Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2295

org.jboss.as.domain-management does not permit non-JKS file keystore

XMLWordPrintable

    • Hide

      Attempt to follow section 2.2 of "How to Configure Server Security" for EAP 6 which is referenced from the DISA STIG. It is not possible to do this with a FIPS 140-2 certified JCE provider on any operating system other than RHEL.

      Show
      Attempt to follow section 2.2 of "How to Configure Server Security" for EAP 6 which is referenced from the DISA STIG. It is not possible to do this with a FIPS 140-2 certified JCE provider on any operating system other than RHEL.
    • Hide

      Customers can secure the management interface with a FIPS 140-2 certified provider only on RHEL.

      Show
      Customers can secure the management interface with a FIPS 140-2 certified provider only on RHEL.

      org.jboss.as.domain-management subsystem only enables users to specify either a `provider` attribute or a `keystore-path` attribute but not both. Users wishing to use a FIPS 140-2 certified provider are limited to the SunPKCS11 provider on RHEL. Non-JKS JCE providers that require an alternative provider with a keystore-path cannot be configured to secure the management interface.

      With the recent FIPS 140-2 certification of pure java open source cryptographic modules, government customers seek to secure EAP on multiple operating systems using FIPS certified JCE providers. These same customers must use common criteria certified software and follow DISA security technical implementation guidelines (http://iase.disa.mil/stigs/app-security/app-servers/Pages/jboss.aspx). Currently, EAP 6 is the only option to meet both of those conditions.

      The attached files incorporate changes to the org.jboss.as.domain.management.security package to enable the use of file-based keystores that rely on alternative JCE providers and that do not use JKS formatted keystores.

      This configuration with the bouncy castle pure java FIPS 140-2 certified provider and the attached software changes enable securing the management interface:

                  ...
                  <security-realm name="ManagementRealmHTTPS">
                      <server-identities>
                          <ssl protocol="TLS">
                              <engine enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1 TLSv1.1 TLSv1.2"/>
                              <keystore provider="BCFKS" path="vault/vault.bcfks" relative-to="jboss.home.dir" keystore-password="admin1jboss_" alias="jbossweb" key-password="admin1jboss_"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <properties path="https-mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
                  ...
      

            bstansbe@redhat.com Brian Stansberry
            rlucente-se-jboss Richard Lucente
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: