Bug
Resolution: Done
Blocker
Trying to configure the server to run in FIPS mode using subsystem capabilities.
I can't configure it through the subsystem the same way as in the java.security file:
java.security
security.provider.1=sun.security.pkcs11.SunPKCS11 /usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg
because if I try to pass a configuration file or a configuration:
/subsystem=elytron/provider-loader=fips:add(class-names=[sun.security.pkcs11.SunPKCS11], path=/usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg)
/subsystem=elytron/provider-loader=fips:add(class-names=[sun.security.pkcs11.SunPKCS11], configuration={ \
    name=nssModule, value=fips \
    name=nssSecmodDirectory, value=/usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/fipsdb \
    name=nssLibraryDirectory, value=/usr/lib64 \
    name=name, value=testPkcs \
    name=nssDbMode, value=readOnly \
})
I get this exception:
10:46:28,630 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.security.providers.fips: org.jboss.msc.service.StartException in service org.wildfly.security.providers.fips: java.security.ProviderException: SunPKCS11 requires configuration file argument
    at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:185)
    at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:143)
    at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.ProviderException: SunPKCS11 requires configuration file argument
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:98)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at java.lang.Class.newInstance(Class.java:442)
    at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:156)
    ... 7 more
10:46:28,630 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 10) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("provider-loader" => "fips")
]) - failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.security.providers.fips" => "org.jboss.msc.service.StartException in service org.wildfly.security.providers.fips: java.security.ProviderException: SunPKCS11 requires configuration file argument
    Caused by: java.security.ProviderException: SunPKCS11 requires configuration file argument"},
    "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.providers.fips"]
}
It occurs because loading of providers is implemented in the subsystem in 2 steps:
- create the provider instance (call the no-args constructor)
- optionally load the configuration
But sun.security.pkcs11.SunPKCS11 can't be created without configuration [1]
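The two-step load described above, reproduced as a small stand-alone Java program so the failure can be checked outside the server. This is an added illustration, not code from the Elytron subsystem or from this report. It assumes JDK 8, where sun.security.pkcs11.SunPKCS11 has a public no-arg constructor that throws and a SunPKCS11(String configName) constructor that accepts a pkcs11.cfg path; the class and method names in it (ProviderLoadDemo, loadNoArg, supportsNoArgConstruction, loadWithConfigFile) are the example's own, and the config path is taken from the command line.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.security.Provider;
import java.security.Security;

// Added example (not Elytron code): reproduce the two-step provider load
// described in the report and show a constructor-based alternative for
// providers such as SunPKCS11 that cannot be built without configuration.
// Assumes JDK 8; class and method names here are the example's own.
public class ProviderLoadDemo {

    // Step 1 of the subsystem's approach: instantiate via the no-arg constructor.
    // For sun.security.pkcs11.SunPKCS11 on JDK 8 the constructor itself throws
    // java.security.ProviderException: SunPKCS11 requires configuration file argument,
    // which Constructor.newInstance() wraps in an InvocationTargetException.
    static Provider loadNoArg(String className) throws Exception {
        Class<?> clazz = Class.forName(className);
        return (Provider) clazz.getConstructor().newInstance();
    }

    // Check whether a provider class can be constructed without configuration,
    // i.e. whether loading it by class name alone can ever work.
    static boolean supportsNoArgConstruction(String className) {
        try {
            loadNoArg(className);
            return true;
        } catch (InvocationTargetException e) {
            // The no-arg constructor exists but refused to run without configuration.
            return false;
        } catch (Exception e) {
            // No accessible no-arg constructor at all (or class not found).
            return false;
        }
    }

    // Alternative: hand the configuration to a constructor that accepts it.
    // JDK 8 SunPKCS11 declares SunPKCS11(String configName).
    static Provider loadWithConfigFile(String className, String configPath) throws Exception {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Provider) ctor.newInstance(configPath);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ProviderLoadDemo /path/to/pkcs11.cfg");
            System.exit(2);
        }
        String className = "sun.security.pkcs11.SunPKCS11";

        // Reproduces the failure seen in the subsystem log.
        try {
            loadNoArg(className);
            System.out.println("no-arg construction succeeded");
        } catch (InvocationTargetException e) {
            System.out.println("no-arg construction failed: " + e.getCause());
        }
        System.out.println("supports no-arg construction: " + supportsNoArgConstruction(className));

        // Construct with the configuration file and register it first, which is
        // what security.provider.1=sun.security.pkcs11.SunPKCS11 <cfg> in
        // java.security does for the whole JVM.
        Provider pkcs11 = loadWithConfigFile(className, args[0]);
        int position = Security.insertProviderAt(pkcs11, 1);
        System.out.println("registered " + pkcs11.getName() + " at position " + position);
    }
}
```

Run it with the same pkcs11.cfg that java.security points at; the first step prints the ProviderException from the report, and the second registers the provider only if the NSS configuration in the file is valid for the host. On JDK 9 and later the sun.security.pkcs11 package is not exported from jdk.crypto.cryptoki, so the reflective constructor path does not apply; there the supported pattern is Security.getProvider("SunPKCS11").configure(configPath).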
Clones: JBEAP-8820 Elytron subsystem is unable to configure SunPKCS11 provider (Closed)