FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used ------------------------------------------------------------- Key: ELY-1639 URL: https://issues.jboss.org/browse/ELY-1639 Project: WildFly Elytron Issue Type: Bug Components: SSL Reporter: Martin Choma Assignee: Jan Kalina Priority: Blocker Attachments: cli-wildfly-config.xml Fix of ELY-1622 introduced regression. It is not possible to do 1 way ssl (no key-store-ssl-certificate in wildfly-config.xml) with exception {code} 14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330) at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291) at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45) at org.jboss.modules.Module.run(Module.java:352) at org.jboss.modules.Module.run(Module.java:320) at org.jboss.modules.Main.main(Main.java:593) Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost' at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256) at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203) at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198) at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328) ... 5 more Caused by: java.io.IOException: Failed to obtain SSLContext at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156) at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85) at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222) ... 8 more Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149) at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66) at javax.net.ssl.SSLContext.init(SSLContext.java:282) at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372) at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53) at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221) at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208) at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153) ... 10 more {code} It is because after fix Fix of ELY-1622 custom keymanager is used. But it is forbidden by jdk FIPS PKCS11.