[jboss-jira] [JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

Martin Choma (JIRA) issues at jboss.org
Wed Mar 7 03:38:00 EST 2018


Martin Choma created WFLY-9969:
----------------------------------

             Summary: JDK9 + FIPS BC, unable to configure
                 Key: WFLY-9969
                 URL: https://issues.jboss.org/browse/WFLY-9969
             Project: WildFly
          Issue Type: Bug
          Components: Security
    Affects Versions: 12.0.0.Final
            Reporter: Martin Choma
            Assignee: Darran Lofthouse


* Configure BouncyCastleFipsProvider in java
{code:title=${jdk9_home}/conf/security/java.security}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE BCFIPS
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL
security.provider.13=SunPKCS11
{code}

* Configure the -cp of the java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GUID-3FD26072-6982-4DCE-932C-DE152C463992. It means putting the -cp option with the bcfips jar in ${jboss_home}/bin/standalone.conf
{{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}}

* Configure additional logging
{code}
/subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
/subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL)
{code}

* Run CLI command
{{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference={clear-text=password})}}

* For some reason BouncyCastleFipsProvider is not listed among providers returned by Security.getProviders() and therefore BCFKS can't be resolved
{code}
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2

  JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java

  JAVA_OPTS:  -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n

=========================================================================
...
09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service.
	at org.wildfly.extension.elytron at 4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148)
	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
	at java.base/java.lang.Thread.run(Thread.java:844)
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS'
	at org.wildfly.extension.elytron at 4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156)
	at org.wildfly.extension.elytron at 4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110)
	... 8 more
{code}



With the same java I can successfully run this java code

{code:java|title=TestBCLoaded.java}
import java.security.*;

public class TestBCLoaded {
    public static void main(String[] args) {
        // Lookup by fully qualified class name: Security.getProvider() expects the
        // provider's short name, so this is expected to return null.
        Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
        if (p == null) {
            System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
        }

        // Lookup by simple class name: also not the registered provider name.
        p = Security.getProvider("BouncyCastleFipsProvider");
        if (p == null) {
            System.out.println("Not Loaded: BouncyCastleFipsProvider");
        }

        // Lookup by the name the provider registers itself under.
        p = Security.getProvider("BCFIPS");
        if (p == null) {
            System.out.println("Not Loaded: BCFIPS");
        } else {
            System.out.println("Provider name is " + p.getName());
            System.out.println("Provider version # is " + p.getVersion());
            System.out.println("Provider info is " + p.getInfo());
        }
    }
}
{code}


{{[mchoma at localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded 
Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Not Loaded: BouncyCastleFipsProvider
Provider name is BCFIPS
Provider version # is 0.9
Provider info is BouncyCastle Security Provider (FIPS edition) v0.90}}
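A diagnostic that goes one step beyond TestBCLoaded, added here and not part of the issue or of WildFly/Elytron: it lists the KeyStore types every installed provider registers and then resolves BCFKS through KeyStore.getInstance, which fails under the same condition Elytron reports as "No suitable provider found for type 'BCFKS'". Run it with the same -cp as TestBCLoaded; the class name and output format are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;

/**
 * Diagnostic for "No suitable provider found for type 'BCFKS'": lists the
 * KeyStore types every installed provider registers, then resolves the type
 * through the generic JCA lookup. Added example; not part of the JIRA issue
 * or of WildFly/Elytron. Requires JDK 9+ (Provider.getVersionStr).
 */
public class ProbeKeyStoreProviders {
    /** Provider name and version -> comma-separated KeyStore types it registers. */
    static Map<String, String> keyStoreTypesByProvider() {
        Map<String, String> result = new TreeMap<>();
        for (Provider p : Security.getProviders()) {
            StringBuilder types = new StringBuilder();
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    if (types.length() > 0) types.append(',');
                    types.append(s.getAlgorithm());
                }
            }
            result.put(p.getName() + " " + p.getVersionStr(), types.toString());
        }
        return result;
    }

    /** The provider that services KeyStore.<type>, or null if none is installed. */
    static Provider providerFor(String keyStoreType) {
        try {
            return KeyStore.getInstance(keyStoreType).getProvider();
        } catch (KeyStoreException e) {
            // Same condition Elytron reports as WFLYELY00012: nothing registers this type.
            return null;
        }
    }

    public static void main(String[] args) {
        String type = args.length > 0 ? args[0] : "BCFKS";
        keyStoreTypesByProvider().forEach((name, types) ->
                System.out.println(name + " -> KeyStore: " + (types.isEmpty() ? "(none)" : types)));
        Provider p = providerFor(type);
        System.out.println(type + (p == null ? ": not resolvable (check java.security and the -cp)"
                : ": served by " + p.getName()));
    }
}
```

If BCFIPS appears in the listing here but not in the Elytron TRACE line, the difference lies in how the server process (not a plain `java -cp` run) loads the provider, which is where to look next.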



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)