[jboss-jira] [JBoss JIRA] (REMJMX-144) Elytron, JMX client fails to work when the JVM is running in FIPS mode
Darran Lofthouse (JIRA)
issues at jboss.org
Fri Jun 2 12:33:00 EDT 2017
Darran Lofthouse created REMJMX-144:
---------------------------------------
Summary: Elytron, JMX client fails to work when the JVM is running in FIPS mode
Key: REMJMX-144
URL: https://issues.jboss.org/browse/REMJMX-144
Project: Remoting JMX
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
Fix For: 3.0.0.Beta5
The JMX client fails to work when the JVM is running in FIPS mode.
It should be possible to configure the client SSL context with Elytron. However, even when doing so, javax.net.ssl.SSLContext.getDefault() is still called, which fails with the following stack trace:
{code:title=server.log}
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Completed open of endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 1 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote)
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote': Remoting remote connection provider 42a0d0b7 for endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 2 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+tls)
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+tls': Remoting remote connection provider 7dc22d9b for endpoint "endpoint" <67ce59be>
10:55:00,762 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 3 of endpoint "endpoint" <67ce59be> (opened Connection provider for remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remoting': Remoting remote connection provider 194d9579 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 4 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+http)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+http': Remoting remote connection provider 21f0cb0a for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 5 of endpoint "endpoint" <67ce59be> (opened Connection provider for remote+https)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'remote+https': Remoting remote connection provider 27b862 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 6 of endpoint "endpoint" <67ce59be> (opened Connection provider for http-remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'http-remoting': Remoting remote connection provider 422cda30 for endpoint "endpoint" <67ce59be>
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Allocated tick to 7 of endpoint "endpoint" <67ce59be> (opened Connection provider for https-remoting)
10:55:00,763 TRACE [org.jboss.remoting.endpoint] (default task-1) Adding connection provider registration named 'https-remoting': Remoting remote connection provider 55cb3d77 for endpoint "endpoint" <67ce59be>
10:55:00,764 WARN [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
10:55:00,764 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
10:55:00,764 WARN [org.jboss.remotingjmx.Util] (default task-1) The protocol 'remoting-jmx' is deprecated, instead you should use 'remote'.
10:55:00,765 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://localhost:9999, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost,set-port=9999]
10:55:00,772 INFO [stdout] (default task-1) *** Error:JBREM000212: Failed to configure SSL context
10:55:00,773 ERROR [stderr] (default task-1) java.io.IOException: JBREM000212: Failed to configure SSL context
10:55:00,773 ERROR [stderr] (default task-1) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:497)
10:55:00,773 ERROR [stderr] (default task-1) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:487)
10:55:00,773 ERROR [stderr] (default task-1) at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:241)
10:55:00,773 ERROR [stderr] (default task-1) at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:158)
10:55:00,773 ERROR [stderr] (default task-1) at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:105)
10:55:00,773 ERROR [stderr] (default task-1) at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
10:55:00,773 ERROR [stderr] (default task-1) at com.redhat.eap.qe.fips.standalone.elytron.client.jmx.JmxClientServlet.doGet(JmxClientServlet.java:33)
10:55:00,773 ERROR [stderr] (default task-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
10:55:00,773 ERROR [stderr] (default task-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
10:55:00,773 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
10:55:00,774 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,774 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,775 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
10:55:00,775 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
10:55:00,775 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
10:55:00,775 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
10:55:00,776 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
10:55:00,776 ERROR [stderr] (default task-1) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
10:55:00,776 ERROR [stderr] (default task-1) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
10:55:00,776 ERROR [stderr] (default task-1) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
10:55:00,776 ERROR [stderr] (default task-1) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
10:55:00,776 ERROR [stderr] (default task-1) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
10:55:00,776 ERROR [stderr] (default task-1) at java.lang.Thread.run(Thread.java:745)
10:55:00,776 ERROR [stderr] (default task-1) Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
10:55:00,776 ERROR [stderr] (default task-1) at java.security.Provider$Service.newInstance(Provider.java:1617)
10:55:00,776 ERROR [stderr] (default task-1) at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
10:55:00,776 ERROR [stderr] (default task-1) at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
10:55:00,777 ERROR [stderr] (default task-1) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
10:55:00,777 ERROR [stderr] (default task-1) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
10:55:00,777 ERROR [stderr] (default task-1) at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:183)
10:55:00,777 ERROR [stderr] (default task-1) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:495)
10:55:00,777 ERROR [stderr] (default task-1) ... 46 more
10:55:00,777 ERROR [stderr] (default task-1) Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-testPkcs
10:55:00,777 ERROR [stderr] (default task-1) at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
10:55:00,777 ERROR [stderr] (default task-1) at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
10:55:00,777 ERROR [stderr] (default task-1) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
10:55:00,777 ERROR [stderr] (default task-1) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
10:55:00,777 ERROR [stderr] (default task-1) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
10:55:00,777 ERROR [stderr] (default task-1) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
10:55:00,778 ERROR [stderr] (default task-1) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
10:55:00,778 ERROR [stderr] (default task-1) at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
10:55:00,778 ERROR [stderr] (default task-1) at java.security.Provider$Service.newInstance(Provider.java:1595)
10:55:00,778 ERROR [stderr] (default task-1) ... 52 more
{code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
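The root cause in the trace is the JDK building its default SSLContext with a KeyStore that does not come from the FIPS PKCS#11 provider. The following is an added example using only JDK APIs, not code from Remoting JMX, Elytron or the reporter: it builds the client context explicitly from the provider named in the trace and touches `SSLContext.getDefault()` only when nothing is configured. The class and method names are hypothetical, and it assumes the `SunPKCS11-testPkcs` provider is registered in the JVM and its token holds the client's key and trust entries.

```java
import java.io.Console;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.function.Supplier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added illustration; FipsClientSsl, fromPkcs11 and resolve are hypothetical names.
public final class FipsClientSsl {

    // Build a client SSLContext whose key and trust material comes from the
    // PKCS#11 token, which is what the FIPS-mode KeyManagerFactory insists on.
    static SSLContext fromPkcs11(String provider, char[] pin)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin); // no backing file: the PIN unlocks the token
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null); // private keys stay on the token
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Resolution order that avoids the failure in the trace: the configured
    // context wins, and getDefault() is evaluated only as a last resort.
    static SSLContext resolve(Supplier<SSLContext> configured)
            throws GeneralSecurityException {
        SSLContext ctx = (configured == null) ? null : configured.get();
        return (ctx != null) ? ctx : SSLContext.getDefault();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal to enter the token PIN");
        }
        char[] pin = console.readPassword("Token PIN: ");
        SSLContext explicit = fromPkcs11("SunPKCS11-testPkcs", pin); // name from the trace
        SSLContext used = resolve(() -> explicit);
        System.out.println("explicit context used: " + (used == explicit));
    }
}
```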