Uploaded image for project: 'Remoting JMX'
  1. Remoting JMX
  2. REMJMX-142

Elytron, JMX client fails to work when the JVM is running in FIPS mode

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 3.0.0.Beta5
    • Component/s: Security
    • Labels:
      None
    • Steps to Reproduce:
      Hide
      • Configure the JVM in FIPS mode
      • Configure default client ssl context
        /subsystem=elytron/key-store=key-store:add(name=key-store, type=PKCS11, credential-reference={clear-text => pass123+})
        /subsystem=elytron/trust-managers=trust-manager:add(name=trust-manager, key-store=key-store)
        /subsystem=elytron/client-ssl-context=client-ssl-context:add(cipher-suite-filter=TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA, trust-managers=trust-manager, protocols=[TLSv1.1])
        /subsystem=elytron/authentication-context=authentication-context:add(match-rules=[{ssl-context => client-ssl-context}])
        /:reload
        
      • Create a remote JMX connection within a deployed application:
        JmxClientServlet.java
            @Override
            public void doGet(HttpServletRequest request, final HttpServletResponse response) throws ServletException,IOException{
                try {
                  Map<String,String> environment = new HashMap<String,String>();
                  environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx");
                  JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999");
                  JMXConnectorFactory.connect(url, environment);
                  print(response, "OK");
                } catch( Exception e ) {
                  print(response, "FAIL "+e);
                  System.out.println("*** Error:"+e.getMessage());
                  e.printStackTrace();
                }
            }
        
      Show
      Configure the JVM in FIPS mode Configure default client ssl context /subsystem=elytron/key-store=key-store:add(name=key-store, type=PKCS11, credential-reference={clear-text => pass123+}) /subsystem=elytron/trust-managers=trust-manager:add(name=trust-manager, key-store=key-store) /subsystem=elytron/client-ssl-context=client-ssl-context:add(cipher-suite-filter=TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA, trust-managers=trust-manager, protocols=[TLSv1.1]) /subsystem=elytron/authentication-context=authentication-context:add(match-rules=[{ssl-context => client-ssl-context}]) /:reload Create a remote JMX connection within a deployed application: JmxClientServlet.java @Override public void doGet(HttpServletRequest request, final HttpServletResponse response) throws ServletException,IOException{ try { Map< String , String > environment = new HashMap< String , String >(); environment.put( "jmx.remote.protocol.provider.pkgs" , "org.jboss.remotingjmx" ); JMXServiceURL url = new JMXServiceURL( "service:jmx:remoting-jmx: //localhost:9999" ); JMXConnectorFactory.connect(url, environment); print(response, "OK" ); } catch ( Exception e ) { print(response, "FAIL " +e); System .out.println( "*** Error:" +e.getMessage()); e.printStackTrace(); } }

      Description

      The JMX client fails to work when the JVM is running in FIPS mode.
      There should be possible to configure client ssl context with Elytron. However doing so, still javax.net.ssl.SSLContext.getDefault() is called which fails with the following stacktrace:

      server.log
      10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Completed open of endpoint "endpoint" <67ce59be>
      10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 1 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote)
      10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote': Remoting remote connection provider 42a0d0b7 for endpoint "endpoint" <67ce59be>
      10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 2 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+tls)
      10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+tls': Remoting remote connection provider 7dc22d9b for endpoint "endpoint" <67ce59be>
      10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 3 of endpoint "endpoint" <67ce59be> (opened Connection provider for remoting)
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remoting': Remoting remote connection provider 194d9579 for endpoint "endpoint" <67ce59be>
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 4 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+http)
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+http': Remoting remote connection provider 21f0cb0a for endpoint "endpoint" <67ce59be>
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 5 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+https)
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+https': Remoting remote connection provider 27b862 for endpoint "endpoint" <67ce59be>
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 6 of endpoint "endpoint" <67ce59be> (opened Connection provider for http-remoting)
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'http-remoting': Remoting remote connection provider 422cda30 for endpoint "endpoint" <67ce59be>
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 7 of endpoint "endpoint" <67ce59be> (opened Connection provider for https-remoting)
      10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'https-remoting': Remoting remote connection provider 55cb3d77 for endpoint "endpoint" <67ce59be>
      10:55:00,764 WARN  [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
      10:55:00,764 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
      10:55:00,764 WARN  [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
      10:55:00,765 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
      10:55:00,772 INFO  [stdout] (default task-1) *** Error:JBREM000212: Failed to configure SSL context
      10:55:00,773 ERROR [stderr] (default task-1) java.io.IOException: JBREM000212: Failed to configure SSL context
      10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:497)
      10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:487)
      10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:241)
      10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:158)
      10:55:00,773 ERROR [stderr] (default task-1) 	at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:105)
      10:55:00,773 ERROR [stderr] (default task-1) 	at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
      10:55:00,773 ERROR [stderr] (default task-1) 	at com.redhat.eap.qe.fips.standalone.elytron.client.jmx.JmxClientServlet.doGet(JmxClientServlet.java:33)
      10:55:00,773 ERROR [stderr] (default task-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      10:55:00,773 ERROR [stderr] (default task-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      10:55:00,773 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      10:55:00,774 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      10:55:00,774 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      10:55:00,774 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
      10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      10:55:00,775 ERROR [stderr] (default task-1) 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      10:55:00,775 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
      10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
      10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
      10:55:00,776 ERROR [stderr] (default task-1) 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
      10:55:00,776 ERROR [stderr] (default task-1) 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      10:55:00,776 ERROR [stderr] (default task-1) 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      10:55:00,776 ERROR [stderr] (default task-1) 	at java.lang.Thread.run(Thread.java:745)
      10:55:00,776 ERROR [stderr] (default task-1) Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
      10:55:00,776 ERROR [stderr] (default task-1) 	at java.security.Provider$Service.newInstance(Provider.java:1617)
      10:55:00,776 ERROR [stderr] (default task-1) 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
      10:55:00,776 ERROR [stderr] (default task-1) 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
      10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
      10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
      10:55:00,777 ERROR [stderr] (default task-1) 	at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:183)
      10:55:00,777 ERROR [stderr] (default task-1) 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:495)
      10:55:00,777 ERROR [stderr] (default task-1) 	... 46 more
      10:55:00,777 ERROR [stderr] (default task-1) Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
      10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
      10:55:00,777 ERROR [stderr] (default task-1) 	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
      10:55:00,777 ERROR [stderr] (default task-1) 	at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
      10:55:00,777 ERROR [stderr] (default task-1) 	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      10:55:00,777 ERROR [stderr] (default task-1) 	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      10:55:00,778 ERROR [stderr] (default task-1) 	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      10:55:00,778 ERROR [stderr] (default task-1) 	at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
      10:55:00,778 ERROR [stderr] (default task-1) 	at java.security.Provider$Service.newInstance(Provider.java:1595)
      10:55:00,778 ERROR [stderr] (default task-1) 	... 52 more
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  mchoma Martin Choma
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: