[
https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.s...
]
Martin Choma commented on ELY-1622:
-----------------------------------
You are right.
I have tried to use key-store-ssl-certificate in wildfly-config.xml which effectively mean
ConfigurationKeyManager is used in SSLContext and it does not complain. Its because BC
TLS ProvSSLContextSpi is used, which seems does not have such strong enforcement like Sun
SSLContext implementation.
[~rlucente-se-jboss] is it correct to assume if certified BC TLS ProvSSLContextSpi does
not prohibit custom keymanagers we can use one on client side?
BC FIPS with CLI: SunX509 KeyManagerFactory not available
---------------------------------------------------------
Key: ELY-1622
URL:
https://issues.jboss.org/browse/ELY-1622
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Affects Versions: 1.5.1.Final
Reporter: Martin Choma
Assignee: Farah Juma
Priority: Blocker
Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is
enough BC FIPS is used only on client side.
{code:java|titlejboss-cli.log}
11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI:
org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
at org.jboss.modules.Module.run(Module.java:352)
at org.jboss.modules.Module.run(Module.java:320)
at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host
'localhost'
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
... 5 more
Caused by: java.io.IOException: Failed to obtain SSLContext
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
at
org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
at
org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
... 8 more
Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException:
SunX509 KeyManagerFactory not available
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
at javax.net.ssl.SSLContext.init(SSLContext.java:282)
at
org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
at
org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
at
org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
at
org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
... 10 more
Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not
available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
at
org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
... 17 more
{code}
When I use non-FIPS java with CLI I can make it work. It does occure also when connecting
to default unsecured port 9990.
When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
I believe problem is I cant configure algorithm for keymanager on client side in
wildfly-config.xml. (At least I don't see how could I do so).
BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)