Re: [wildfly-dev] Supporting FIPS in domain mode

On 19/11/15 15:50, Brian Stansberry wrote: > Darran's the expert on this, but my initial naive question is whether > this can be split into two logical use cases: > > 1) Where we know TLS is not going to be used on the HC<->server > connection. > > 2) Where we don't know that. > > I ask because if case 2 is harder or requires changes that don't belong > in a micro release (e.g. management model changes) perhaps we can first > deal with case 1. My impression from the initial bug report is that > SSL/TLS was not configured on the host's management interfaces. To get to the error in the bug report the underlying user has taken these two steps: - 1 - Configure the JVM to be FIPS Compliant. 2 - Start a default domain configuration. They have experienced the error and reported it to us. I would be very surprised if they were not planning to subsequently enable TLS for the remote communication with the HostController.

I suppose at a push master may have no application server instances but have TLS enable for remote communication and the individual slave host controllers only bind management to loopback so don't enable TLS.

> > On 11/19/15 4:25 AM, Ryan Emerson wrote: >> Hello All, >> >> Currently domain mode is unable to execute when the JVM has FIPS >> enabled. See [1] for example config files and the resulting stacktrace. >> >> I am looking into this issue (SET engineer), however my current >> knowledge of core and FIPS is limited. What are your thoughts on how >> to implement FIPS compatibility? Is there any fundamental reasons why >> such a feature shouldn't be supported? >> >> [1] https://issues.jboss.org/browse/WFCORE-1135 >> >> Thanks >> Ryan >> _______________________________________________ >> wildfly-dev mailing list >> wildfly-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/wildfly-dev >> > >