Loading...

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 3.0.0.Beta5
Affects Version/s: None
Component/s: Security
Labels:
None

Steps to Reproduce:
Hide

Configure the JVM in FIPS mode

Configure default client ssl context

/subsystem=elytron/key-store=key-store:add(name=key-store, type=PKCS11, credential-reference={clear-text => pass123+}) /subsystem=elytron/trust-managers=trust-manager:add(name=trust-manager, key-store=key-store) /subsystem=elytron/client-ssl-context=client-ssl-context:add(cipher-suite-filter=TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA, trust-managers=trust-manager, protocols=[TLSv1.1]) /subsystem=elytron/authentication-context=authentication-context:add(match-rules=[{ssl-context => client-ssl-context}]) /:reload

Create a remote JMX connection within a deployed application:
JmxClientServlet.java

@Override public void doGet(HttpServletRequest request, final HttpServletResponse response) throws ServletException,IOException{ try { Map<String,String> environment = new HashMap<String,String>(); environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx"); JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999"); JMXConnectorFactory.connect(url, environment); print(response, "OK"); } catch( Exception e ) { print(response, "FAIL "+e); System.out.println("*** Error:"+e.getMessage()); e.printStackTrace(); } }
Show
Configure the JVM in FIPS mode Configure default client ssl context /subsystem=elytron/key-store=key-store:add(name=key-store, type=PKCS11, credential-reference={clear-text => pass123+}) /subsystem=elytron/trust-managers=trust-manager:add(name=trust-manager, key-store=key-store) /subsystem=elytron/client-ssl-context=client-ssl-context:add(cipher-suite-filter=TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA, trust-managers=trust-manager, protocols=[TLSv1.1]) /subsystem=elytron/authentication-context=authentication-context:add(match-rules=[{ssl-context => client-ssl-context}]) /:reload Create a remote JMX connection within a deployed application: JmxClientServlet.java @Override public void doGet(HttpServletRequest request, final HttpServletResponse response) throws ServletException,IOException{ try { Map< String , String > environment = new HashMap< String , String >(); environment.put( "jmx.remote.protocol.provider.pkgs" , "org.jboss.remotingjmx" ); JMXServiceURL url = new JMXServiceURL( "service:jmx:remoting-jmx: //localhost:9999" ); JMXConnectorFactory.connect(url, environment); print(response, "OK" ); } catch ( Exception e ) { print(response, "FAIL " +e); System .out.println( "*** Error:" +e.getMessage()); e.printStackTrace(); } }
Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1335299

Description

The JMX client fails to work when the JVM is running in FIPS mode.
There should be possible to configure client ssl context with Elytron. However doing so, still javax.net.ssl.SSLContext.getDefault() is called which fails with the following stacktrace:

server.log

10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Completed open of endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 1 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote)
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote': Remoting remote connection provider 42a0d0b7 for endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 2 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+tls)
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+tls': Remoting remote connection provider 7dc22d9b for endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 3 of endpoint "endpoint" <67ce59be> (opened Connection provider for remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remoting': Remoting remote connection provider 194d9579 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 4 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+http)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+http': Remoting remote connection provider 21f0cb0a for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 5 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+https)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+https': Remoting remote connection provider 27b862 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 6 of endpoint "endpoint" <67ce59be> (opened Connection provider for http-remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'http-remoting': Remoting remote connection provider 422cda30 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 7 of endpoint "endpoint" <67ce59be> (opened Connection provider for https-remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'https-remoting': Remoting remote connection provider 55cb3d77 for endpoint "endpoint" <67ce59be>
10:55:00,764 WARN  [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
10:55:00,764 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
10:55:00,764 WARN  [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
10:55:00,765 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
10:55:00,772 INFO  [stdout] (default task-1) *** Error:JBREM000212: Failed to configure SSL context
10:55:00,773 ERROR [stderr] (default task-1) java.io.IOException: JBREM000212: Failed to configure SSL context
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:497)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:487)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:241)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:158)
10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:105)
10:55:00,773 ERROR [stderr] (default task-1) 	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
10:55:00,773 ERROR [stderr] (default task-1) 	at com.redhat.eap.qe.fips.standalone.elytron.client.jmx.JmxClientServlet.doGet(JmxClientServlet.java:33)
10:55:00,773 ERROR [stderr] (default task-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
10:55:00,773 ERROR [stderr] (default task-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
10:55:00,773 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
10:55:00,774 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.lang.Thread.run(Thread.java:745)
10:55:00,776 ERROR [stderr] (default task-1) Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
10:55:00,776 ERROR [stderr] (default task-1) 	at java.security.Provider$Service.newInstance(Provider.java:1617)
10:55:00,776 ERROR [stderr] (default task-1) 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
10:55:00,776 ERROR [stderr] (default task-1) 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
10:55:00,777 ERROR [stderr] (default task-1) 	at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:183)
10:55:00,777 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:495)
10:55:00,777 ERROR [stderr] (default task-1) 	... 46 more
10:55:00,777 ERROR [stderr] (default task-1) Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
10:55:00,777 ERROR [stderr] (default task-1) 	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
10:55:00,778 ERROR [stderr] (default task-1) 	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
10:55:00,778 ERROR [stderr] (default task-1) 	at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
10:55:00,778 ERROR [stderr] (default task-1) 	at java.security.Provider$Service.newInstance(Provider.java:1595)
10:55:00,778 ERROR [stderr] (default task-1) 	... 52 more

Attachments

Issue Links

clones

JBEAP-10873 Elytron, JMX client fails to work when the JVM is running in FIPS mode

Verified

is cloned by

REMJMX-144 Elytron, JMX client fails to work when the JVM is running in FIPS mode

Resolved

Elytron, JMX client fails to work when the JVM is running in FIPS mode

Details

Description

Attachments

Issue Links

Activity

People

Dates