Brian Stansberry updated WFCORE-644:
------------------------------------
Fix Version/s: 3.0.0.Beta8 (was: 3.0.0.Beta7)
jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores
-----------------------------------------------------------------------------------
Key: WFCORE-644
URL: https://issues.jboss.org/browse/WFCORE-644
Project: WildFly Core
Issue Type: Bug
Components: CLI
Reporter: Derek Horton
Assignee: Darran Lofthouse
Priority: Critical
Fix For: 3.0.0.Beta8
The cli's SSL configuration should be expanded to support using PKCS11
keystores/truststores. Currently it does not appear to be possible to configure the
keystore/truststore type in the jboss-cli.xml file.
This is problematic when the JVM is running in FIPS mode.
The cli throws the following exception on startup:
$ ./bin/jboss-cli.sh
org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541)
    at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291)
    at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76)
    at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294)
    at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277)
    at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.modules.Module.run(Module.java:312)
    at org.jboss.modules.Main.main(Main.java:460)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126)
    at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89)
    at javax.net.ssl.SSLContext.init(SSLContext.java:283)
    at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537)
    ... 11 more
It is possible to work around the issue by setting the javax.net.ssl.keyStore /
javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
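The workaround in the issue has the JVM build its default stores from a store type and a location of NONE. The same thing done programmatically, as an added example (not WildFly or jboss-cli code; the class and method names are hypothetical): the store type is a parameter, and the managers returned by the JDK factories are passed to SSLContext.init unwrapped, which is what the exception message requires when the default factories are SunJSSE's (an assumption about the JVM in use).

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added illustration; names are hypothetical, not taken from the WildFly code base.
public class ConfigurableStoreSslContext {

    // Follows the javax.net.ssl.keyStore/trustStore convention: a location of
    // "NONE" (or null) means the store is not file-backed, as with a PKCS11 token.
    static KeyStore load(String type, String location, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (location == null || "NONE".equals(location)) {
            ks.load(null, password);
        } else {
            try (InputStream in = new FileInputStream(location)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    static SSLContext build(KeyStore keys, char[] keyPassword, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // The factory's own managers go in as-is, with no custom wrapper around them.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java ConfigurableStoreSslContext [storeType] [location]
    // e.g. "PKCS11 NONE"; with no arguments an empty store of the JVM default type is used.
    public static void main(String[] args) throws Exception {
        String type = args.length > 0 ? args[0] : KeyStore.getDefaultType();
        String location = args.length > 1 ? args[1] : "NONE";
        Console console = System.console();
        char[] pin = console == null ? null : console.readPassword("Store password/PIN: ");
        KeyStore store = load(type, location, pin);
        SSLContext ctx = build(store, pin, store);
        System.out.println("SSLContext ready: " + ctx.getProtocol()
                + " via " + ctx.getProvider().getName() + ", store type " + store.getType());
    }
}
```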