Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-5558

Wildlfy app not starting: cause: ApplicationRealm is not getting intailized throwing : FIPS mode: only SunJSSE TrustManagers may be used

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • 17.0.0.Beta5
    • None
    • Security
    • None
    • 3
    • Hide
      1. Creata a web application war module
      2. Create keystore/truststore as shown below keytool -genkey -alias wildflywebapp -keyalg rsa -sigalg SHA256withRSA -keysize 2048 -dname CN=<your hostname> -keystore wildflywebapp.keystore -keypass wildflywebapp@01 -storepass wildflywebapp@01 -storetype PKCS12

      <JRE HOME>/bin/keytool -export -alias wildflywebapp -file wildflywebapp.cer -keystore wildflywebapp.keystore -storepass wildflywebapp@01 -storetype PKCS12

      <JRE HOME>/jre/bin/keytool -import -alias wildflywebapp -file wildflywebapp.cer -noprompt -keystore wildflywebapp.truststore -storepass wildflywebapp@01 -storetype PKCS12

      1. configure standalone-full.xml as shown below
      2. <management>
        <security-realm name="ApplicationRealm">
        <server-identities>
        <ssl protocol="TLSv1.2">
        <keystore path="wildflywebapp.keystore" relative-to="jboss.server.config.dir" keystore-password="wildflywebapp@01" provider="PKCS12"/>
        </ssl>
        </server-identities>
        <authentication>
        <truststore path="wildflywebapp.truststore" relative-to="jboss.server.config.dir" keystore-password="wildflywebapp@01" provider="PKCS12"/>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
        </security-realm>
        </security-realms>
      3. Download bc-fips.jar and copy to JRE/lib/ext dir form https://mvnrepository.com/artifact/org.bouncycastle/bc-fips/1.0.1
      4. Create a java.security file with below contents# /dev/urandom is required for performance on Linux
        securerandom.source=file:/dev/./urandom
        java.security.egd=file:/dev/urandom
        crypto.policy=unlimited
      1. The list of providers required.
        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
        security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
        security.provider.3=sun.security.provider.Sun
        security.provider.4=com.sun.crypto.provider.SunJCE
        security.provider.5=sun.security.jgss.SunProvider
        security.provider.6=com.sun.security.sasl.Provider
        security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
        security.provider.8=sun.security.smartcardio.SunPCSC
        security.provider.9=com.sun.crypto.provider.SunJCE
        security.provider.10=com.sun.crypto.provider.SunJCE
        #security.provider.11=com.sun.net.ssl.internal.ssl.Provider
      1. <WILDFLY_HOME>/standalone/deployments folder

      and start wildlfy  with the following command 
      <Wildfly HOME>/bin/standalone.sh -b 0.0.0.0 -bmanagement=0.0.0.0 -c standalone-full.xml -D java.security

      1. application did not start observer below error in log 
      2. 2021/08/18 02:14:18 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0013: Started FileSystemDeploymentService for directory /opt/NA/server/ext/appserver/standalone/deployments
        2021/08/18 02:14:18 ERROR [org.jboss.msc.service.fail] MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
        at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:118) [wildfly-domain-management-16.0.0.Final.jar:16.0.0.Final]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) [jboss-msc-1.4.12.Final.jar:1.4.12.Final]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) [jboss-msc-1.4.12.Final.jar:1.4.12.Final]
        at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) [jboss-msc-1.4.12.Final.jar:1.4.12.Final]
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
        at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_292]
        Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
        at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:132) [jsse.jar:1.8.0_292]
        at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:94) [jsse.jar:1.8.0_292]
        at javax.net.ssl.SSLContext.init(SSLContext.java:282) [rt.jar:1.8.0_292]
        at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:109) [wildfly-domain-management-16.0.0.Final.jar:16.0.0.Final]
        ... 8 more
      3. As per SSLContextIMPl implementation when FIPS is enabled
        https://github.com/bpupadhyaya/openjdk-8/blob/master/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
        # FIPS SSLSocketImpl says u can't override trustmanagers as TLS security lies on having certificate outgoing communication form (Wildfly app)  -> any server  so Wildfly app can understand its commuincation right server over TLS
      4. But we are trying to override  SSLContext Trustmanager Implemntaiton which is not allowed when FIPS is enabled at SSL PRovider level 
        https://github.com/wildfly/wildfly-core/blob/main/domain-management/src/main/java/org/jboss/as/domain/management/security/SSLContextService.java}}{{
      Show
      Creata a web application war module Create keystore/truststore as shown below keytool -genkey -alias wildflywebapp -keyalg rsa -sigalg SHA256withRSA -keysize 2048 -dname CN=<your hostname> -keystore wildflywebapp.keystore -keypass wildflywebapp@01 -storepass wildflywebapp@01 -storetype PKCS12 <JRE HOME>/bin/keytool -export -alias wildflywebapp -file wildflywebapp.cer -keystore wildflywebapp.keystore -storepass wildflywebapp@01 -storetype PKCS12 <JRE HOME>/jre/bin/keytool -import -alias wildflywebapp -file wildflywebapp.cer -noprompt -keystore wildflywebapp.truststore -storepass wildflywebapp@01 -storetype PKCS12 configure standalone-full.xml as shown below <management> <security-realm name="ApplicationRealm"> <server-identities> <ssl protocol="TLSv1.2"> <keystore path="wildflywebapp.keystore" relative-to="jboss.server.config.dir" keystore-password="wildflywebapp@01" provider="PKCS12"/> </ssl> </server-identities> <authentication> <truststore path="wildflywebapp.truststore" relative-to="jboss.server.config.dir" keystore-password="wildflywebapp@01" provider="PKCS12"/> <local default-user="$local" allowed-users="*" skip-group-loading="true"/> <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> </authentication> <authorization> <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> </authorization> </security-realm> </security-realms> Download bc-fips.jar and copy to JRE/lib/ext dir form  https://mvnrepository.com/artifact/org.bouncycastle/bc-fips/1.0.1 Create a java.security file with below contents# /dev/urandom is required for performance on Linux securerandom.source= file:/dev/./urandom java.security.egd= file:/dev/urandom crypto.policy=unlimited The list of providers required. security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS security.provider.3=sun.security.provider.Sun security.provider.4=com.sun.crypto.provider.SunJCE security.provider.5=sun.security.jgss.SunProvider security.provider.6=com.sun.security.sasl.Provider security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI security.provider.8=sun.security.smartcardio.SunPCSC security.provider.9=com.sun.crypto.provider.SunJCE security.provider.10=com.sun.crypto.provider.SunJCE #security.provider.11=com.sun.net.ssl.internal.ssl.Provider <WILDFLY_HOME>/standalone/deployments folder and start wildlfy  with the following command  <Wildfly HOME>/bin/standalone.sh -b 0.0.0.0 -bmanagement=0.0.0.0 -c standalone-full.xml -D java.security application did not start observer below error in log  2021/08/18 02:14:18 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0013: Started FileSystemDeploymentService for directory /opt/NA/server/ext/appserver/standalone/deployments 2021/08/18 02:14:18 ERROR [org.jboss.msc.service.fail] MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:118) [wildfly-domain-management-16.0.0.Final.jar:16.0.0.Final] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) [jboss-msc-1.4.12.Final.jar:1.4.12.Final] at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) [jboss-msc-1.4.12.Final.jar:1.4.12.Final] at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) [jboss-msc-1.4.12.Final.jar:1.4.12.Final] at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363) at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_292] Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:132) [jsse.jar:1.8.0_292] at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:94) [jsse.jar:1.8.0_292] at javax.net.ssl.SSLContext.init(SSLContext.java:282) [rt.jar:1.8.0_292] at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:109) [wildfly-domain-management-16.0.0.Final.jar:16.0.0.Final] ... 8 more As per SSLContextIMPl implementation when FIPS is enabled https: //github .com /bpupadhyaya/openjdk-8/blob/master/jdk/src/share/classes/sun/security/ssl/SSLContextImpl .java # FIPS SSLSocketImpl says u can't override trustmanagers as TLS security lies on having certificate outgoing communication form (Wildfly app)  -> any server  so Wildfly app can understand its commuincation right server over TLS But we are trying to override  SSLContext Trustmanager Implemntaiton which is not allowed when FIPS is enabled at SSL PRovider level  https://github.com/wildfly/wildfly-core/blob/main/domain-management/src/main/java/org/jboss/as/domain/management/security/SSLContextService.java }}{{
    • undefined

      2021/08/18 02:14:18 INFO [org.jboss.as.server.deployment.scanner] WFLYDS0013: Started FileSystemDeploymentService for directory /opt/NA/server/ext/appserver/standalone/deployments
      2021/08/18 02:14:18 ERROR [org.jboss.msc.service.fail] MSC000001: Failed to start service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ApplicationRealm.ssl-context: WFLYDM0018: Unable to start service
      at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:118) [wildfly-domain-management-16.0.0.Final.jar:16.0.0.Final]
      at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) [jboss-msc-1.4.12.Final.jar:1.4.12.Final]
      at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) [jboss-msc-1.4.12.Final.jar:1.4.12.Final]
      at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) [jboss-msc-1.4.12.Final.jar:1.4.12.Final]
      at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
      at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_292]
      Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
      at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:132) [jsse.jar:1.8.0_292]
      at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:94) [jsse.jar:1.8.0_292]
      at javax.net.ssl.SSLContext.init(SSLContext.java:282) [rt.jar:1.8.0_292]
      at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:109) [wildfly-domain-management-16.0.0.Final.jar:16.0.0.Final]
      ... 8 more

              darran.lofthouse@redhat.com Darran Lofthouse
              akash551 Akash Gupta (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: