Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-10882

FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used

    XMLWordPrintable

Details

    • Hide
      • ./standalone.sh
      • run CLI with FIPS PKCS11 java
        ./jboss-cli.sh \
            -c \
            -Dwildfly.config.url=file:///from/attachment/cli-test-wildfly-config.xml \
            --connect \
            :read-attribute\(name=server-state\)
        
      Show
      ./standalone.sh run CLI with FIPS PKCS11 java ./jboss-cli.sh \ -c \ -Dwildfly.config.url=file: ///from/attachment/cli-test-wildfly-config.xml \ --connect \ :read-attribute\(name=server-state\)

    Description

      Fix of ELY-1622 introduced regression. It is not possible to do 1 way ssl (no key-store-ssl-certificate in wildfly-config.xml) with exception

      14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
              at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
              at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
              at org.jboss.modules.Module.run(Module.java:352)
              at org.jboss.modules.Module.run(Module.java:320)
              at org.jboss.modules.Main.main(Main.java:593)
      Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
              at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
              ... 5 more
      Caused by: java.io.IOException: Failed to obtain SSLContext
              at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
              at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
              at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
              ... 8 more
      Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
              at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
              at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
              at javax.net.ssl.SSLContext.init(SSLContext.java:282)
              at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
              at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
              at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
              at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
              at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
              ... 10 more
       

      It is because after fix Fix of ELY-1622 custom keymanager is used. But it is forbidden by jdk FIPS PKCS11.

      Attachments

        Issue Links

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: