Darran Lofthouse updated WFCORE-3034:
-------------------------------------
Fix Version/s: 3.0.0.Beta28
CLI with PKCS11 keystore cannot connect to server and throws java.security.KeyManagementException
-------------------------------------------------------------------------------------------------
Key: WFCORE-3034
URL: https://issues.jboss.org/browse/WFCORE-3034
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Priority: Blocker
Labels: eap7.1-rfe-failure
Fix For: 3.0.0.Beta28
When trying to connect with CLI to server using PKCS11 (and FIPS):
* CLI can connect with the old workaround described in 7.0 documentation
{code}
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
{code}
* When providing -Dwildfly.config.url, no matter what's in the path (even if it's a
non-existent file), CLI throws the following error:
{code}
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used:
FIPS mode: only SunJSSE TrustManagers may be used
{code}
* If I set up BOTH the JAVA_OPTS and wildfly-config.xml, the config is parsed properly
(throwing errors in case of wrong path, malformed xml etc.) and CLI connects
successfully.
I'm marking it as a blocker now, since this is basically the functionality required
by EAP7-610. But the old workaround still works just fine, so I think this isn't high
priority if we're ok to postpone the RFE.
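As an added illustration, not part of this report or of WildFly's own sources: the shape of a client wildfly-config.xml that points the CLI at a PKCS11 keystore and truststore, i.e. the file -Dwildfly.config.url would reference. Element and attribute names follow the Elytron client configuration schema as documented for this release line; the namespace version, the provider name and the certificate alias are assumptions, and the PIN is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <!-- Namespace version is an assumption; it differs between Elytron releases. -->
    <authentication-client xmlns="urn:elytron:1.0">
        <key-stores>
            <!-- A PKCS11 keystore has no backing file: the token is reached through
                 the provider, so no <file> or <resource> child is given.
                 The provider name is an assumption for a SunPKCS11/NSS setup. -->
            <key-store name="hsm-keystore" type="PKCS11" provider="SunPKCS11-NSS">
                <!-- Constructed placeholder token PIN. -->
                <key-store-clear-password password="REPLACE_WITH_TOKEN_PIN"/>
            </key-store>
        </key-stores>
        <ssl-contexts>
            <ssl-context name="cli-fips-context">
                <!-- Trust anchors are read from the same token. -->
                <trust-store key-store-name="hsm-keystore"/>
                <!-- Client certificate for mutual TLS; the alias is an assumption. -->
                <key-store-ssl-certificate key-store-name="hsm-keystore" alias="cli-client"/>
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <!-- Apply the context to every outbound TLS connection the CLI opens. -->
            <rule use-ssl-context="cli-fips-context"/>
        </ssl-context-rules>
    </authentication-client>
</configuration>
```

As the report describes, before the fix this file on its own was not enough in FIPS mode: the JAVA_OPTS workaround had to remain in place alongside it for the CLI to connect.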