[
https://issues.jboss.org/browse/WFCORE-1135?page=com.atlassian.jira.plugi...
]
Darran Lofthouse commented on WFCORE-1135:
------------------------------------------
A server which is connecting back to its HostController can be configured to use
its JVM wide default SSLContext by executing the following command: -
{noformat}
./host=master/server-config=server-one/ssl=loopback:add(ssl-protocol=Default)
{noformat}
Alternatively a custom SSL configuration can be provided: -
{noformat}
./host=master/server-config=server-three/ssl=loopback:add(ssl-protocol=TLS,
trust-manager-algorithm=SunX509, truststore-type=JKS,
truststore-path=/home/darranl/src/wildfly9/cli-scripts/management-ssl/client.keystore,
truststore-password=keystore_password)
{noformat}
Note: With the exception of 'ssl-protocol' defaults are not represented in the
management model as the JVM specific default values are used for
'trust-manager-algorithm' and 'truststore-type'.
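
How the attributes in the two commands above line up with standard JSSE calls, as an added example that is not part of the original comment and is not WildFly's own code. The class and method names are hypothetical; the mapping of each attribute to a JSSE call is an assumption based on the attribute names.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper for illustration only; not taken from WildFly Core.
public final class LoopbackSslSketch {

    static SSLContext build(String protocol, String tmAlgorithm, String storeType,
                            String storePath, char[] storePassword)
            throws GeneralSecurityException, IOException {
        // ssl-protocol=Default: reuse the JVM-wide SSLContext as configured by the JVM.
        if ("Default".equals(protocol)) {
            return SSLContext.getDefault();
        }
        // Attributes left out of the command fall back to the JVM-specific defaults.
        String algorithm = tmAlgorithm != null ? tmAlgorithm
                : TrustManagerFactory.getDefaultAlgorithm();
        String type = storeType != null ? storeType : KeyStore.getDefaultType();

        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            trustStore.load(in, storePassword);
        }
        // Trust managers are obtained from the provider's factory instead of a
        // hand-written TrustManager, matching the restriction named in the
        // 'only SunJSSE TrustManagers may be used' error.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Default -> " + build("Default", null, null, null, null).getProtocol());
        if (args.length == 2) { // args: <truststore path> <truststore password>
            SSLContext custom = build("TLS", "SunX509", "JKS", args[0], args[1].toCharArray());
            System.out.println("custom  -> " + custom.getProtocol());
        }
    }
}
```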
Unable to start Wildfly when FIPS is enabled in Domain Mode
-----------------------------------------------------------
Key: WFCORE-1135
URL: https://issues.jboss.org/browse/WFCORE-1135
Project: WildFly Core
Issue Type: Feature Request
Components: Domain Management, Security
Affects Versions: 2.0.1.Final
Reporter: Ryan Emerson
Assignee: Darran Lofthouse
Fix For: 2.0.8.Final
Allow FIPS use in Domain mode. This requires additional logic to standalone, due to the
connections between controllers and servers.
Resulting stacktrace when attempting to run domain mode with FIPS enabled at the JVM:
15:47:39,410 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.host.controller.client: org.jboss.msc.service.StartException in service jboss.host.controller.client: java.io.IOException: WFLYSRV0117: Unable to initialise a basic SSLContext 'FIPS mode: only SunJSSE TrustManagers may be used'
[Server:server-one] at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:133)
[Server:server-one] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
[Server:server-one] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
[Server:server-one] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[Server:server-one] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[Server:server-one] at java.lang.Thread.run(Thread.java:745)
[Server:server-one] Caused by: java.io.IOException: WFLYSRV0117: Unable to initialise a basic SSLContext 'FIPS mode: only SunJSSE TrustManagers may be used'
[Server:server-one] at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.getAcceptingSSLContext(HostControllerConnectionService.java:212)
[Server:server-one] at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:108)
[Server:server-one] ... 5 more