- Bug
- Resolution: Not a Bug
- Major
How to ensure that WildFly runs in PKCS11 FIPS mode on Oracle Java 11?
On OpenJDK 11 we can set the SunPKCS11 provider with a path to an NSS config file, and use the provider created this way to put the SunJSSE provider into FIPS mode. For example:
(snippet from JAVA_HOME/conf/security/java.security)
security.provider.1=SunPKCS11 /home/okotek/test/nss_pkcsll_fips.cfg
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE SunPKCS11-testFipsPkcs
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL
(/home/okotek/test/nss_pkcsll_fips.cfg)
name = testFipsPkcs
nssLibraryDirectory=/usr/lib64
nssSecmodDirectory=/home/okotek/test/nssdb
nssDbMode = readWrite
nssModule = fips
getInfo() for the SunJSSE provider returns "Sun JSSE provider (FIPS mode, crypto provider SunPKCS11-testPkcs)".
We probably cannot use the same configuration for Oracle Java 11, as the SunPKCS11-testFipsPkcs argument of security.provider.5=SunJSSE is ignored, as described in https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8230923, and getInfo() for the SunJSSE provider returns "Sun JSSE provider (PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)". However, WildFly works as expected. Using com.sun.net.ssl.internal.ssl.Provider as described in the bug results in the same info string, but WildFly is not able to read trust store keystores.
The question is what we need to set to run WildFly on Oracle Java 11 in (PKCS11) FIPS mode, and whether/how it is possible to check it.
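As an added diagnostic (not code from the issue or from WildFly), the following program, run with the same java.security settings as the WildFly JVM, reports the loaded provider order, whether SunJSSE's info string mentions FIPS mode, whether the PKCS#11 provider is present, and, more usefully on Oracle Java 11, which provider actually wins the lookups TLS depends on. It assumes the NSS config name testFipsPkcs from the issue, so the provider is named SunPKCS11-testFipsPkcs.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
// Diagnostic to run with the same java.security settings the WildFly JVM uses.
public class FipsProviderCheck {
    // Assumption: the NSS config's "name" is testFipsPkcs, as in the issue, so the provider is named accordingly.
    static final String PKCS11_PROVIDER = "SunPKCS11-testFipsPkcs";

    // Name of the provider a service resolves to under the current provider order (or the failure reason).
    static String providerFor(String service, String algorithm) {
        try {
            switch (service) {
                case "Cipher":        return Cipher.getInstance(algorithm).getProvider().getName();
                case "MessageDigest": return MessageDigest.getInstance(algorithm).getProvider().getName();
                case "KeyStore":      return KeyStore.getInstance(algorithm).getProvider().getName();
                case "SSLContext":    return SSLContext.getInstance(algorithm).getProvider().getName();
                default:              throw new IllegalArgumentException("unknown service " + service);
            }
        } catch (Exception e) {
            return "UNAVAILABLE (" + e + ")";
        }
    }
    public static void main(String[] args) {
        // 1. Provider order as actually loaded; an overridden java.security shows up here.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d %-24s %s%n", i + 1, providers[i].getName(), providers[i].getInfo());
        }

        // 2. The info string is only a hint: per the issue, Oracle Java 11 omits "FIPS mode" even when TLS works.
        Provider jsse = Security.getProvider("SunJSSE");
        System.out.println("SunJSSE info mentions FIPS mode: " + (jsse != null && jsse.getInfo().contains("FIPS mode")));

        // 3. Is the PKCS#11 provider present, and does it offer the PKCS11 KeyStore type the key/trust stores would use?
        Provider pkcs11 = Security.getProvider(PKCS11_PROVIDER);
        System.out.println(PKCS11_PROVIDER + " loaded: " + (pkcs11 != null) + ", PKCS11 KeyStore offered: "
                + (pkcs11 != null && pkcs11.getService("KeyStore", "PKCS11") != null));

        // 4. The check that matters: which provider wins for the primitives TLS relies on. With SunPKCS11 first
        //    these should name the PKCS#11 provider; SSLContext itself is always SunJSSE, which delegates
        //    the crypto to whichever provider wins the lookup unless its own FIPS mode pins it.
        String[][] probes = { {"Cipher", "AES/CBC/NoPadding"}, {"MessageDigest", "SHA-256"},
                              {"KeyStore", "PKCS11"}, {"SSLContext", "TLS"} };
        for (String[] p : probes) System.out.printf("%-13s %-18s -> %s%n", p[0], p[1], providerFor(p[0], p[1]));
    }
}
```

If the probes in step 4 name SunJCE or SUN rather than the PKCS#11 provider, the JVM is not routing TLS crypto through NSS regardless of what the SunJSSE info string says.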
Relates to: WFCORE-5566 Fix FIPS detection so that it also works with Java 17 (Closed)