• Steps to Reproduce:
      must use nss db from /scripts/prepared_artifacts/fipsdb

      git clone
      cd fips
      ./ clean test -Dversion.wildfly.core=3.0.0.Beta26-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER1/jboss-eap-7.1.0.Beta1-maven-repository/maven-repository -fae -Dmaven.test.failure.ignore=true -Dtest=SSLMasterSlaveTwoWayTestCase -DtestLogToFile=false


      When multiple PKCS11 keystores are configured in a domain [1][2] and the PKCS11 store contains a secret key, this exception is thrown on startup intermittently (but very often, circa 50%).

      [Host Controller] 10:15:05,526 ERROR [] (MSC service thread 1-4) MSC000001: Failed to start service org.jboss.msc.service.StartException in service WFLYELY00004: Unable to start the service.
      [Host Controller] 	at org.wildfly.extension.elytron.KeyStoreService.start(
      [Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(
      [Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$
      [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(
      [Host Controller] 	at java.util.concurrent.ThreadPoolExecutor$
      [Host Controller] 	at
      [Host Controller] Caused by: load failed
      [Host Controller] 	at
      [Host Controller] 	at
      [Host Controller] 	at
      [Host Controller] 	at
      [Host Controller] 	at org.wildfly.extension.elytron.KeyStoreService.start(
      [Host Controller] 	... 5 more
      [Host Controller] Caused by: invalid KeyStore state: found multiple secret keys sharing same CKA_LABEL [my-key]
      [Host Controller] 	at
      [Host Controller] 	at
      [Host Controller] 	... 9 more

      Storing a secret key in the PKCS11 store is necessary for the FIPS Credential store implementation.
      // JDK check: every secret key on the token must have a unique CKA_LABEL
      for (long handle : handles) {
          attrs = new CK_ATTRIBUTE[] { new CK_ATTRIBUTE(CKA_LABEL) };
          token.p11.C_GetAttributeValue(session.id(), handle, attrs);
          if (attrs[0].pValue != null) {
              // there is a CKA_LABEL
              String cka_label = new String(attrs[0].getCharArray());
              if (sKeyMap.get(cka_label) == null) {
                  // first secret key seen with this label
                  sKeyMap.put(cka_label, new AliasInfo(cka_label));
              } else {
                  // a second secret key with the same label fails the whole load
                  throw new KeyStoreException("invalid KeyStore state: " +
                          "found multiple secret keys sharing same " +
                          "CKA_LABEL [" +
                          cka_label +
                          "]");
              }
          }
      }

      It seems to me the problem will be that the PKCS11 store (system wide) is loaded concurrently multiple times, and therefore the JDK check sometimes triggers a false positive alarm [3].
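      One way to test the concurrent-load hypothesis outside the server, as an added diagnostic that is not part of the original report and is not WildFly or JDK code. It assumes a PKCS11 provider for the NSS database is already registered with the JVM; the class name, the lock, the thread count and the command-line arguments are hypothetical.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.*;

/** Added diagnostic: loads the same PKCS11 token from several threads at once. */
public class ConcurrentPkcs11Load {
    private static final Object LOAD_LOCK = new Object();

    /** Returns how many of the parallel KeyStore.load() calls threw. */
    static int failures(Provider p, char[] pin, int threads, boolean serialize) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < threads; i++) {
            results.add(pool.submit(() -> {
                start.await();                          // release all loaders together
                KeyStore ks = KeyStore.getInstance("PKCS11", p);
                if (serialize) {
                    synchronized (LOAD_LOCK) { ks.load(null, pin); }   // one load at a time
                } else {
                    ks.load(null, pin);                 // loads may overlap
                }
                return true;
            }));
        }
        start.countDown();
        int failed = 0;
        for (Future<Boolean> f : results) {
            try { f.get(); } catch (ExecutionException e) {
                failed++;
                System.err.println("load failed: " + e.getCause());
            }
        }
        pool.shutdown();
        return failed;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: name of a registered PKCS11 provider, args[1]: PIN of the test token (assumptions)
        Provider p = Security.getProvider(args[0]);
        if (p == null) throw new IllegalArgumentException("provider not registered: " + args[0]);
        char[] pin = args[1].toCharArray();
        for (int round = 0; round < 20; round++) {
            System.out.printf("round %d: concurrent failures=%d, serialized failures=%d%n",
                    round, failures(p, pin, 4, false), failures(p, pin, 4, true));
        }
    }
}
```

      If the concurrent column shows failures carrying the CKA_LABEL message while the serialized column stays at zero, that supports the race explanation and points to serializing keystore loads as a workaround.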


                • Assignee:
                  pskopek Peter Škopek
                  Need Info from:
                  Darran Lofthouse, Peter Škopek