  1. JBoss Enterprise Application Platform
  2. JBEAP-4417

FIPS mode: Setting jsse element in security domain with JKS keystore leads to exception.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Trivial
    • Resolution: Done
    • Affects Version/s: 7.0.0.CR1
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Environment:

      OpenJDK/Oracle java

    • Steps to Reproduce:
      • /subsystem=security/security-domain=domainWithJsse/jsse=classic:add(keystore={password=keypass,type=JKS,url="file:///${jboss.server.config.dir}/keystore.jks"},server-alias=server)
      • exception KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs occurs on startup

      Description

      Steps to reproduce:

      • Configure a JKS keystore in the jsse element of a security domain
         /subsystem=security/security-domain=domainWithJsse/jsse=classic:add(keystore={password=keypass,type=JKS,url="file:///${jboss.server.config.dir}/keystore.jks"},server-alias=server)
      • exception KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs occurs on startup

      Probably there is nothing EAP can do about that, as Java makes this check [1]. Just adding here for reference.

      [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u40-b25/sun/security/ssl/KeyManagerFactoryImpl.java#65

      17:04:42,192 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.security.security-domain.service: org.jboss.msc.service.StartException in service jboss.security.security-domain.service: WFLYSEC0012: Unable to start the SecurityDomainService service
      	at org.jboss.as.security.service.SecurityDomainService.start(SecurityDomainService.java:105)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
      	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
      	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
      	at org.jboss.security.JBossJSSESecurityDomain.loadKeyAndTrustStore(JBossJSSESecurityDomain.java:488)
      	at org.jboss.security.JBossJSSESecurityDomain.reloadKeyAndTrustStore(JBossJSSESecurityDomain.java:335)
      	at org.jboss.as.security.service.SecurityDomainService.start(SecurityDomainService.java:102)
      	... 5 more
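
      The provider check behind this exception can be run as a preflight before the server starts. The class below is an added example, not part of the original report or of EAP/PicketBox code. It assumes the keystore is requested by type only, with no provider named (as in the CLI command above), and takes its defaults (JKS, SunPKCS11-testPkcs) from this report; the class and method names are hypothetical.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

/** Added example: preflight for the FIPS keystore-provider check. */
public class FipsKeystorePreflight {

    /**
     * Returns null if a keystore of the given type would come from the
     * expected provider, otherwise a message describing the mismatch.
     */
    static String check(String keystoreType, String expectedProviderName) {
        Provider expected = Security.getProvider(expectedProviderName);
        if (expected == null) {
            return "provider " + expectedProviderName + " is not registered";
        }
        KeyStore ks;
        try {
            // Lookup by type only: the first registered provider that
            // offers this keystore type wins.
            ks = KeyStore.getInstance(keystoreType);
        } catch (KeyStoreException e) {
            return "no provider offers keystore type " + keystoreType;
        }
        // The keystore must come from the FIPS crypto provider itself,
        // so compare provider instances rather than names.
        if (ks.getProvider() != expected) {
            return "keystore type " + keystoreType + " resolves to provider "
                    + ks.getProvider().getName() + ", not " + expectedProviderName;
        }
        return null;
    }

    public static void main(String[] args) {
        // Defaults mirror the report: type=JKS, provider SunPKCS11-testPkcs.
        String type = args.length > 0 ? args[0] : "JKS";
        String provider = args.length > 1 ? args[1] : "SunPKCS11-testPkcs";
        String problem = check(type, provider);
        if (problem == null) {
            System.out.println("OK: " + type + " keystores come from " + provider);
        } else {
            System.out.println("MISMATCH: " + problem);
            System.exit(1);
        }
    }
}
```

      Run it with the same JVM and java.security configuration as the server so that the registered provider list matches.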
      

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  mchoma Martin Choma
                  Tester:
                  Martin Choma