[jboss-jira] [JBoss JIRA] (WFCORE-3034) CLI with PKCS11 keystore cannot connect to server and throws java.security.KeyManagementException

Darran Lofthouse (JIRA) issues at jboss.org
Thu Jun 29 15:03:01 EDT 2017


     [ https://issues.jboss.org/browse/WFCORE-3034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse moved JBEAP-11885 to WFCORE-3034:
--------------------------------------------------

              Project: WildFly Core  (was: JBoss Enterprise Application Platform)
                  Key: WFCORE-3034  (was: JBEAP-11885)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: Security)
    Affects Version/s:     (was: 7.1.0.ER1)


> CLI with PKCS11 keystore cannot connect to server and throws java.security.KeyManagementException
> -------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-3034
>                 URL: https://issues.jboss.org/browse/WFCORE-3034
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>              Labels: eap7.1-rfe-failure
>             Fix For: 3.0.0.Beta28
>
>
> When trying to connect with the CLI to a server using PKCS11 (and FIPS):
> * The CLI can connect with the old workaround described in the 7.0 documentation:
> {code}
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
> JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
> {code}
> * When providing -Dwildfly.config.url, no matter what's in the path (even if it's a non-existent file), the CLI throws the following error:
> {code}
> java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used: FIPS mode: only SunJSSE TrustManagers may be used
> {code}
> * If I set up BOTH the JAVA_OPTS and wildfly-config.xml, the config is parsed properly (throwing errors in case of a wrong path, malformed XML, etc.) and the CLI connects successfully.
> I'm marking it as a blocker now, since this is basically the functionality required by EAP7-610. But the old workaround still works just fine, so I think this isn't high priority if we're OK to postpone the RFE.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)