[
https://issues.jboss.org/browse/ELY-1639?page=com.atlassian.jira.plugin.s...
]
Martin Choma commented on ELY-1639:
-----------------------------------
For record our hipchat communication
{code}
[5:58 PM] Farah Juma: Also, this means that it doesn't work with
key-store-ssl-certificate configured either right?
[7:56 PM] Martin Choma: Hi
[7:56 PM] Farah Juma: Hi Martin
[7:56 PM] Martin Choma: I assume it does not work with key-store-ssl-certificate with same
reason - custom keymanager
[7:57 PM] Farah Juma: ok. so before two-way ssl wasn't working with PKCS#11 and now
one-way ssl doesn't work either
[7:57 PM] Martin Choma: yes exactly
[7:57 PM] Farah Juma: so we probably need to be able to configure the key-manager info
directly in the config like we do for trust-manager
[7:58 PM] Farah Juma: i.e., provider and algorithm
[7:59 PM] Martin Choma: In my view we need to be able to configure JDK keymanager
[7:59 PM] Martin Choma: and then having configurable algorithm will have sense
[8:00 PM] Farah Juma: ok will try to look at this
[8:00 PM] Farah Juma: If I can't finish it tomorrow, I will ask Honza to work on it
while I'm gone
[8:03 PM] Martin Choma: so something like when algorithm is specified try to ask JCA for
instance, otherwise fallback to our custom implementation?
[8:03 PM] Farah Juma: yeah I think so
[8:05 PM] Martin Choma: and (random thoughts) shouldnt we have our custom keymanager
implementation registered in JCA under WildFlyElytronProvider?
[8:06 PM] Farah Juma: good question. perhaps we should ask Darran that, as he had
implemented it originally. I'm not sure if there was a reason why it wasn't
registered
{code}
FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
-------------------------------------------------------------
Key: ELY-1639
URL:
https://issues.jboss.org/browse/ELY-1639
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Reporter: Martin Choma
Assignee: Farah Juma
Priority: Blocker
Attachments: cli-wildfly-config.xml
Fix of ELY-1622 introduced regression. It is not possible to do 1 way ssl (no
key-store-ssl-certificate in wildfly-config.xml) with exception
{code}
14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI:
org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
at org.jboss.modules.Module.run(Module.java:352)
at org.jboss.modules.Module.run(Module.java:320)
at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host
'localhost'
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
... 5 more
Caused by: java.io.IOException: Failed to obtain SSLContext
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
at
org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
... 8 more
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may
be used
at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
at javax.net.ssl.SSLContext.init(SSLContext.java:282)
at
org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
at
org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
... 10 more
{code}
It is because after fix Fix of ELY-1622 custom keymanager is used. But it is forbidden by
jdk FIPS PKCS11.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)