thread-5" com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: SASL/SCRAM Client Provider.
15:37:20,459 INFO [app] at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:121)
15:37:20,459 INFO [app] at java.base@21.0.5/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:645)
15:37:20,459 INFO [app] at java.base@21.0.5/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:225)
15:37:20,459 INFO [app] at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.reinitialize(SecuritySubstitutions.java:714)
15:37:20,459 INFO [app] at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.getProvider(SecuritySubstitutions.java:665)
15:37:20,459 INFO [app] at java.base@21.0.5/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:165)
15:37:20,459 INFO [app] at java.base@21.0.5/sun.security.jca.ProviderList.getProvider(ProviderList.java:271)
15:37:20,459 INFO [app] at java.base@21.0.5/sun.security.jca.ProviderList$3.get(ProviderList.java:159)
15:37:20,459 INFO [app] at java.base@21.0.5/sun.security.jca.ProviderList$3.get(ProviderList.java:153)
15:37:20,459 INFO [app] at java.base@21.0.5/java.util.AbstractList$Itr.next(AbstractList.java:373)
15:37:20,459 INFO [app] at java.base@21.0.5/java.util.AbstractCollection.toArray(AbstractCollection.java:204)
15:37:20,460 INFO [app] at java.base@21.0.5/sun.security.jca.ProviderList.toArray(ProviderList.java:353)
15:37:20,460 INFO [app] at java.base@21.0.5/java.security.Security.getProviders(Security.java:506)
15:37:20,460 INFO [app] at java.base@21.0.5/java.security.Security.getProviders(Security.java:665)
15:37:20,460 INFO [app] at java.base@21.0.5/java.security.Security.getProviders(Security.java:607)
15:37:20,460 INFO [app] at java.security.sasl@21.0.5/javax.security.sasl.Sasl.createSaslClient(Sasl.java:423)
15:37:20,460 INFO [app] at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslClient$0(SaslClientAuthenticator.java:220)
15:37:20,460 INFO [app] at java.base@21.0.5/java.security.AccessController.executePrivileged(AccessController.java:117)
15:37:20,460 INFO [app] at java.base@21.0.5/java.security.AccessController.doPrivileged(AccessController.java:714)
15:37:20,460 INFO [app] at java.base@21.0.5/javax.security.auth.Subject.doAs(Subject.java:525)
15:37:20,460 INFO [app] at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:216)
15:37:20,460 INFO [app] at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.<init>(SaslClientAuthenticator.java:207)
15:37:20,460 INFO [app] at org.apache.kafka.common.network.SaslChannelBuilder.buildClientAuthenticator(SaslChannelBuilder.java:285)
15:37:20,460 INFO [app] at org.apache.kafka.common.network.SaslChannelBuilder.lambda$buildChannel$1(SaslChannelBuilder.java:228)
15:37:20,460 INFO [app] at org.apache.kafka.common.network.KafkaChannel.<init>(KafkaChannel.java:143)
15:37:20,460 INFO [app] at org.apache.kafka.common.network.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:237)
15:37:20,460 INFO [app] at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:338)
15:37:20,461 INFO [app] at org.apache.kafka.common.network.Selector.registerChannel(Selector.java:329)
15:37:20,461 INFO [app] at org.apache.kafka.common.network.Selector.connect(Selector.java:256)
15:37:20,461 INFO [app] at org.apache.kafka.clients.NetworkClient.initiateConnect(NetworkClient.java:1052)
15:37:20,461 INFO [app] at org.apache.kafka.clients.NetworkClient.ready(NetworkClient.java:310)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.trySend(ConsumerNetworkClient.java:514)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:271)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:231)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:289)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:263)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnreadySync(ConsumerCoordinator.java:446)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:478)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.updateAssignmentMetadataIfNeeded(LegacyKafkaConsumer.java:651)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:610)
15:37:20,461 INFO [app] at org.apache.kafka.clients.consumer.internals.LegacyKafkaConsumer.poll(LegacyKafkaConsumer.java:590)
15:37:20,462 INFO [app] at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:874)
15:37:20,462 INFO [app] at org.apache.kafka.clients.consumer.SaslSslKafkaProvider_ProducerMethod_getSaslSslConsumer_FWApNqIAQ5yu7DbDZVGwednzTLE_ClientProxy.poll(Unknown Source)
15:37:20,462 INFO [app] at io.quarkus.qe.messaging.ssl.quickstart.KafkaEndpoint.lambda$initialize$1(KafkaEndpoint.java:29)
15:37:20,462 INFO [app] at java.base@21.0.5/java.lang.Thread.runWith(Thread.java:1596)
15:37:20,462 INFO [app] at java.base@21.0.5/java.lang.Thread.run(Thread.java:1583)
15:37:20,462 INFO [app] at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:896)
15:37:20,462 INFO [app] at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:872)