WildFly Core / WFCORE-644

jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores


Details

    • Type: Bug
    • Resolution: Obsolete
    • Priority: Critical
    • Affects Version/s: 3.0.0.Beta11
    • Fix Version/s: None
    • Component/s: CLI
    • Labels: None

    Description

      The cli's SSL configuration should be expanded to support using PKCS11 keystores/truststores. Currently it does not appear to be possible to configure the keystore/truststore type in the jboss-cli.xml file.

      This is problematic when the JVM is running in FIPS mode.

      The cli throws the following exception on startup:

      $ ./bin/jboss-cli.sh
      org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
      at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541)
      at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291)
      at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76)
      at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294)
      at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277)
      at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at org.jboss.modules.Module.run(Module.java:312)
      at org.jboss.modules.Main.main(Main.java:460)
      Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
      at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126)
      at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89)
      at javax.net.ssl.SSLContext.init(SSLContext.java:283)
      at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537)
      ... 11 more

      It is possible to work around the issue by setting the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file:

      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
      JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
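The system-property workaround above makes the default SSLContext pick up the PKCS11 token; what the CLI itself would need to do, once jboss-cli.xml can express a keystore type, is build its SSLContext from PKCS11-backed KeyStore objects. The following is an added illustration of that, not code from WildFly or from the reporter. It assumes a SunPKCS11 provider (for example the NSS FIPS module) is already registered in java.security, that the token PIN is supplied in an environment variable named PKCS11_PIN (a name chosen for this example), and that the same token holds both the client key and the trusted certificates.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from PKCS11 key/trust stores, as a CLI could when the JVM
 * runs in FIPS mode. Added example; not part of WildFly Core.
 */
public final class Pkcs11SslContext {

    private Pkcs11SslContext() {
    }

    /**
     * Loads the PKCS11 keystore. The token itself is the store, so no stream is
     * passed; this is the programmatic equivalent of "-Djavax.net.ssl.keyStore=NONE"
     * with "-Djavax.net.ssl.keyStoreType=PKCS11". The PIN is the load password.
     */
    static KeyStore loadPkcs11(char[] pin) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        return ks;
    }

    /**
     * Assembles an SSLContext whose key and trust material both come from the token.
     * The default TrustManagerFactory algorithm (PKIX) is provided by SunJSSE, which is
     * the only TrustManager the JVM accepts in FIPS mode, as the exception in this
     * issue shows; a custom TrustManager would fail at SSLContext.init().
     */
    static SSLContext build(char[] keyPin, char[] trustPin)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = loadPkcs11(keyPin);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPin);

        KeyStore trustStore = loadPkcs11(trustPin);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Read the PIN from the environment (assumed variable name) rather than a -D
        // option, so it does not appear in the JVM's command line.
        String pin = System.getenv("PKCS11_PIN");
        if (pin == null || pin.isEmpty()) {
            throw new IllegalStateException("PKCS11_PIN is not set");
        }
        char[] pinChars = pin.toCharArray();
        try {
            SSLContext ctx = build(pinChars, pinChars);
            System.out.println("Initialised " + ctx.getProtocol()
                    + " context using provider " + ctx.getProvider().getName());
        } finally {
            java.util.Arrays.fill(pinChars, '\0');
        }
    }
}
```

Two points worth keeping in mind with the jboss-cli.sh workaround itself: passing the PIN through -Djavax.net.ssl.keyStorePassword places it in the JVM's argument list, where any local user can read it with ps, and because the properties are global JVM defaults they apply to every SSLContext the CLI process creates, not just the one used for the management connection.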


People

  Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
  Reporter: Derek Horton (rhn-support-dehort)
  Votes: 0
  Watchers: 4
