Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-5687

PKCS11 FIPS mode with Oracle Java 11

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Major Major
    • None
    • None
    • Security
    • None

      How to ensure that WildFly runs in PKCS11 FIPS mode on Oracle Java 11?

      On OpenJDK 11 we can set SunPKCS11 provider with a path to NSS config file, and use the provider created this way to set SunJSSE provider into FIPS mode. For example

      (snippet from JAVA_HOME/conf/security/java.security)

      security.provider.1=SunPKCS11 /home/okotek/test/nss_pkcsll_fips.cfg
      security.provider.2=SUN
      security.provider.3=SunRsaSign
      security.provider.4=SunEC
      security.provider.5=SunJSSE SunPKCS11-testFipsPkcs
      security.provider.6=SunJCE
      security.provider.7=SunJGSS
      security.provider.8=SunSASL
      security.provider.9=XMLDSig
      security.provider.10=SunPCSC
      security.provider.11=JdkLDAP
      security.provider.12=JdkSASL
      

      (/home/okotek/test/nss_pkcsll_fips.cfg)

      name = testFipsPkcs
      nssLibraryDirectory=/usr/lib64
      nssSecmodDirectory=/home/okotek/test/nssdb
      nssDbMode = readWrite
      nssModule = fips
      

      getInfo() for SunJSSE provider results in Sun JSSE provider (FIPS mode, crypto provider SunPKCS11-testPkcs).

      We probably cannot use the same configuration for Oracle Java 11, as the SunPKCS11-testFipsPkcs argument of security.provider.5=SunJSSE is ignored, like it's described in https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8230923, and getInfo() for SunJSSE provider results in Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2). However WildFly works as expected. Using com.sun.net.ssl.internal.ssl.Provider like described in the bug results into the same info string, but WildFly is not able to read trust store keystores.

      The question is what we need to set to run WildFly on Oracle Java 11 in (PKCS11) FIPS mode, and whether/how it is possible to check it.

              dvilkola@redhat.com Diana Krepinska (Inactive)
              okotek@redhat.com Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: