Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-3034

CLI with PKCS11 keystore cannot connect to server and throws java.security.KeyManagementException

    Details

      Description

      When trying to connect with CLI to server using PKCS11 (and FIPS):

      • CLI can connect with the old workaround described in 7.0 documentation
        JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
        JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
        
      • When providing -Dwildfly.config.url, no matter what's in the path (even if it's non-existent file), CLI throws following error:
        java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used: FIPS mode: only SunJSSE TrustManagers may be used
        
      • If I set up BOTH the JAVA_OPTS and wildfly-config.xml, the config is parsed properly (throwing errors in case of wrong path, malformed xml etc.) and CLI connects successfully.

      I'm marking it as a blocker now, since this is basically the functionality required by EAP7-610. But the old workaround still works just fine, so I think this isn't high priority if we're ok to postpone the RFE.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  dlofthouse Darran Lofthouse
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: