[wildfly-dev] Supporting FIPS in domain mode

Brian Stansberry brian.stansberry at redhat.com
Thu Nov 19 11:38:26 EST 2015


On 11/19/15 10:07 AM, Darran Lofthouse wrote:
> On 19/11/15 15:50, Brian Stansberry wrote:
>> Darran's the expert on this, but my initial naive question is whether
>> this can be split into two logical use cases:
>>
>> 1) Where we know TLS is not going to be used on the HC<->server
>> connection.
>>
>> 2) Where we don't know that.
>>
>> I ask because if case 2 is harder or requires changes that don't belong
>> in a micro release (e.g. management model changes) perhaps we can first
>> deal with case 1. My impression from the initial bug report is that
>> SSL/TLS was not configured on the host's management interfaces.
>
> To get to the error in the bug report the underlying user has taken
> these two steps: -
>   1 - Configure the JVM to be FIPS Compliant.
>   2 - Start a default domain configuration.
>
> They have experienced the error and reported it to us.
>
> I would be very surprised if they were not planning to subsequently
> enable TLS for the remote communication with the HostController.
>

I can't say I disagree. :)

> I suppose at a push master may have no application server instances but
> have TLS enabled for remote communication and the individual slave host
> controllers only bind management to loopback so don't enable TLS.
>

With WildFly 9/10 the intra-domain comms can be running on a completely 
separate network from non-management stuff, so the possibility that 
traffic doesn't use TLS is a bit greater. But still not likely. In 
earlier versions this kind of setup is harder since CLI would talk to 
the DC over the same interface intra-domain comms use. With WF 9/10 the 
CLI could use HTTP Upgrade to talk to the DC on one network while 
intra-domain comms are on another network using the old native interface.

>>
>> On 11/19/15 4:25 AM, Ryan Emerson wrote:
>>> Hello All,
>>>
>>> Currently domain mode is unable to execute when the JVM has FIPS
>>> enabled. See [1] for example config files and the resulting stacktrace.
>>>
>>> I am looking into this issue (SET engineer), however my current
>>> knowledge of core and FIPS is limited. What are your thoughts on how
>>> to implement FIPS compatibility? Are there any fundamental reasons why
>>> such a feature shouldn't be supported?
>>>
>>> [1] https://issues.jboss.org/browse/WFCORE-1135
>>>
>>> Thanks
>>> Ryan
>>> _______________________________________________
>>> wildfly-dev mailing list
>>> wildfly-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>>
>>
>>


-- 
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat