Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-1437

Using JKS truststore leads to "FIPS mode: only SunJSSE TrustManagers may be used"

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 2.1.0.Final
    • 2.1.0.CR1
    • Management, Security
    • None
    • Hide

      1.
      Run SSLMasterSlaveOneWayTestCase in AS TS with system property jboss.test.host.slave.jvmhome and jboss.test.host.slave.controller.jvmhome pointing to fips java.

      [mchoma@localhost domain]$ pwd
/home/mchoma/workspace/git-repositories/wildfly-core-eap/testsuite/domain
[mchoma@localhost domain]$ mvn test -Dtest=SSLMasterSlaveOneWayTestCase -DtestLogToFile=false -Djboss.test.host.slave.jvmhome=$JAVA_HOME_FIPS -Djboss.test.host.slave.controller.jvmhome=$JAVA_HOME_FIPS

      2.
      Leads to startup error java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used.

      Show
      1. Run SSLMasterSlaveOneWayTestCase in AS TS with system property jboss.test.host.slave.jvmhome and jboss.test.host.slave.controller.jvmhome pointing to fips java. [mchoma@localhost domain]$ pwd /home/mchoma/workspace/git-repositories/wildfly-core-eap/testsuite/domain [mchoma@localhost domain]$ mvn test -Dtest=SSLMasterSlaveOneWayTestCase -DtestLogToFile= false -Djboss.test.host.slave.jvmhome=$JAVA_HOME_FIPS -Djboss.test.host.slave.controller.jvmhome=$JAVA_HOME_FIPS 2. Leads to startup error java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used.

      User can't start domain in FIPS mode when JKS truststore is used in master <-> slave host controllers communication. (Using PKCS11 keystore works well)

      [Host Controller] ^[[0m^[[31m15:52:23,822 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.server.controller.management.security_realm.SlaveManagementRealm.ssl-context-trust-only: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.SlaveManagementRealm.ssl-context-trust-only: WFLYDM0018: Unable to start service^[[0m
[Host Controller] ^[[31m        at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:124)^[[0m
[Host Controller] ^[[31m        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)^[[0m
[Host Controller] ^[[31m        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)^[[0m
[Host Controller] ^[[31m        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)^[[0m
[Host Controller] ^[[31m        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)^[[0m
[Host Controller] ^[[31m        at java.lang.Thread.run(Thread.java:745)^[[0m
[Host Controller] ^[[31mCaused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used^[[0m
[Host Controller] ^[[31m        at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:124)^[[0m
[Host Controller] ^[[31m        at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:87)^[[0m
[Host Controller] ^[[31m        at javax.net.ssl.SSLContext.init(SSLContext.java:282)^[[0m
[Host Controller] ^[[31m        at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:87)^[[0m
[Host Controller] ^[[31m        ... 5 more^[[0m
[Hos

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: