Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10382

To be able configure FIPS compliant providers purely with Elytron subsystem

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Obsolete
    • Icon: Major Major
    • None
    • 7.1.0.DR16
    • Security
    • None

      To configure TLS in FIPS mode there have to be java.security file configured as follows (this works fine as expected)

      security.provider.1=sun.security.pkcs11.SunPKCS11 /usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=com.sun.net.ssl.internal.ssl.Provider  SunPKCS11-testPkcs

      Elytron subsystem have capablity to configure security providers. So expectation was the same could be configured purely via elytron subsystem. However it is not true and trying these commands leads to error

      [standalone@localhost:9990 /] /subsystem=elytron/provider-loader=b:add(class-names=[com.sun.net.ssl.internal.ssl.Provider])
{
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.providers.b" => "java.lang.ClassNotFoundException: com.sun.net.ssl.internal.ssl.Provider from [Module \"org.wildfly.extension.elytron\" from local module loader @282ba1e (finder: local module finder @13b6d03 (roots: /home/mchoma/workspace/eap-versions/7.1.0.DR16/jboss-eap-7.1/modules,/home/mchoma/workspace/eap-versions/7.1.0.DR16/jboss-eap-7.1/modules/system/layers/base))]
    Caused by: java.lang.ClassNotFoundException: com.sun.net.ssl.internal.ssl.Provider from [Module \"org.wildfly.extension.elytron\" from local module loader @282ba1e (finder: local module finder @13b6d03 (roots: /home/mchoma/workspace/eap-versions/7.1.0.DR16/jboss-eap-7.1/modules,/home/mchoma/workspace/eap-versions/7.1.0.DR16/jboss-eap-7.1/modules/system/layers/base))]"}},
    "rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/provider-loader=a:add(class-names=[sun.security.pkcs11.SunPKCS11], argument="/usr/java/jdk1.8.0_66_fips_mode/__fips_config_material/pkcs11.cfg")
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/provider-loader=b:add(class-names=[sun.security.provider.Sun])
{"outcome" => "success"}

      After workarounding first problem by adding <path name="com/sun/net/ssl/internal/ssl"/> into module.xml of sun.jdk module there is another error

      [standalone@localhost:9990 /] /subsystem=elytron/provider-loader=c:add(class-names=[com.sun.net.ssl.internal.ssl.Provider], argument="SunPKCS11-testPkcs")
{
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.providers.c" => "java.lang.reflect.InvocationTargetException
    Caused by: java.lang.reflect.InvocationTargetException
    Caused by: java.security.ProviderException: Crypto provider not installed: SunPKCS11-testPkcs"}},
    "rolled-back" => true
}
      server.log
      11:07:40,787 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.providers.c: org.jboss.msc.service.StartException in service org.wildfly.security.providers.c: java.lang.reflect.InvocationTargetException
	at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:214)
	at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:154)
	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
	at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:179)
	... 7 more
Caused by: java.security.ProviderException: Crypto provider not installed: SunPKCS11-testPkcs
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:142)
	at sun.security.ssl.SunJSSE.<init>(SunJSSE.java:123)
	at com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:51)
	... 12 more

11:07:40,791 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("provider-loader" => "c")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.providers.c" => "java.lang.reflect.InvocationTargetException
    Caused by: java.lang.reflect.InvocationTargetException
    Caused by: java.security.ProviderException: Crypto provider not installed: SunPKCS11-testPkcs"}}

      Please provide possibility to configure EAP in FIPS mode just with elytron subsystem.

            darran.lofthouse@redhat.com Darran Lofthouse
            mchoma@redhat.com Martin Choma
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: