-
Bug
-
Resolution: Won't Do
-
Undefined
-
None
-
rhel-8.5.0
-
None
-
Critical
-
rhel-sst-java
-
None
-
False
-
False
-
-
None
-
None
-
None
-
None
-
If docs needed, set a value
-
-
x86_64
-
None
-
57,005
Description of problem:
Adding a custom certificate (.pem) file to a keystore with FIPS enabled fails with a PKCS11Exception (CKR_SESSION_READ_ONLY).
Here is the command we used:
keytool -import -file $filename -alias ${name} -keystore /etc/pki/java/cacerts -storepass XXXXXXXXXX -noprompt -v
Here is the error we get:
keytool error: java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
java.security.KeyStoreException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1048)
at sun.security.pkcs11.P11KeyStore.engineSetCertificateEntry(P11KeyStore.java:514)
at java.security.KeyStore.setCertificateEntry(KeyStore.java:1201)
at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2885)
at sun.security.tools.keytool.Main.doCommands(Main.java:1063)
at sun.security.tools.keytool.Main.run(Main.java:377)
at sun.security.tools.keytool.Main.main(Main.java:370)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_SESSION_READ_ONLY
at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
at sun.security.pkcs11.wrapper.PKCS11$FIPSPKCS11.C_CreateObject(PKCS11.java:1946)
at sun.security.pkcs11.P11KeyStore.storeCert(P11KeyStore.java:1566)
at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1044)
Version-Release number of selected component (if applicable):
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)
- external trackers
