[jboss-jira] [JBoss JIRA] (ELY-1646) FIPS PKCS11 breaks after migrating from client scheme 1.0 to 1.1
Martin Choma (JIRA)
issues at jboss.org
Fri Aug 17 05:54:00 EDT 2018
[ https://issues.jboss.org/browse/ELY-1646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13620496#comment-13620496 ]
Martin Choma commented on ELY-1646:
-----------------------------------
Adding <trust-manager algorithm="SunX509"> does not help:
{code}
<configuration>
    <authentication-client xmlns="urn:elytron:1.1">
        <key-stores>
            <key-store name="truststore" type="PKCS11">
                <key-store-clear-password password="${password}" />
            </key-store>
        </key-stores>
        <ssl-contexts>
            <ssl-context name="client-cli-context">
                <trust-manager algorithm="SunX509" />
                <trust-store key-store-name="truststore" />
                <cipher-suite selector="${cipher.suite.filter}" />
                <protocol names="${protocol}" />
            </ssl-context>
        </ssl-contexts>
        <ssl-context-rules>
            <rule use-ssl-context="client-cli-context" />
        </ssl-context-rules>
    </authentication-client>
</configuration>
{code}
> FIPS PKCS11 breaks after migrating from client scheme 1.0 to 1.1
> -----------------------------------------------------------------
>
> Key: ELY-1646
> URL: https://issues.jboss.org/browse/ELY-1646
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Client
> Affects Versions: 1.5.5.Final
> Reporter: Martin Choma
> Priority: Blocker
> Attachments: jboss-cli.log-elytron-client-1-1, jboss-cli.log.elytron-client-1-0
>
>
> I have a working configuration:
> {code}
> <configuration>
>     <authentication-client xmlns="urn:elytron:1.0">
>         <key-stores>
>             <key-store name="truststore" type="PKCS11">
>                 <key-store-clear-password password="${password}" />
>             </key-store>
>         </key-stores>
>         <ssl-contexts>
>             <ssl-context name="client-cli-context">
>                 <trust-store key-store-name="truststore" />
>                 <cipher-suite selector="${cipher.suite.filter}" />
>                 <protocol names="${protocol}" />
>             </ssl-context>
>         </ssl-contexts>
>         <ssl-context-rules>
>             <rule use-ssl-context="client-cli-context" />
>         </ssl-context-rules>
>     </authentication-client>
> </configuration>
> {code}
> After migrating to urn:elytron:1.1, an error occurs:
> {code}
> 10:44:07,823 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
>     at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
>     at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
>     at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
>     at org.jboss.modules.Module.run(Module.java:352)
>     at org.jboss.modules.Module.run(Module.java:320)
>     at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
>     at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
>     at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
>     at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
>     at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
>     ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
>     at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
>     at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
>     at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
>     ... 8 more
> Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
>     at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:115)
>     at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:78)
>     at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>     at org.jboss.as.cli.impl.CommandContextImpl.createSslContext(CommandContextImpl.java:715)
>     at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
>     at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
>     at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
>     at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
>     ... 10 more
> {code}