[jboss-jira] [JBoss JIRA] (ELY-1639) FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used

Martin Choma (JIRA) issues at jboss.org
Mon Aug 13 08:43:00 EDT 2018 

Martin Choma created ELY-1639:
---------------------------------

             Summary: FIPS PKCS11 Client side: only SunJSSE KeyManagers may be used
                 Key: ELY-1639
                 URL: https://issues.jboss.org/browse/ELY-1639
             Project: WildFly Elytron
          Issue Type: Bug
          Components: SSL
            Reporter: Martin Choma
            Priority: Blocker


Fix of ELY-1622 introduced regression. It is not possible to do 1 way ssl (no key-store-ssl-certificate in wildfly-config.xml) with exception 

{code}
14:13:56,143 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
        at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
        at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
        at org.jboss.modules.Module.run(Module.java:352)
        at org.jboss.modules.Module.run(Module.java:320)
        at org.jboss.modules.Main.main(Main.java:593)
Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
        ... 5 more
Caused by: java.io.IOException: Failed to obtain SSLContext
        at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
        at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
        at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
        ... 8 more
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
        at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:149)
        at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:66)
        at javax.net.ssl.SSLContext.init(SSLContext.java:282)
        at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
        at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
        at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
        at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
        at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
        ... 10 more
 {code}

It is because after fix Fix of ELY-1622 custom keymanager is used. But it is forbidden by jdk FIPS PKCS11.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jboss-jira mailing list