[jboss-jira] [JBoss JIRA] (WFCORE-4051) KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
Martin Choma (JIRA)
issues at jboss.org
Tue Aug 21 09:38:01 EDT 2018
[ https://issues.jboss.org/browse/WFCORE-4051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13622086#comment-13622086 ]
Martin Choma commented on WFCORE-4051:
--------------------------------------
[~chuffman] this effectively mean in FIPS mode reload truststore operation won't work. I think we should document that restriction. I think there is already general section about fips that advanced scenarios are not supported in FIPS mode. We should probably name this one explicitly.
> KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
> -------------------------------------------------------------------------
>
> Key: WFCORE-4051
> URL: https://issues.jboss.org/browse/WFCORE-4051
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 6.0.0.CR2
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 6.0.0.CR3
>
>
> Creating 2-way SSL Context fails with error.
> {code}
> 12:04:28,689 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.ssl-context.ssl-context-client-cert: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.ssl-context-client-cert: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
> at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:982)
> at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
> at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
> at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:115)
> at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:78)
> at javax.net.ssl.SSLContext.init(SSLContext.java:282)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:980)
> ... 9 more
> 12:04:28,690 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("server-ssl-context" => "ssl-context-client-cert")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.ssl-context-client-cert" => "java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
> Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used"}}
> {code}
> Seems DelegatingTrustManager is created always.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
More information about the jboss-jira
mailing list