On 19/11/15 15:50, Brian Stansberry wrote:
> Darran's the expert on this, but my initial naive question is whether
> this can be split into two logical use cases:
>
> 1) Where we know TLS is not going to be used on the HC<->server connection.
> 2) Where we don't know that.
>
> I ask because if case 2 is harder or requires changes that don't belong
> in a micro release (e.g. management model changes) perhaps we can first
> deal with case 1. My impression from the initial bug report is that
> SSL/TLS was not configured on the host's management interfaces.

To get to the error in the bug report the underlying user has taken
these two steps: -

1 - Configure the JVM to be FIPS Compliant.
2 - Start a default domain configuration.

They have experienced the error and reported it to us.

I would be very surprised if they were not planning to subsequently
enable TLS for the remote communication with the HostController.

I suppose at a push master may have no application server instances but
have TLS enabled for remote communication and the individual slave host
controllers only bind management to loopback so don't enable TLS.

On 11/19/15 4:25 AM, Ryan Emerson wrote:
> Hello All,
>
> Currently domain mode is unable to execute when the JVM has FIPS enabled. See [1] for example config files and the resulting stacktrace.
>
> I am looking into this issue (SET engineer), however my current knowledge of core and FIPS is limited. What are your thoughts on how to implement FIPS compatibility? Are there any fundamental reasons why such a feature shouldn't be supported?
>
> [1] https://issues.jboss.org/browse/WFCORE-1135
>
> Thanks
> Ryan