  1. JBoss Enterprise Application Platform
  2. JBEAP-3789

Using JKS keystore leads to "FIPS mode: KeyStore must be from provider XXX"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Trivial
    • Resolution: Won't Fix
    • Affects Version/s: 7.0.0.ER6
    • Fix Version/s: None
    • Component/s: Management, Security
    • Labels:
      None
    • Target Release:
    • Affects:
      Documentation (Ref Guide, User Guide, etc.)

      Description

      A user can't start a domain in FIPS mode when a JKS keystore is used for master <-> slave host controller communication. (Using a PKCS11 keystore works well.)

      [Host Controller] 14:05:47,900 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.server.controller.management.security_realm.MasterManagementRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.MasterManagementRealm.key-manager: WFLYDM0018: Unable to start service
      [Host Controller]       at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
      [Host Controller]       at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:147)
      [Host Controller]       at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
      [Host Controller]       at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
      [Host Controller]       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      [Host Controller]       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      [Host Controller]       at java.lang.Thread.run(Thread.java:745)
      [Host Controller] Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
      [Host Controller]       at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
      [Host Controller]       at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      [Host Controller]       at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:121)
      [Host Controller]       at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:83)
      [Host Controller]       ... 6 more
      

      If I understood the code correctly [1], there is nothing EAP can do about it. Just adding here for reference.

      [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/KeyManagerFactoryImpl.java#65
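
A preflight check for the failure in the log above, added here as an example; it is not part of the original report or of EAP. It approximates the provider comparison that the stack trace points to in `KeyManagerFactoryImpl.engineInit` by comparing provider names. The class name `FipsKeystorePreflight` and its helper methods are hypothetical, and the default provider name is the one from the exception message.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

public class FipsKeystorePreflight {

    // Returns null if the keystore's provider matches the required one,
    // otherwise a description of the mismatch. Comparing names is a
    // simplification of the JDK's own check, chosen for this example.
    static String check(KeyStore ks, String requiredProvider) {
        String actual = ks.getProvider().getName();
        if (actual.equals(requiredProvider)) {
            return null;
        }
        return "type " + ks.getType() + " is served by provider " + actual
                + ", FIPS-mode JSSE expects " + requiredProvider;
    }

    public static void main(String[] args) throws Exception {
        // Provider name taken from the exception in the log above; pass
        // another name as the first argument to test a different setup.
        String required = args.length > 0 ? args[0] : "SunPKCS11-testPkcs";

        // In a stock JDK, file-based types come from software providers,
        // so they fail a check that demands the PKCS#11 provider.
        for (String type : new String[] {"JKS", "PKCS12"}) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null); // empty in-memory keystore, constructed for the demo
            report(ks, required);
        }

        // A PKCS11 keystore obtained from the required provider passes.
        Provider p = Security.getProvider(required);
        if (p == null) {
            System.out.println("SKIP: provider " + required + " is not registered in this JVM");
        } else {
            report(KeyStore.getInstance("PKCS11", p), required);
        }
    }

    static void report(KeyStore ks, String required) {
        String problem = check(ks, required);
        System.out.println(problem == null ? "OK:   type " + ks.getType() + " from " + required
                                           : "FAIL: " + problem);
    }
}
```

Running it against the keystore type configured for the management realm shows before startup whether the key manager service would hit the `KeyStoreException`.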

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  mchoma Martin Choma