When trying to connect with CLI to server using PKCS11 (and FIPS):

• CLI can connect with the old workaround described in 7.0 documentation

  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
  

• When providing -Dwildfly.config.url, no matter what's in the path (even if it's non-existent file), CLI throws following error:

  java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used: FIPS mode: only SunJSSE TrustManagers may be used
  

• If I set up BOTH the JAVA_OPTS and wildfly-config.xml, the config is parsed properly (throwing errors in case of wrong path, malformed xml etc.) and CLI connects successfully.

I'm marking it as a blocker now, since this is basically the functionality required by EAP7-610. But the old workaround still works just fine, so I think this isn't high priority if we're ok to postpone the RFE.