[
https://issues.jboss.org/browse/WFCORE-644?page=com.atlassian.jira.plugin...
]
Darran Lofthouse commented on WFCORE-644:
-----------------------------------------
[~aloubyansky] FYI I have taken this one as the Elytron changes make Elytron client
configuration usable within the CLI and there we can perform advanced SSL configuration to
cover this kind of scenario.
jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores
-----------------------------------------------------------------------------------
Key: WFCORE-644
URL:
https://issues.jboss.org/browse/WFCORE-644
Project: WildFly Core
Issue Type: Bug
Components: CLI
Reporter: Derek Horton
Assignee: Darran Lofthouse
The cli's SSL configuration should be expanded to support using PKCS11
keystores/truststores. Currently it does not appear to be possible to configure the
keystore/truststore type in the jboss-cli.xml file.
This is problematic when the JVM is running in FIPS mode.
The cli throws the following exception on startup:
$ ./bin/jboss-cli.sh
org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541)
    at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291)
    at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76)
    at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294)
    at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277)
    at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.modules.Module.run(Module.java:312)
    at org.jboss.modules.Main.main(Main.java:460)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126)
    at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89)
    at javax.net.ssl.SSLContext.init(SSLContext.java:283)
    at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537)
    ... 11 more
It is possible to work around the issue by setting the javax.net.ssl.keyStore /
javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
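The exception above is thrown by SSLContext.init because, with the JVM in FIPS mode, SunJSSE only accepts TrustManager instances that it produced itself. The following is an added example, not code from the WildFly Core project, showing how an SSL context is built from a PKCS#11 keystore/truststore through the standard JSSE factories so that the resulting TrustManager is a SunJSSE one. The class name Pkcs11SslContext and the CLI_PKCS11_PIN environment variable are assumptions for illustration; it also assumes a PKCS#11 provider is already registered in the JVM (via java.security or a SunPKCS11 configuration), and it cannot run without such a token.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: builds an SSLContext backed entirely by a PKCS#11 token. */
public final class Pkcs11SslContext {

    private Pkcs11SslContext() {
    }

    /**
     * Loads key and trust material from the PKCS#11 provider and wires both into an
     * SSLContext via the JSSE factories. The TrustManager comes from the default
     * (SunJSSE) TrustManagerFactory, which is what FIPS mode requires; supplying a
     * custom TrustManager implementation here is what produces
     * "FIPS mode: only SunJSSE TrustManagers may be used".
     */
    public static SSLContext build(char[] pin) throws GeneralSecurityException, IOException {
        // A PKCS#11 store has no backing file: the provider is the store, so the
        // input stream is null and only the token PIN is passed to load().
        KeyStore tokenStore = KeyStore.getInstance("PKCS11");
        tokenStore.load(null, pin);

        // Client certificate / private key for mutual TLS, read from the token.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(tokenStore, pin);

        // Trust anchors from the same token; the factory's default algorithm (PKIX)
        // yields a SunJSSE X509TrustManager that SSLContextImpl accepts in FIPS mode.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(tokenStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The PIN is taken from the environment (assumed variable name) so that it does
        // not have to be written into a start-up script as a -D system property.
        String pin = System.getenv("CLI_PKCS11_PIN");
        if (pin == null || pin.isEmpty()) {
            throw new IllegalStateException("CLI_PKCS11_PIN is not set");
        }
        SSLContext ctx = build(pin.toCharArray());
        System.out.println("Built " + ctx.getProtocol() + " context from PKCS#11 token");
    }
}
```

Compared with the jboss-cli.sh workaround quoted above, the difference that matters for an operator is where the token PIN lives: the -Djavax.net.ssl.keyStorePassword form stores it in a script that is readable by anyone with access to the installation and visible in the process command line, whereas reading it at start-up from the environment or a permission-restricted file keeps it out of both.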