
Quarkus cannot use SASL OAUTHBEARER security mechanism in FIPS-enabled environment in native mode


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • 3.20.NEXT
    • 3.15-Interstellar.GA, 3.20-Jumanji.GA, 3.15.1.CR2, 3.20.0.CR1, 3.20.2.GA, 3.20.1.GA
    • team/eng

      Customers cannot use SSL for communication between a Quarkus application and Kafka in a FIPS-enabled environment, as the security provider SASL OAUTHBEARER Client Provider cannot be loaded at runtime (and neither can SCRAM, please see QUARKUS-5232). Red Hat Streams for Kafka documents these security mechanisms for FIPS at https://docs.redhat.com/en/documentation/red_hat_streams_for_apache_kafka/2.7/html/using_streams_for_apache_kafka_on_rhel_in_kraft_mode/assembly-securing-kafka-str#assembly-oauth-authentication_str and I think it would be positive if users could use Quarkus in native. However, currently FIPS in native is not supported by RHBQ.

      The exception is raised during application startup:

      15:05:45,904 INFO  [app] 15:05:43,123 Uncaught exception in thread 'kafka-producer-network-thread | kafka-producer-login-http-response-values':: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: SASL/OAUTHBEARER Client Provider.
      15:05:45,904 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:121)
      15:05:45,904 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:645)
      15:05:45,904 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:225)
      15:05:45,904 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.reinitialize(SecuritySubstitutions.java:714)
      15:05:45,904 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.getProvider(SecuritySubstitutions.java:665)
      15:05:45,904 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:165)
      15:05:45,905 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList.getProvider(ProviderList.java:271)
      15:05:45,905 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList$3.get(ProviderList.java:159)
      15:05:45,905 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList$3.get(ProviderList.java:153)
      15:05:45,905 INFO  [app]     at java.base@21.0.5/java.util.AbstractList$Itr.next(AbstractList.java:373)
      15:05:45,905 INFO  [app]     at java.base@21.0.5/java.util.AbstractCollection.toArray(AbstractCollection.java:204)
      15:05:45,905 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList.toArray(ProviderList.java:353)
      15:05:45,905 INFO  [app]     at java.base@21.0.5/java.security.Security.getProviders(Security.java:506)
      15:05:45,906 INFO  [app]     at java.base@21.0.5/java.security.Security.getProviders(Security.java:665)
      15:05:45,906 INFO  [app]     at java.base@21.0.5/java.security.Security.getProviders(Security.java:607)
      15:05:45,906 INFO  [app]     at java.security.sasl@21.0.5/javax.security.sasl.Sasl.createSaslClient(Sasl.java:423)
      15:05:45,906 INFO  [app]     at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslClient$0(SaslClientAuthenticator.java:220)
      15:05:45,907 INFO  [app]     at java.base@21.0.5/java.security.AccessController.executePrivileged(AccessController.java:117)
      15:05:45,907 INFO  [app]     at java.base@21.0.5/java.security.AccessController.doPrivileged(AccessController.java:714)
      15:05:45,907 INFO  [app]     at java.base@21.0.5/javax.security.auth.Subject.doAs(Subject.java:525)
      15:05:45,907 INFO  [app]     at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:216)
      15:05:45,907 INFO  [app]     at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.<init>(SaslClientAuthenticator.java:207)
      15:05:45,908 INFO  [app]     at org.apache.kafka.common.network.SaslChannelBuilder.buildClientAuthenticator(SaslChannelBuilder.java:285)
      15:05:45,908 INFO  [app]     at org.apache.kafka.common.network.SaslChannelBuilder.lambda$buildChannel$1(SaslChannelBuilder.java:228)
      15:05:45,908 INFO  [app]     at org.apache.kafka.common.network.KafkaChannel.<init>(KafkaChannel.java:143)
      15:05:45,908 INFO  [app]     at org.apache.kafka.common.network.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:237)
      15:05:45,908 INFO  [app]     at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:338)
      15:05:45,908 INFO  [app]     at org.apache.kafka.common.network.Selector.registerChannel(Selector.java:329)
      15:05:45,909 INFO  [app]     at org.apache.kafka.common.network.Selector.connect(Selector.java:256)
      15:05:45,909 INFO  [app]     at org.apache.kafka.clients.NetworkClient.initiateConnect(NetworkClient.java:1052)
      15:05:45,909 INFO  [app]     at org.apache.kafka.clients.NetworkClient.access$700(NetworkClient.java:76)
      15:05:45,909 INFO  [app]     at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1230)
      15:05:45,909 INFO  [app]     at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1130)
      15:05:45,909 INFO  [app]     at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:582)
      15:05:45,909 INFO  [app]     at org.apache.kafka.clients.producer.internals.Sender.runOnce(Sender.java:351)
      15:05:45,910 INFO  [app]     at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:253)
      15:05:45,910 INFO  [app]     at java.base@21.0.5/java.lang.Thread.runWith(Thread.java:1596)
      15:05:45,910 INFO  [app]     at java.base@21.0.5/java.lang.Thread.run(Thread.java:1583)
      15:05:45,910 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:896)
      15:05:45,910 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:872)
      15:05:45,911 INFO  [app] 15:05:43,135 SRMSG18258: Kafka producer kafka-producer-slow-topic, connected to Kafka brokers 'localhost:32775', is configured to write records to 'slow'
      15:05:45,911 INFO  [app] 15:05:43,136 Uncaught exception in thread 'kafka-producer-network-thread | kafka-producer-slow-topic':: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: SASL/OAUTHBEARER Client Provider.
      15:05:45,911 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:121)
      15:05:45,911 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:645)
      15:05:45,911 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:225)
      15:05:45,911 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList.getProvider(ProviderList.java:271)
      15:05:45,911 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList$3.get(ProviderList.java:159)
      15:05:45,912 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList$3.get(ProviderList.java:153)
      15:05:45,912 INFO  [app]     at java.base@21.0.5/java.util.AbstractList$Itr.next(AbstractList.java:373)
      15:05:45,912 INFO  [app]     at java.base@21.0.5/java.util.AbstractCollection.toArray(AbstractCollection.java:204)
      15:05:45,912 INFO  [app]     at java.base@21.0.5/sun.security.jca.ProviderList.toArray(ProviderList.java:353)
      15:05:45,913 INFO  [app]     at java.base@21.0.5/java.security.Security.getProviders(Security.java:506)
      15:05:45,913 INFO  [app]     at java.base@21.0.5/java.security.Security.getProviders(Security.java:665)
      15:05:45,913 INFO  [app]     at java.base@21.0.5/java.security.Security.getProviders(Security.java:607)
      15:05:45,913 INFO  [app]     at java.security.sasl@21.0.5/javax.security.sasl.Sasl.createSaslClient(Sasl.java:423)
      15:05:45,913 INFO  [app]     at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.lambda$createSaslClient$0(SaslClientAuthenticator.java:220)
      15:05:45,913 INFO  [app]     at java.base@21.0.5/java.security.AccessController.executePrivileged(AccessController.java:117)
      15:05:45,913 INFO  [app]     at java.base@21.0.5/java.security.AccessController.doPrivileged(AccessController.java:714)
      15:05:45,914 INFO  [app]     at java.base@21.0.5/javax.security.auth.Subject.doAs(Subject.java:525)
      15:05:45,914 INFO  [app]     at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:216)
      15:05:45,914 INFO  [app]     at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.<init>(SaslClientAuthenticator.java:207)
      15:05:45,914 INFO  [app]     at org.apache.kafka.common.network.SaslChannelBuilder.buildClientAuthenticator(SaslChannelBuilder.java:285)
      15:05:45,914 INFO  [app]     at org.apache.kafka.common.network.SaslChannelBuilder.lambda$buildChannel$1(SaslChannelBuilder.java:228)
      15:05:45,914 INFO  [app]     at org.apache.kafka.common.network.KafkaChannel.<init>(KafkaChannel.java:143)
      15:05:45,914 INFO  [app]     at org.apache.kafka.common.network.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:237)
      15:05:45,914 INFO  [app]     at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:338)
      15:05:45,915 INFO  [app]     at org.apache.kafka.common.network.Selector.registerChannel(Selector.java:329)
      15:05:45,915 INFO  [app]     at org.apache.kafka.common.network.Selector.connect(Selector.java:256)
      15:05:45,915 INFO  [app]     at org.apache.kafka.clients.NetworkClient.initiateConnect(NetworkClient.java:1052)
      15:05:45,915 INFO  [app]     at org.apache.kafka.clients.NetworkClient.access$700(NetworkClient.java:76)
      15:05:45,915 INFO  [app]     at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1230)
      15:05:45,916 INFO  [app]     at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1130)
      15:05:45,916 INFO  [app]     at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:582)
      15:05:45,916 INFO  [app]     at org.apache.kafka.clients.producer.internals.Sender.runOnce(Sender.java:351)
      15:05:45,916 INFO  [app]     at org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:253)
      15:05:45,916 INFO  [app]     at java.base@21.0.5/java.lang.Thread.runWith(Thread.java:1596)
      15:05:45,916 INFO  [app]     at java.base@21.0.5/java.lang.Thread.run(Thread.java:1583)
      15:05:45,916 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:896)
      15:05:45,916 INFO  [app]     at org.graalvm.nativeimage.builder/com.oracle.svm.core.thread.PlatformThreads.threadStartRoutine(PlatformThreads.java:872)

      And Elytron seems to be affected as well:

      12:27:37,635 INFO  [app] Caused by: com.oracle.svm.core.jdk.UnsupportedFeatureError: Cannot load new security provider at runtime: SASL/OAUTHBEARER Client Provider.
      12:27:37,635 INFO  [app] 	at org.graalvm.nativeimage.builder/com.oracle.svm.core.util.VMError.unsupportedFeature(VMError.java:121)
      12:27:37,635 INFO  [app] 	at java.base@21.0.5/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:645)
      12:27:37,635 INFO  [app] 	at java.base@21.0.5/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:225)
      12:27:37,635 INFO  [app] 	at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.reinitialize(SecuritySubstitutions.java:714)
      12:27:37,635 INFO  [app] 	at org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.SunPKCS11ProviderAccessors.getProvider(SecuritySubstitutions.java:665)
      12:27:37,636 INFO  [app] 	at java.base@21.0.5/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:165)
      12:27:37,636 INFO  [app] 	at java.base@21.0.5/sun.security.jca.ProviderList.getProvider(ProviderList.java:271)
      12:27:37,636 INFO  [app] 	at java.base@21.0.5/sun.security.jca.ProviderList.getIndex(ProviderList.java:301)
      12:27:37,636 INFO  [app] 	at java.base@21.0.5/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:285)
      12:27:37,636 INFO  [app] 	at java.base@21.0.5/sun.security.jca.ProviderList.getProvider(ProviderList.java:291)
      12:27:37,636 INFO  [app] 	at java.base@21.0.5/java.security.Security.getProvider(Security.java:522)
      12:27:37,637 INFO  [app] 	at io.quarkus.elytron.security.common.runtime.ElytronCommonRecorder.registerPasswordProvider(ElytronCommonRecorder.java:20)
      12:27:37,637 INFO  [app] 	at io.quarkus.deployment.steps.QuarkusSecurityCommonProcessor$registerPasswordProviderForNative1078184333.deploy_0(Unknown Source)
      12:27:37,637 INFO  [app] 	at io.quarkus.deployment.steps.QuarkusSecurityCommonProcessor$registerPasswordProviderForNative1078184333.deploy(Unknown Source)
      12:27:37,637 INFO  [app] 	... 7 more 

              sgehwolf@redhat.com Severin Gehwolf
              rh-ee-mvavrik Michal Vavrik
              Michal Vavrik Michal Vavrik