[jboss-jira] [JBoss JIRA] (WFCORE-644) jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores

Kabir Khan (JIRA) issues at jboss.org
Wed Feb 15 09:36:11 EST 2017


     [ https://issues.jboss.org/browse/WFCORE-644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kabir Khan updated WFCORE-644:
------------------------------
    Fix Version/s: 3.0.0.Beta3
                       (was: 3.0.0.Beta2)


> jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores
> -----------------------------------------------------------------------------------
>
>                 Key: WFCORE-644
>                 URL: https://issues.jboss.org/browse/WFCORE-644
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: CLI
>            Reporter: Derek Horton
>            Assignee: Darran Lofthouse
>            Priority: Critical
>             Fix For: 3.0.0.Beta3
>
>
> The cli's SSL configuration should be expanded to support using PKCS11 keystores/truststores.  Currently it does not appear to be possible to configure the keystore/truststore type in the jboss-cli.xml file.
> This is problematic when the JVM is running in FIPS mode.
> The cli throws the following exception on startup:
> $ ./bin/jboss-cli.sh 
> org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
>         at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541)
>         at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291)
>         at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76)
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294)
>         at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277)
>         at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.jboss.modules.Module.run(Module.java:312)
>         at org.jboss.modules.Main.main(Main.java:460)
> Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
>         at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126)
>         at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:283)
>         at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537)
>         ... 11 more
> It is possible to work around the issue by setting the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file:
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

