Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-3799

FIPS mode is not detected correctly on JDK 8

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 5.0.0.Beta1
    • 5.0.0.Alpha4
    • Security
    • None

      Trying SSL in FIPS mode I get "KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used" 

      17:45:32,678 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.ssl-context.server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.server-ssl-context: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:926)
	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
	at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
	at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:924)
	... 9 more

17:45:32,686 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("server-ssl-context" => "server-ssl-context")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.server-ssl-context" => "java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
    Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used"}}

      https://github.com/wildfly/wildfly-core/blob/02e2de734c68e23e0bae81fc12d71947a00805be/elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java#L1085

      Debugging revealed problem is in this call

      SSLDefinitions.java
      final Class<?> providerClazz = SSLDefinitions.class.getClassLoader().loadClass("com.sun.net.ssl.internal.ssl.Provider");

      which ends with ClassNotFoundException

      java.lang.ClassNotFoundException: com.sun.net.ssl.internal.ssl.Provider from [Module "org.wildfly.extension.elytron" version 5.0.0.Alpha-redhat-20180502 from local module loader @41ee392b (finder: local module finder @1e67a849 (roots: /home/mchoma/Repos/tests-security/fips/target/dist/jboss-eap/modules,/home/mchoma/Repos/tests-security/fips/target/dist/jboss-eap/modules/system/layers/base))]

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: