Brian Stansberry updated WFCORE-2295:
-------------------------------------
Component/s: Security
org.jboss.as.domain-management does not permit non-JKS file keystore
--------------------------------------------------------------------
Key: WFCORE-2295
URL: https://issues.jboss.org/browse/WFCORE-2295
Project: WildFly Core
Issue Type: Bug
Components: Domain Management, Security
Environment: Java 1.8.0_121, EAP 6.4.13
Reporter: Rich Lucente
Assignee: Brian Stansberry
Labels: eap, fips, management, security
Attachments: ProviderFileKeyManagerService.java, ProviderFileKeystore.java,
ProviderFileTrustManagerService.java, SecurityRealmAddHandler.java
org.jboss.as.domain-management subsystem only enables users to specify either a
`provider` attribute or a `keystore-path` attribute but not both. Users wishing to use a
FIPS 140-2 certified provider are limited to the SunPKCS11 provider on RHEL. Non-JKS JCE
providers that require an alternative provider with a keystore-path cannot be configured
to secure the management interface.
With the recent FIPS 140-2 certification of pure java open source cryptographic modules,
government customers seek to secure EAP on multiple operating systems using FIPS certified
JCE providers. These same customers must use common criteria certified software and
follow DISA security technical implementation guidelines
(http://iase.disa.mil/stigs/app-security/app-servers/Pages/jboss.aspx). Currently, EAP 6
is the only option to meet both of those conditions.
The attached files incorporate changes to the org.jboss.as.domain.management.security
package to enable the use of file-based keystores that rely on alternative JCE providers
and that do not use JKS formatted keystores.
This configuration with the Bouncy Castle pure Java FIPS 140-2 certified provider and the
attached software changes enable securing the management interface:
{noformat}
...
<security-realm name="ManagementRealmHTTPS">
    <server-identities>
        <ssl protocol="TLS">
            <engine
                enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA
                    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
                    TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
                    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
                    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
                    TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
                enabled-protocols="TLSv1 TLSv1.1 TLSv1.2"/>
            <keystore provider="BCFKS"
                path="vault/vault.bcfks" relative-to="jboss.home.dir"
                keystore-password="admin1jboss_" alias="jbossweb"
                key-password="admin1jboss_"/>
        </ssl>
    </server-identities>
    <authentication>
        <properties path="https-mgmt-users.properties"
            relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>
...
{noformat}
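Added illustration, not code from the attached files or from WildFly itself: the core step the attached changes need, loading a file-based keystore of a non-JKS type through an explicitly named JCE provider and building a server SSLContext from it. The class and method names are invented for this example, and it assumes the Bouncy Castle FIPS provider has already been registered under the name BCFIPS (for instance via the java.security provider list).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Example only: names are assumptions, not WildFly's domain-management API.
public final class ProviderKeystoreLoader {

    public static KeyStore loadKeyStore(String type, String providerName,
                                        String path, char[] password) throws Exception {
        // Fail early with a clear message if the provider was never registered
        // (for example when the FIPS jar is missing from the module path).
        Provider provider = Security.getProvider(providerName);
        if (provider == null) {
            throw new IllegalStateException("JCE provider not registered: " + providerName);
        }
        // Ask that provider for the keystore type (e.g. "BCFKS") instead of the
        // platform default, which only understands JKS/PKCS12 files.
        KeyStore ks = KeyStore.getInstance(type, provider);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static SSLContext buildServerContext(KeyStore ks, String alias,
                                                char[] keyPassword) throws Exception {
        // The alias from <keystore alias="..."> must be a private-key entry;
        // otherwise the server has no certificate to present in the handshake.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias is not a key entry: " + alias);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        // Restrict the context to TLSv1.2, the newest protocol in the config above.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }
}
```

With the configuration above this corresponds to loadKeyStore("BCFKS", "BCFIPS", "<jboss.home.dir>/vault/vault.bcfks", password) followed by buildServerContext(ks, "jbossweb", keyPassword).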