Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2383

Elytron subsystem is unable to configure SunPKCS11 provider

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.0.Beta11
    • None
    • Security
    • None

      Trying to configure server to run in FIPS mode using subsystem capabilities.

      I can't configure throught subsystem same as in java.security file:

      java.security
      security.provider.1=sun.security.pkcs11.SunPKCS11 /usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg
      

      because if I try to pass configuration file or configuration

      /subsystem=elytron/provider-loader=fips:add(class-names=[sun.security.pkcs11.SunPKCS11], path=/usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg)
      
      /subsystem=elytron/provider-loader=fips:add(class-names=[sun.security.pkcs11.SunPKCS11], configuration={ \
      	name=nssModule, value=fips \
      	name=nssSecmodDirectory, value=/usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/fipsdb \
      	name=nssLibraryDirectory, value=/usr/lib64 \
      	name=name, value=testPkcs \
      	name=nssDbMode, value=readOnly \
      }
      

      I get exception

      10:46:28,630 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.security.providers.fips: org.jboss.msc.service.StartException in service org.wildfly.security.providers.fips: java.security.ProviderException: SunPKCS11 requires configuration file argument
      	at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:185)
      	at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:143)
      	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.security.ProviderException: SunPKCS11 requires configuration file argument
      	at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:98)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      	at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
      	at java.lang.Class.newInstance(Class.java:442)
      	at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:156)
      	... 7 more
      
      10:46:28,630 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 10) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("provider-loader" => "fips")
      ]) - failure description: {
          "WFLYCTL0080: Failed services" => {"org.wildfly.security.providers.fips" => "org.jboss.msc.service.StartException in service org.wildfly.security.providers.fips: java.security.ProviderException: SunPKCS11 requires configuration file argument
          Caused by: java.security.ProviderException: SunPKCS11 requires configuration file argument"},
          "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.providers.fips"]
      }
      

      It occures because loading of providers is in subsystem implemented in 2 steps

      • create provider instance (call noargs constructor)
      • optionally load configuration

      But sun.security.pkcs11.SunPKCS11 can't be created without configuration [1]

      [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/pkcs11/SunPKCS11.java#98

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: