Rich Lucente commented on ELY-1578:
-----------------------------------
@choma I was able to prefix the database directory with "dbm:" and that
generated the older style files. The commands would look like:
{code:bash}
mkdir -p $HOME/fipsdb
modutil -force -dbdir dbm:$HOME/fipsdb -create
modutil -force -dbdir dbm:$HOME/fipsdb -fips true
{code}
I agree that sql: as the default does cause issues with script backwards compatibility.
Upgrade to Fedora 28 breaks FIPS scenarios
------------------------------------------
Key: ELY-1578
URL: https://issues.jboss.org/browse/ELY-1578
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.3.1.Final
Reporter: Martin Choma
On Fedora 28 I get
{code}
14:52:28,813 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.as: org.jboss.msc.service.StartException in service jboss.as: Failed to start service
at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1706)
at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
at org.jboss.threads@2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.base/java.lang.Thread.run(Thread.java:844)
Caused by: java.security.ProviderException: NSS module not available: fips
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:278)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:113)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:110)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:110)
at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:247)
at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:238)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:238)
at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:218)
at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:379)
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
at java.base/java.security.Security.getImpl(Security.java:697)
at java.base/java.security.MessageDigest.getInstance(MessageDigest.java:178)
at org.jboss.as.deployment-repository@5.0.0.Alpha-redhat-20180502//org.jboss.as.repository.ContentRepositoryImpl.<init>(ContentRepositoryImpl.java:90)
at org.jboss.as.deployment-repository@5.0.0.Alpha-redhat-20180502//org.jboss.as.repository.ContentRepository$Factory.addService(ContentRepository.java:185)
at org.jboss.as.server@5.0.0.Alpha-redhat-20180502//org.jboss.as.server.ApplicationServerService.start(ApplicationServerService.java:144)
at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
at org.jboss.msc@1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
... 6 more
{code}
In Fedora 28 there is nss 3.36.1 (dnf info nss.x86_64).
In Fedora 27 there was 3.33:
https://fedora.pkgs.org/27/fedora-x86_64/nss-3.33.0-1.0.fc27.x86_64.rpm.html
In nss 3.35 there was a switch of the database format to SQL [1]:
??Applications using NSS may explicitly request to use a specific database format, by
adding a type prefix to the database directory, provided at NSS initialization time. ??
But I am not sure how to define that in Java. I am using
{code:pkcs11.cfg}
name = testPkcs
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /opt/java/jdk-9.0.1_fips/fips/nssdb
nssDbMode = readOnly
nssModule = fips
{code}
I am aware there is probably nothing that can be done in Elytron. I think it is a matter of
NSS/SunPKCS11 configuration. I created this JIRA as a place to find out what the
problem is.
[1]
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_re...
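A small diagnostic for the situation described in the report and in Rich Lucente's comment (the "dbm:" prefix producing the older-style files): it classifies an NSS database directory by the file set it contains, so a mismatch between what the directory holds and what the NSS 3.35+ default expects can be spotted before pointing nssSecmodDirectory at it. This is an added example, not code from the issue or from Elytron; the "dbm"/"sql" file names are the standard NSS ones, and the optional modutil check assumes nss-tools is installed.

```shell
#!/bin/sh
# Added diagnostic (not part of ELY-1578). Legacy NSS databases ("dbm:" format)
# consist of cert8.db, key3.db and secmod.db; the SQLite format that became the
# default in NSS 3.35 consists of cert9.db, key4.db and pkcs11.txt.
set -e

# Print one of: dbm, sql, both, none for the directory given as $1.
nss_db_format() {
    dir=$1
    dbm=0
    sql=0
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then dbm=$((dbm + 1)); fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$dir/$f" ]; then sql=$((sql + 1)); fi
    done
    if [ "$dbm" -gt 0 ] && [ "$sql" -gt 0 ]; then
        echo both          # mixed directory: both file sets present
    elif [ "$dbm" -gt 0 ]; then
        echo dbm
    elif [ "$sql" -gt 0 ]; then
        echo sql
    else
        echo none          # not an initialised NSS database directory
    fi
}

# Ask NSS itself whether FIPS mode is enabled for the database in $1.
# $2 is an optional format prefix ("dbm:" or "sql:") to force, as in the comment.
# Returns 0 when FIPS is enabled, 1 when not, 2 when modutil is unavailable.
nss_fips_enabled() {
    prefix=${2:-}
    command -v modutil >/dev/null 2>&1 || { echo "modutil not installed" >&2; return 2; }
    modutil -dbdir "$prefix$1" -chkfips true >/dev/null 2>&1
}

# Command-line use: ./nssdbcheck.sh /opt/java/jdk-9.0.1_fips/fips/nssdb [dbm:]
if [ $# -gt 0 ]; then
    printf '%s: format=%s\n' "$1" "$(nss_db_format "$1")"
    if nss_fips_enabled "$1" "${2:-}"; then
        echo "FIPS mode: enabled"
    else
        echo "FIPS mode: not enabled (or modutil missing)"
    fi
fi
```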