[JBoss JIRA] (WFLY-9973) WildFly 12 IIOP always requires SSL
by Ivan Straka (JIRA)
Ivan Straka created WFLY-9973:
---------------------------------
Summary: WildFly 12 IIOP always requires SSL
Key: WFLY-9973
URL: https://issues.jboss.org/browse/WFLY-9973
Project: WildFly
Issue Type: Bug
Components: IIOP
Affects Versions: 12.0.0.Final, 11.0.0.Final
Reporter: Ivan Straka
Assignee: Tomasz Adamski
When app deployed to WF 10.1 calls an EJB deployed to WF 12.0 via IIOP, the call will fail because WF 12.0 responds (Location Forward message - GIOP protocol) that It requires SSL even if It does not (to the best of my knowledge).
WF 12.0 standard IIOP subystem configuration:
{code:xml}
<subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.0">
<orb socket-binding="iiop"/>
<initializers security="identity" transactions="spec"/>
<security server-requires-ssl="false" client-requires-ssl="false"/>
</subsystem>
{code}
It is observable [here|https://github.com/wildfly/wildfly/blob/10.1.0.Final/iiop-openjdk/sr...] (client side debugging). ssl.target_requires is true and ssl.target_supports is false.
This does not happen when
* server side is WF 10.1 - ssl.target_requires is false and ssl.target_supports is true.
* client side is WF 12.0 - it works due to better condition at client side [here|https://github.com/wildfly/wildfly/blob/12.0.0.Final/iiop-openjdk/sr...] which results to not using SSL
If IIOP subsystem is configured to use iiop ssl socket, It will work - EAP just does not responds correctly if ssl is not configured.
It is possible that I have malconfigured server side EAP and I am missing something.
Deployments used as reproducers are simple.
client-side: simple servlet that calls an EJB
{code:java}
@WebServlet(urlPatterns = "/")
public class ClientServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
try {
Context ctx = new InitialContext(new Properties());
Object iiopObj = ctx.lookup("corbaname:iiop:127.0.0.1:3628#Bean");
BeanHome home = (BeanHome) PortableRemoteObject.narrow(iiopObj, BeanHome.class);
BeanRemote beanRemote = home.create();
String string = beanRemote.invoke();
System.out.println("Bean obtained by IIOP returned: " + string);
resp.getWriter().append("Bean obtained by IIOP returned: ").append(string).append("\n");
} catch (Exception e) {
resp.getWriter().append("Calling bean failed: ");
e.printStackTrace(resp.getWriter());
throw new RuntimeException(e);
}
}
}
{code}
server-side: simple EJB
{code:java}
public class Bean {
public String invoke() {
return "server side invocation: success";
}
}
{code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 4 months
[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure
by Rich Lucente (JIRA)
[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ]
Rich Lucente commented on WFLY-9969:
------------------------------------
Also, note that BCFIPS is certified for Java 7 and 8 per the [BCFIPS FAQ|https://www.bouncycastle.org/fips_faq.html#JAVA]:
Q2. What JVMs are the APIs currently certified for?
The current APIs are certified for Java 1.7 and Java 1.8.
Compatibility with Oracle Java 9 would be a re-certification effort for them. Per [Oracle Java Support Roadmap|http://www.oracle.com/technetwork/java/eol-135779.html] Java 8 is supported until January 2019 with paid support going to December 2020 or later. Java 9 and 10 (18.3) are interim releases with Java 11 (18.9) getting long term support. We have many more options with OpenJDK, so also nudge users in that direction.
I'll reach out to [~bilge] to see if we've engaged with Bouncy Castle to nudge them toward Java 18.9 certification once it's available and to look at compatibility (though not certified) with Java 9 and 10 (18.3).
> JDK9 + FIPS BC, unable to configure
> -----------------------------------
>
> Key: WFLY-9969
> URL: https://issues.jboss.org/browse/WFLY-9969
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 12.0.0.Final
> Reporter: Martin Choma
>
> * Configure BouncyCastleFipsProvider in java
> {code:title=$\{jdk9_home\}/conf/security/java.security}
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> security.provider.2=SUN
> security.provider.3=SunRsaSign
> security.provider.4=SunEC
> security.provider.5=SunJSSE BCFIPS
> security.provider.6=SunJCE
> security.provider.7=SunJGSS
> security.provider.8=SunSASL
> security.provider.9=XMLDSig
> security.provider.10=SunPCSC
> security.provider.11=JdkLDAP
> security.provider.12=JdkSASL
> security.provider.13=SunPKCS11
> {code}
> * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar
> {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}}
> * Configure additional logging
> {code}
> /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
> /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL)
> {code}
> * Run CLI command usink BCFKS key store type
> {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}}
> * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved
> {code}
> =========================================================================
> JBoss Bootstrap Environment
> JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2
> JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java
> JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n
> =========================================================================
> ...
> 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
> 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service.
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.base/java.lang.Thread.run(Thread.java:844)
> Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS'
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156)
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110)
> ... 8 more
> {code}
> * With same java I can run succesfully this java code
> {code:java|title=TestBCLoaded.java}
> import java.security.*;
> public class TestBCLoaded {
> public static void main(String[] args) {
> Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BCFIPS");
> if (p==null){
> System.out.println("Not Loaded: BCFIPS");
> } else {
> System.out.println("Provider name is " + p.getName());
> System.out.println("Provider version # is " + p.getVersion());
> System.out.println("Provider info is " + p.getInfo());
> }
> }
> }
> {code}
> {code}
> [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded
> Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> Not Loaded: BouncyCastleFipsProvider
> Provider name is BCFIPS
> Provider version # is 0.9
> Provider info is BouncyCastle Security Provider (FIPS edition) v0.90
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 4 months
[JBoss JIRA] (WFLY-9955) Compatibility problem: allow a timeout value of "0" to be set
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/WFLY-9955?page=com.atlassian.jira.plugin.... ]
David Lloyd commented on WFLY-9955:
-----------------------------------
In addition to the management model change to allow zero as a timeout value, I think it might be smart to introduce a {{maximum-timeout}} management model attribute which clamps the configured transaction timeout to the given value. Then a zero value could mean "use the maximum".
> Compatibility problem: allow a timeout value of "0" to be set
> -------------------------------------------------------------
>
> Key: WFLY-9955
> URL: https://issues.jboss.org/browse/WFLY-9955
> Project: WildFly
> Issue Type: Bug
> Components: Transactions
> Reporter: David Lloyd
> Assignee: Tom Jenkinson
>
> Previously we allowed a transaction timeout value of "0" to be set in the transaction subsystem, meaning "no transaction timeout". After the WF 11 changes, we've stopped allowing that value to be set. This behavior should be restored, with "0" translating into some "very large" value.
> The transaction team has indicated that using {{Integer.MAX_VALUE}} has historically exhibited problems, so a different, smaller-but-still-large value should be used in this case.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 4 months
[JBoss JIRA] (WFLY-9970) WildFly 12.0.0.Final + Java 9 ignores @WebServlet
by Анатолий Широков (JIRA)
[ https://issues.jboss.org/browse/WFLY-9970?page=com.atlassian.jira.plugin.... ]
Анатолий Широков updated WFLY-9970:
-----------------------------------
Workaround Description: wildfly-12.0.0.Final\modules\system\layers\base\org\jboss\jandex\main\jandex-2.0.4.Final.jar must be replaced on jandex-2.0.3.Final.jar from wildfly-11.0.0.Final
> WildFly 12.0.0.Final + Java 9 ignores @WebServlet
> -------------------------------------------------
>
> Key: WFLY-9970
> URL: https://issues.jboss.org/browse/WFLY-9970
> Project: WildFly
> Issue Type: Bug
> Components: EE
> Affects Versions: 12.0.0.Final
> Environment: os: Windows Proffessional 7 64 bit
> jdk: Oracle JDK 9.0.4, Oracle JDK 1.8.0_162
> mvn: Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T10:58:13+03:00)
> Reporter: Анатолий Широков
>
> I have WildFly 12.0.0.Final server running on JDK 9. I have simple maven based annotated servlet project: https://github.com/anatoly-spb/simple-annotated-servlet .
> If I build my project with Java 9, WildFly does not see @WebServlet annotation. If I build my project with Java 1.8, WildFly uses @WebServlet annotation and works as expected.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 4 months
[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ]
David Lloyd commented on WFLY-9969:
-----------------------------------
Once we require Java 9 (well, probably Java 11), we'll launch in a different way, something like this:
{code:sh}
java "$JAVA_ARGS" \
--module-path boot-modules \
--module org.jboss.modules \
-mp modules \
org.jboss.as.standalone \
-Djboss.home.dir="$JBOSS_HOME" \
-Djboss.server.base.dir="$JBOSS_BASE_DIR" \
"$SERVER_OPTS"
{code}
This means that we could allow extra modules to be installed in a {{boot-modules}} directory, including Java 9 aware security providers which can install themselves even earlier. They still would need the "provides java.security.Provider" in their module descriptor though, so it's probably easier to stick with the JBoss Modules way. See [the Provider JavaDoc in 9+|https://docs.oracle.com/javase/9/docs/api/java/security/Provider.html] for more information on that.
> JDK9 + FIPS BC, unable to configure
> -----------------------------------
>
> Key: WFLY-9969
> URL: https://issues.jboss.org/browse/WFLY-9969
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 12.0.0.Final
> Reporter: Martin Choma
>
> * Configure BouncyCastleFipsProvider in java
> {code:title=$\{jdk9_home\}/conf/security/java.security}
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> security.provider.2=SUN
> security.provider.3=SunRsaSign
> security.provider.4=SunEC
> security.provider.5=SunJSSE BCFIPS
> security.provider.6=SunJCE
> security.provider.7=SunJGSS
> security.provider.8=SunSASL
> security.provider.9=XMLDSig
> security.provider.10=SunPCSC
> security.provider.11=JdkLDAP
> security.provider.12=JdkSASL
> security.provider.13=SunPKCS11
> {code}
> * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar
> {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}}
> * Configure additional logging
> {code}
> /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
> /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL)
> {code}
> * Run CLI command usink BCFKS key store type
> {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}}
> * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved
> {code}
> =========================================================================
> JBoss Bootstrap Environment
> JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2
> JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java
> JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n
> =========================================================================
> ...
> 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
> 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service.
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.base/java.lang.Thread.run(Thread.java:844)
> Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS'
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156)
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110)
> ... 8 more
> {code}
> * With same java I can run succesfully this java code
> {code:java|title=TestBCLoaded.java}
> import java.security.*;
> public class TestBCLoaded {
> public static void main(String[] args) {
> Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BCFIPS");
> if (p==null){
> System.out.println("Not Loaded: BCFIPS");
> } else {
> System.out.println("Provider name is " + p.getName());
> System.out.println("Provider version # is " + p.getVersion());
> System.out.println("Provider info is " + p.getInfo());
> }
> }
> }
> {code}
> {code}
> [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded
> Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> Not Loaded: BouncyCastleFipsProvider
> Provider name is BCFIPS
> Provider version # is 0.9
> Provider info is BouncyCastle Security Provider (FIPS edition) v0.90
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 4 months
[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ]
David Lloyd commented on WFLY-9969:
-----------------------------------
For registering it globally - in WildFly at least...
* If we want BC to always be registered in WildFly, it should be added as a dependency to the boot module(s) along with a {{META-INF/services}} file which lists any Provider classes in BC that we want to register (I assume just one but this strategy supports more than one).
* In jboss-modules 1.8+, you can now add an "-add-provider <module-name>/<class-name>" argument and have that provided loaded and installed at boot as well.
> JDK9 + FIPS BC, unable to configure
> -----------------------------------
>
> Key: WFLY-9969
> URL: https://issues.jboss.org/browse/WFLY-9969
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 12.0.0.Final
> Reporter: Martin Choma
>
> * Configure BouncyCastleFipsProvider in java
> {code:title=$\{jdk9_home\}/conf/security/java.security}
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> security.provider.2=SUN
> security.provider.3=SunRsaSign
> security.provider.4=SunEC
> security.provider.5=SunJSSE BCFIPS
> security.provider.6=SunJCE
> security.provider.7=SunJGSS
> security.provider.8=SunSASL
> security.provider.9=XMLDSig
> security.provider.10=SunPCSC
> security.provider.11=JdkLDAP
> security.provider.12=JdkSASL
> security.provider.13=SunPKCS11
> {code}
> * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar
> {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}}
> * Configure additional logging
> {code}
> /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
> /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL)
> {code}
> * Run CLI command usink BCFKS key store type
> {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}}
> * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved
> {code}
> =========================================================================
> JBoss Bootstrap Environment
> JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2
> JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java
> JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n
> =========================================================================
> ...
> 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
> 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service.
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.base/java.lang.Thread.run(Thread.java:844)
> Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS'
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156)
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110)
> ... 8 more
> {code}
> * With same java I can run succesfully this java code
> {code:java|title=TestBCLoaded.java}
> import java.security.*;
> public class TestBCLoaded {
> public static void main(String[] args) {
> Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BCFIPS");
> if (p==null){
> System.out.println("Not Loaded: BCFIPS");
> } else {
> System.out.println("Provider name is " + p.getName());
> System.out.println("Provider version # is " + p.getVersion());
> System.out.println("Provider info is " + p.getInfo());
> }
> }
> }
> {code}
> {code}
> [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded
> Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> Not Loaded: BouncyCastleFipsProvider
> Provider name is BCFIPS
> Provider version # is 0.9
> Provider info is BouncyCastle Security Provider (FIPS edition) v0.90
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 4 months
[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ]
David Lloyd edited comment on WFLY-9969 at 3/7/18 7:48 AM:
-----------------------------------------------------------
For registering it globally - in WildFly at least...
* If we want BC to always be registered in WildFly, it should be added as a dependency to the boot module(s) along with a {{META-INF/services}} file which lists any Provider classes in BC that we want to register (I assume just one but this strategy supports more than one).
* In jboss-modules 1.8+, you can now add an "-add-provider <module-name>/<class-name>" argument and have that provider loaded and installed at boot as well.
was (Author: dmlloyd):
For registering it globally - in WildFly at least...
* If we want BC to always be registered in WildFly, it should be added as a dependency to the boot module(s) along with a {{META-INF/services}} file which lists any Provider classes in BC that we want to register (I assume just one but this strategy supports more than one).
* In jboss-modules 1.8+, you can now add an "-add-provider <module-name>/<class-name>" argument and have that provided loaded and installed at boot as well.
> JDK9 + FIPS BC, unable to configure
> -----------------------------------
>
> Key: WFLY-9969
> URL: https://issues.jboss.org/browse/WFLY-9969
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 12.0.0.Final
> Reporter: Martin Choma
>
> * Configure BouncyCastleFipsProvider in java
> {code:title=$\{jdk9_home\}/conf/security/java.security}
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> security.provider.2=SUN
> security.provider.3=SunRsaSign
> security.provider.4=SunEC
> security.provider.5=SunJSSE BCFIPS
> security.provider.6=SunJCE
> security.provider.7=SunJGSS
> security.provider.8=SunSASL
> security.provider.9=XMLDSig
> security.provider.10=SunPCSC
> security.provider.11=JdkLDAP
> security.provider.12=JdkSASL
> security.provider.13=SunPKCS11
> {code}
> * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar
> {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}}
> * Configure additional logging
> {code}
> /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
> /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL)
> {code}
> * Run CLI command usink BCFKS key store type
> {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}}
> * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved
> {code}
> =========================================================================
> JBoss Bootstrap Environment
> JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2
> JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java
> JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n
> =========================================================================
> ...
> 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
> 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service.
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
> at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.base/java.lang.Thread.run(Thread.java:844)
> Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS'
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156)
> at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110)
> ... 8 more
> {code}
> * With same java I can run succesfully this java code
> {code:java|title=TestBCLoaded.java}
> import java.security.*;
> public class TestBCLoaded {
> public static void main(String[] args) {
> Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BouncyCastleFipsProvider");
> if (p==null){
> System.out.println("Not Loaded: BouncyCastleFipsProvider");
> }
> p = Security.getProvider("BCFIPS");
> if (p==null){
> System.out.println("Not Loaded: BCFIPS");
> } else {
> System.out.println("Provider name is " + p.getName());
> System.out.println("Provider version # is " + p.getVersion());
> System.out.println("Provider info is " + p.getInfo());
> }
> }
> }
> {code}
> {code}
> [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded
> Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> Not Loaded: BouncyCastleFipsProvider
> Provider name is BCFIPS
> Provider version # is 0.9
> Provider info is BouncyCastle Security Provider (FIPS edition) v0.90
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 4 months