March 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ] Martin Choma commented on WFLY-9969: ------------------------------------ Letting you know, because you may be interested [~fjuma] [~dmlloyd] [~rlucente-se-jboss]. Can't you spot a problem in my configuration? > JDK9 + FIPS BC, unable to configure > ----------------------------------- > > Key: WFLY-9969 > URL: https://issues.jboss.org/browse/WFLY-9969 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.Final > Reporter: Martin Choma > > * Configure BouncyCastleFipsProvider in java > {code:title=$\{jdk9_home\}/conf/security/java.security} > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > security.provider.2=SUN > security.provider.3=SunRsaSign > security.provider.4=SunEC > security.provider.5=SunJSSE BCFIPS > security.provider.6=SunJCE > security.provider.7=SunJGSS > security.provider.8=SunSASL > security.provider.9=XMLDSig > security.provider.10=SunPCSC > security.provider.11=JdkLDAP > security.provider.12=JdkSASL > security.provider.13=SunPKCS11 > {code} > * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar > {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} > * Configure additional logging > {code} > /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) > /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) > {code} > * Run CLI command usink BCFKS key store type > {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} > * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved > {code} > ========================================================================= > JBoss Bootstrap Environment > JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 > JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java > JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n > ========================================================================= > ... > 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] > 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.base/java.lang.Thread.run(Thread.java:844) > Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) > ... 8 more > {code} > * With same java I can run succesfully this java code > {code:java|title=TestBCLoaded.java} > import java.security.*; > public class TestBCLoaded { > public static void main(String[] args) { > Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > } > p = Security.getProvider("BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: BouncyCastleFipsProvider"); > } > p = Security.getProvider("BCFIPS"); > if (p==null){ > System.out.println("Not Loaded: BCFIPS"); > } else { > System.out.println("Provider name is " + p.getName()); > System.out.println("Provider version # is " + p.getVersion()); > System.out.println("Provider info is " + p.getInfo()); > } > } > } > {code} > {code} > [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded > Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > Not Loaded: BouncyCastleFipsProvider > Provider name is BCFIPS > Provider version # is 0.9 > Provider info is BouncyCastle Security Provider (FIPS edition) v0.90 > {code} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9968) Provides jboss-deployment-structure.xml for all known applications, or a tool to generate it.

by Gaétan QUENTIN (JIRA)

[ https://issues.jboss.org/browse/WFLY-9968?page=com.atlassian.jira.plugin.... ] Gaétan QUENTIN updated WFLY-9968: --------------------------------- Summary: Provides jboss-deployment-structure.xml for all known applications, or a tool to generate it. (was: Provides jboss-deployment-structure.xml for all known applications) > Provides jboss-deployment-structure.xml for all known applications, or a tool to generate it. > --------------------------------------------------------------------------------------------- > > Key: WFLY-9968 > URL: https://issues.jboss.org/browse/WFLY-9968 > Project: WildFly > Issue Type: Feature Request > Components: CLI, Documentation > Affects Versions: 10.0.0.Final, 11.0.0.Final, 12.0.0.Final > Environment: all > Reporter: Gaétan QUENTIN > Assignee: Jean-Francois Denise > > It is very painfull to deploy applications since modules system introduction. > The modules conflicts it has introduced is very difficult to understand , and we cannot afford to waste so many time to deploy war applications , trying to desactivate some modules or some subsystems and see what happens. > Exemple? apache archiva. Since wildfly 10, i desesperatly try to integrate it as war in wildfly. > There is always conflicts: first of one is cxf. But if you exclude it, there are bunch of others problems etc. > So, couldn't it be possible for you to provide the jboss-deployment-structure.xml needed for each well known application, or better, provide a tool which would do it automaticaly? -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9962) ReverseProxyTestCase fails when running after ForwardedHandlerTestCase

by Jan Stourac (JIRA)

[ https://issues.jboss.org/browse/WFLY-9962?page=com.atlassian.jira.plugin.... ] Jan Stourac commented on WFLY-9962: ----------------------------------- Root of the problem is caused by the fact that {{ForwardedHandler}} is actually executed after the {{ForwardedTestHelperHandler}} that prepares value of {{forwarded-test-header}} header which is then checked and compared in the test itself. Since I don't know how to effectively prioritize handlers in this case (registered via undertow-handlers.conf and via jboss-web.xml) and since functionality this test checks is effectively covered by combination of following two tests: {code} testRewriteGlobalSettings testRewriteWithUndertowHandlersServlet {code} I decided to remove the test that started to fail after the added reload operation. Here is my [MR|https://github.com/wildfly/wildfly/pull/10980]. > ReverseProxyTestCase fails when running after ForwardedHandlerTestCase > ---------------------------------------------------------------------- > > Key: WFLY-9962 > URL: https://issues.jboss.org/browse/WFLY-9962 > Project: WildFly > Issue Type: Bug > Components: Test Suite > Affects Versions: 12.0.0.Final > Reporter: Jan Kalina > > When ForwardedHandlerTestCase installs {{/subsystem=undertow/configuration=filter/expression-filter=ff}}, even through it removes it after, {{/proxy}} location defined as part of ReverseProxyTestCase setup returns error 404: > {code} > testReverseProxy(org.jboss.as.test.integration.web.reverseproxy.ReverseProxyTestCase) Time elapsed: 0.087 sec <<< FAILURE! > java.lang.AssertionError: expected:<200> but was:<404> > {code} > * Direct calling of {{/server1/name}} and {{/server2/name}} from the same tests gives 200 correctly. > * When I comment out the ff filter setup (or skip whole ForwardedHandlerTestCase), ReverseProxyTestCase suceed. > * When I copy configuration and deployments from running test and run in standalone server outside of test, proxy works correctly. > As it is unrelated to my original issue in the end, keeping unassigned. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9962) ReverseProxyTestCase fails when running after ForwardedHandlerTestCase

by Jan Stourac (JIRA)

[ https://issues.jboss.org/browse/WFLY-9962?page=com.atlassian.jira.plugin.... ] Jan Stourac reassigned WFLY-9962: --------------------------------- Assignee: Jan Stourac > ReverseProxyTestCase fails when running after ForwardedHandlerTestCase > ---------------------------------------------------------------------- > > Key: WFLY-9962 > URL: https://issues.jboss.org/browse/WFLY-9962 > Project: WildFly > Issue Type: Bug > Components: Test Suite > Affects Versions: 12.0.0.Final > Reporter: Jan Kalina > Assignee: Jan Stourac > > When ForwardedHandlerTestCase installs {{/subsystem=undertow/configuration=filter/expression-filter=ff}}, even through it removes it after, {{/proxy}} location defined as part of ReverseProxyTestCase setup returns error 404: > {code} > testReverseProxy(org.jboss.as.test.integration.web.reverseproxy.ReverseProxyTestCase) Time elapsed: 0.087 sec <<< FAILURE! > java.lang.AssertionError: expected:<200> but was:<404> > {code} > * Direct calling of {{/server1/name}} and {{/server2/name}} from the same tests gives 200 correctly. > * When I comment out the ff filter setup (or skip whole ForwardedHandlerTestCase), ReverseProxyTestCase suceed. > * When I copy configuration and deployments from running test and run in standalone server outside of test, proxy works correctly. > As it is unrelated to my original issue in the end, keeping unassigned. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9969: ------------------------------- Description: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command usink BCFKS key store type {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} * With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {code} [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90 {code} was: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command usink BCFKS key store type {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} > JDK9 + FIPS BC, unable to configure > ----------------------------------- > > Key: WFLY-9969 > URL: https://issues.jboss.org/browse/WFLY-9969 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.Final > Reporter: Martin Choma > > * Configure BouncyCastleFipsProvider in java > {code:title=$\{jdk9_home\}/conf/security/java.security} > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > security.provider.2=SUN > security.provider.3=SunRsaSign > security.provider.4=SunEC > security.provider.5=SunJSSE BCFIPS > security.provider.6=SunJCE > security.provider.7=SunJGSS > security.provider.8=SunSASL > security.provider.9=XMLDSig > security.provider.10=SunPCSC > security.provider.11=JdkLDAP > security.provider.12=JdkSASL > security.provider.13=SunPKCS11 > {code} > * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar > {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} > * Configure additional logging > {code} > /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) > /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) > {code} > * Run CLI command usink BCFKS key store type > {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} > * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved > {code} > ========================================================================= > JBoss Bootstrap Environment > JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 > JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java > JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n > ========================================================================= > ... > 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] > 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.base/java.lang.Thread.run(Thread.java:844) > Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) > ... 8 more > {code} > * With same java I can run succesfully this java code > {code:java|title=TestBCLoaded.java} > import java.security.*; > public class TestBCLoaded { > public static void main(String[] args) { > Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > } > p = Security.getProvider("BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: BouncyCastleFipsProvider"); > } > p = Security.getProvider("BCFIPS"); > if (p==null){ > System.out.println("Not Loaded: BCFIPS"); > } else { > System.out.println("Provider name is " + p.getName()); > System.out.println("Provider version # is " + p.getVersion()); > System.out.println("Provider info is " + p.getInfo()); > } > } > } > {code} > {code} > [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded > Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > Not Loaded: BouncyCastleFipsProvider > Provider name is BCFIPS > Provider version # is 0.9 > Provider info is BouncyCastle Security Provider (FIPS edition) v0.90 > {code} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9969: ------------------------------- Description: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command usink BCFKS key store type {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} * With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {code} [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90 {code} was: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command usink BCFKS key store type {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} * With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {code} [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90 {code} > JDK9 + FIPS BC, unable to configure > ----------------------------------- > > Key: WFLY-9969 > URL: https://issues.jboss.org/browse/WFLY-9969 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.Final > Reporter: Martin Choma > > * Configure BouncyCastleFipsProvider in java > {code:title=$\{jdk9_home\}/conf/security/java.security} > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > security.provider.2=SUN > security.provider.3=SunRsaSign > security.provider.4=SunEC > security.provider.5=SunJSSE BCFIPS > security.provider.6=SunJCE > security.provider.7=SunJGSS > security.provider.8=SunSASL > security.provider.9=XMLDSig > security.provider.10=SunPCSC > security.provider.11=JdkLDAP > security.provider.12=JdkSASL > security.provider.13=SunPKCS11 > {code} > * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar > {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} > * Configure additional logging > {code} > /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) > /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) > {code} > * Run CLI command usink BCFKS key store type > {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} > * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved > {code} > ========================================================================= > JBoss Bootstrap Environment > JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 > JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java > JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n > ========================================================================= > ... > 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] > 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.base/java.lang.Thread.run(Thread.java:844) > Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) > ... 8 more > {code} > * With same java I can run succesfully this java code > {code:java|title=TestBCLoaded.java} > import java.security.*; > public class TestBCLoaded { > public static void main(String[] args) { > Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > } > p = Security.getProvider("BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: BouncyCastleFipsProvider"); > } > p = Security.getProvider("BCFIPS"); > if (p==null){ > System.out.println("Not Loaded: BCFIPS"); > } else { > System.out.println("Provider name is " + p.getName()); > System.out.println("Provider version # is " + p.getVersion()); > System.out.println("Provider info is " + p.getInfo()); > } > } > } > {code} > {code} > [mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded > Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > Not Loaded: BouncyCastleFipsProvider > Provider name is BCFIPS > Provider version # is 0.9 > Provider info is BouncyCastle Security Provider (FIPS edition) v0.90 > {code} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9969: ------------------------------- Description: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command usink BCFKS key store type {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} was: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command usink BCFKS key store type {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} > JDK9 + FIPS BC, unable to configure > ----------------------------------- > > Key: WFLY-9969 > URL: https://issues.jboss.org/browse/WFLY-9969 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.Final > Reporter: Martin Choma > > * Configure BouncyCastleFipsProvider in java > {code:title=$\{jdk9_home\}/conf/security/java.security} > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > security.provider.2=SUN > security.provider.3=SunRsaSign > security.provider.4=SunEC > security.provider.5=SunJSSE BCFIPS > security.provider.6=SunJCE > security.provider.7=SunJGSS > security.provider.8=SunSASL > security.provider.9=XMLDSig > security.provider.10=SunPCSC > security.provider.11=JdkLDAP > security.provider.12=JdkSASL > security.provider.13=SunPKCS11 > {code} > * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar > {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} > * Configure additional logging > {code} > /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) > /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) > {code} > * Run CLI command usink BCFKS key store type > {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}} > * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved > {code} > ========================================================================= > JBoss Bootstrap Environment > JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 > JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java > JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n > ========================================================================= > ... > 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] > 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.base/java.lang.Thread.run(Thread.java:844) > Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) > ... 8 more > {code} > With same java I can run succesfully this java code > {code:java|title=TestBCLoaded.java} > import java.security.*; > public class TestBCLoaded { > public static void main(String[] args) { > Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > } > p = Security.getProvider("BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: BouncyCastleFipsProvider"); > } > p = Security.getProvider("BCFIPS"); > if (p==null){ > System.out.println("Not Loaded: BCFIPS"); > } else { > System.out.println("Provider name is " + p.getName()); > System.out.println("Provider version # is " + p.getVersion()); > System.out.println("Provider info is " + p.getInfo()); > } > } > } > {code} > {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded > Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > Not Loaded: BouncyCastleFipsProvider > Provider name is BCFIPS > Provider version # is 0.9 > Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-9969: ------------------------------- Description: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command usink BCFKS key store type {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} was: * Configure BouncyCastleFipsProvider in java {code:title=$\{jdk9_home\}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in ${jboss_home}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} > JDK9 + FIPS BC, unable to configure > ----------------------------------- > > Key: WFLY-9969 > URL: https://issues.jboss.org/browse/WFLY-9969 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.Final > Reporter: Martin Choma > > * Configure BouncyCastleFipsProvider in java > {code:title=$\{jdk9_home\}/conf/security/java.security} > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > security.provider.2=SUN > security.provider.3=SunRsaSign > security.provider.4=SunEC > security.provider.5=SunJSSE BCFIPS > security.provider.6=SunJCE > security.provider.7=SunJGSS > security.provider.8=SunSASL > security.provider.9=XMLDSig > security.provider.10=SunPCSC > security.provider.11=JdkLDAP > security.provider.12=JdkSASL > security.provider.13=SunPKCS11 > {code} > * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in $\{jboss_home\}/bin/standalone.conf put -cp option with bcfips jar > {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} > * Configure additional logging > {code} > /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) > /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) > {code} > * Run CLI command usink BCFKS key store type > {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})}} > * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved > {code} > ========================================================================= > JBoss Bootstrap Environment > JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 > JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java > JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n > ========================================================================= > ... > 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] > 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.base/java.lang.Thread.run(Thread.java:844) > Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) > ... 8 more > {code} > With same java I can run succesfully this java code > {code:java|title=TestBCLoaded.java} > import java.security.*; > public class TestBCLoaded { > public static void main(String[] args) { > Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > } > p = Security.getProvider("BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: BouncyCastleFipsProvider"); > } > p = Security.getProvider("BCFIPS"); > if (p==null){ > System.out.println("Not Loaded: BCFIPS"); > } else { > System.out.println("Provider name is " + p.getName()); > System.out.println("Provider version # is " + p.getVersion()); > System.out.println("Provider info is " + p.getInfo()); > } > } > } > {code} > {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded > Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > Not Loaded: BouncyCastleFipsProvider > Provider name is BCFIPS > Provider version # is 0.9 > Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.... ] Martin Choma reassigned WFLY-9969: ---------------------------------- Assignee: (was: Darran Lofthouse) > JDK9 + FIPS BC, unable to configure > ----------------------------------- > > Key: WFLY-9969 > URL: https://issues.jboss.org/browse/WFLY-9969 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 12.0.0.Final > Reporter: Martin Choma > > * Configure BouncyCastleFipsProvider in java > {code:title=$\{jdk9_home\}/conf/security/java.security} > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > security.provider.2=SUN > security.provider.3=SunRsaSign > security.provider.4=SunEC > security.provider.5=SunJSSE BCFIPS > security.provider.6=SunJCE > security.provider.7=SunJGSS > security.provider.8=SunSASL > security.provider.9=XMLDSig > security.provider.10=SunPCSC > security.provider.11=JdkLDAP > security.provider.12=JdkSASL > security.provider.13=SunPKCS11 > {code} > * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in ${jboss_home}/bin/standalone.conf put -cp option with bcfips jar > {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} > * Configure additional logging > {code} > /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) > /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) > {code} > * Run CLI command > {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})}} > * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved > {code} > ========================================================================= > JBoss Bootstrap Environment > JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 > JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java > JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n > ========================================================================= > ... > 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] > 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) > at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.base/java.lang.Thread.run(Thread.java:844) > Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) > at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) > ... 8 more > {code} > With same java I can run succesfully this java code > {code:java|title=TestBCLoaded.java} > import java.security.*; > public class TestBCLoaded { > public static void main(String[] args) { > Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); > } > p = Security.getProvider("BouncyCastleFipsProvider"); > if (p==null){ > System.out.println("Not Loaded: BouncyCastleFipsProvider"); > } > p = Security.getProvider("BCFIPS"); > if (p==null){ > System.out.println("Not Loaded: BCFIPS"); > } else { > System.out.println("Provider name is " + p.getName()); > System.out.println("Provider version # is " + p.getVersion()); > System.out.println("Provider info is " + p.getInfo()); > } > } > } > {code} > {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded > Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > Not Loaded: BouncyCastleFipsProvider > Provider name is BCFIPS > Provider version # is 0.9 > Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

by Martin Choma (JIRA)

Martin Choma created WFLY-9969: ---------------------------------- Summary: JDK9 + FIPS BC, unable to configure Key: WFLY-9969 URL: https://issues.jboss.org/browse/WFLY-9969 Project: WildFly Issue Type: Bug Components: Security Affects Versions: 12.0.0.Final Reporter: Martin Choma Assignee: Darran Lofthouse * Configure BouncyCastleFipsProvider in java {code:title=${jdk9_home}/conf/security/java.security} security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=SUN security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE BCFIPS security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11 {code} * configure -cp of java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GU.... It means in ${jboss_home}/bin/standalone.conf put -cp option with bcfips jar {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}} * Configure additional logging {code} /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL) {code} * Run CLI command {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})}} * For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved {code} ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2 JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java JAVA_OPTS: -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n ========================================================================= ... 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0] 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service. at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693) at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads@2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.base/java.lang.Thread.run(Thread.java:844) Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS' at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156) at org.wildfly.extension.elytron@4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110) ... 8 more {code} With same java I can run succesfully this java code {code:java|title=TestBCLoaded.java} import java.security.*; public class TestBCLoaded { public static void main(String[] args) { Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); } p = Security.getProvider("BouncyCastleFipsProvider"); if (p==null){ System.out.println("Not Loaded: BouncyCastleFipsProvider"); } p = Security.getProvider("BCFIPS"); if (p==null){ System.out.println("Not Loaded: BCFIPS"); } else { System.out.println("Provider name is " + p.getName()); System.out.println("Provider version # is " + p.getVersion()); System.out.println("Provider info is " + p.getInfo()); } } } {code} {{[mchoma@localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider Not Loaded: BouncyCastleFipsProvider Provider name is BCFIPS Provider version # is 0.9 Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira March 2018