[jboss-jira] [JBoss JIRA] (WFCORE-1135) Unable to start Wildfly when FIPS is enabled in Domain Mode
Darran Lofthouse (JIRA)
issues at jboss.org
Fri Jan 15 07:54:00 EST 2016
[ https://issues.jboss.org/browse/WFCORE-1135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149332#comment-13149332 ]
Darran Lofthouse commented on WFCORE-1135:
------------------------------------------
A server which is connecting back to its HostController can be configured to use its JVM wide default SSLContext by executing the following command: -
{noformat}
./host=master/server-config=server-one/ssl=loopback:add(ssl-protocol=Default)
{noformat}
Alternatively a custom SSL configuration can be provided: -
{noformat}
./host=master/server-config=server-three/ssl=loopback:add(ssl-protocol=TLS, trust-manager-algorithm=SunX509, truststore-type=JKS, truststore-path=/home/darranl/src/wildfly9/cli-scripts/management-ssl/client.keystore, truststore-password=keystore_password)
{noformat}
Note: With the exception of 'ssl-protocol', defaults are not represented in the management model, as the JVM specific default values are used for 'trust-manager-algorithm' and 'truststore-type'.
> Unable to start Wildfly when FIPS is enabled in Domain Mode
> -----------------------------------------------------------
>
> Key: WFCORE-1135
> URL: https://issues.jboss.org/browse/WFCORE-1135
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Domain Management, Security
> Affects Versions: 2.0.1.Final
> Reporter: Ryan Emerson
> Assignee: Darran Lofthouse
> Fix For: 2.0.8.Final
>
>
> Allow FIPS use in Domain mode. This requires additional logic to standalone, due to the connections between controllers and servers.
> Resulting stacktrace when attempting to run domain mode with FIPS enabled at the JVM:
> 15:47:39,410 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.host.controller.client: org.jboss.msc.service.StartException in service jboss.host.controller.client: java.io.IOException: WFLYSRV0117: Unable to initialise a basic SSLContext 'FIPS mode: only SunJSSE TrustManagers may be used'
> [Server:server-one] at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:133)
> [Server:server-one] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
> [Server:server-one] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
> [Server:server-one] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [Server:server-one] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [Server:server-one] at java.lang.Thread.run(Thread.java:745)
> [Server:server-one] Caused by: java.io.IOException: WFLYSRV0117: Unable to initialise a basic SSLContext 'FIPS mode: only SunJSSE TrustManagers may be used'
> [Server:server-one] at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.getAcceptingSSLContext(HostControllerConnectionService.java:212)
> [Server:server-one] at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:108)
> [Server:server-one] ... 5 more
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
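
The two configurations in the comment above, expressed as plain JSSE calls. This is an added example, not WildFly's implementation and not part of the original message. The class and method names are hypothetical, and the mapping of each management attribute to a JSSE call is an assumption made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical illustration class; not WildFly code.
public class LoopbackSslContextExample {

    // ssl-protocol=Default: reuse the JVM-wide default SSLContext as-is.
    static SSLContext jvmDefault() throws Exception {
        return SSLContext.getDefault();
    }

    // Custom configuration. A null tmAlgorithm or storeType falls back to the
    // JVM default, matching the note that only ssl-protocol carries a default
    // in the management model.
    static SSLContext fromTruststore(String protocol, String tmAlgorithm, String storeType,
                                     String storePath, char[] storePassword) throws Exception {
        String type = storeType != null ? storeType : KeyStore.getDefaultType();
        String algorithm = tmAlgorithm != null
                ? tmAlgorithm : TrustManagerFactory.getDefaultAlgorithm();

        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            trustStore.load(in, storePassword);
        }

        // The trust managers are produced by the provider's TrustManagerFactory
        // from the truststore; no hand-written X509TrustManager is involved.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        tmf.init(trustStore);

        SSLContext context = SSLContext.getInstance(protocol);
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    // Usage: java LoopbackSslContextExample [truststore-path truststore-password]
    public static void main(String[] args) throws Exception {
        System.out.println("JVM default protocol: " + jvmDefault().getProtocol());
        if (args.length == 2) {
            SSLContext ctx = fromTruststore("TLS", null, null, args[0], args[1].toCharArray());
            System.out.println("Custom context protocol: " + ctx.getProtocol());
        }
    }
}
```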