[jboss-jira] [JBoss JIRA] (WFLY-9969) JDK9 + FIPS BC, unable to configure

Rich Lucente (JIRA) issues at jboss.org
Wed Mar 7 09:14:00 EST 2018


    [ https://issues.jboss.org/browse/WFLY-9969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13542805#comment-13542805 ] 

Rich Lucente commented on WFLY-9969:
------------------------------------

Also, note that BCFIPS is certified for Java 7 and 8 per the [BCFIPS FAQ|https://www.bouncycastle.org/fips_faq.html#JAVA]:

Q2. What JVMs are the APIs currently certified for?
The current APIs are certified for Java 1.7 and Java 1.8.

Compatibility with Oracle Java 9 would be a re-certification effort for them.  Per [Oracle Java Support Roadmap|http://www.oracle.com/technetwork/java/eol-135779.html] Java 8 is supported until January 2019 with paid support going to December 2020 or later.  Java 9 and 10 (18.3) are interim releases with Java 11 (18.9) getting long term support.  We have many more options with OpenJDK, so also nudge users in that direction.

I'll reach out to [~bilge] to see if we've engaged with Bouncy Castle to nudge them toward Java 18.9 certification once it's available and to look at compatibility (though not certified) with Java 9 and 10 (18.3).

> JDK9 + FIPS BC, unable to configure
> -----------------------------------
>
>                 Key: WFLY-9969
>                 URL: https://issues.jboss.org/browse/WFLY-9969
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 12.0.0.Final
>            Reporter: Martin Choma
>
> * Configure BouncyCastleFipsProvider in java
> {code:title=$\{jdk9_home\}/conf/security/java.security}
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> security.provider.2=SUN
> security.provider.3=SunRsaSign
> security.provider.4=SunEC
> security.provider.5=SunJSSE BCFIPS
> security.provider.6=SunJCE
> security.provider.7=SunJGSS
> security.provider.8=SunSASL
> security.provider.9=XMLDSig
> security.provider.10=SunPCSC
> security.provider.11=JdkLDAP
> security.provider.12=JdkSASL
> security.provider.13=SunPKCS11
> {code}
> * Configure the -cp of the java process based on https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm#JSSEC-GUID-3FD26072-6982-4DCE-932C-DE152C463992, i.e. in $\{jboss_home\}/bin/standalone.conf put the -cp option with the bcfips jar
> {{JAVA_OPTS="-Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar"}}
> * Configure additional logging
> {code}
> /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
> /subsystem=logging/logger=org.wildfly.extension.elytron:add(level=ALL)
> {code}
> * Run CLI command using BCFKS key store type
> {{/subsystem=elytron/key-store=bcfks_keystore:add(path=keystore.bcfks,relative-to=jboss.server.config.dir, type="BCFKS", credential-reference=\{clear-text=password\})}}
> * For some reason BouncyCastleFipsProvider is not listed among the providers returned by Security.getProviders() and therefore BCFKS can't be resolved
> {code}
> =========================================================================
>   JBoss Bootstrap Environment
>   JBOSS_HOME: /home/mchoma/eap/7.2.0.EL12.CR1/jboss-eap-7.2
>   JAVA: /opt/java/jdk-9.0.1_bcfips/bin/java
>   JAVA_OPTS:  -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -cp /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=n
> =========================================================================
> ...
> 09:20:16,630 TRACE [org.wildfly.extension.elytron] (MSC service thread 1-3) No provider identified for name [null] and algorithm [BCFKS] between [SUN version 9, ApacheXMLDSig version 2.11, SunRsaSign version 9, SunEC version 9, SunJSSE version 9, SunJCE version 9, SunJGSS version 9, SunSASL version 9, XMLDSig version 9, SunPCSC version 9, JdkLDAP version 9, JdkSASL version 9, SunPKCS11 version 9, SunDeploy-MozillaJSS version 1.5, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
> 09:20:16,632 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.key-store.bcfks_keystore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.bcfks_keystore: WFLYELY00004: Unable to start the service.
> 	at org.wildfly.extension.elytron at 4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:148)
> 	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1714)
> 	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1693)
> 	at org.jboss.msc at 1.3.2.Final-redhat-1//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1540)
> 	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> 	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> 	at org.jboss.threads at 2.3.1.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> 	at java.base/java.lang.Thread.run(Thread.java:844)
> Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYELY00012: No suitable provider found for type 'BCFKS'
> 	at org.wildfly.extension.elytron at 4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.resolveProvider(KeyStoreService.java:156)
> 	at org.wildfly.extension.elytron at 4.0.0.CR1-redhat-1-20180228//org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:110)
> 	... 8 more
> {code}
> * With the same java I can successfully run this java code
> {code:java|title=TestBCLoaded.java}
> import java.security.Provider;
> import java.security.Security;
> 
> public class TestBCLoaded {
>     public static void main(String[] args) {
>         // Security.getProvider() takes the provider's registered name, not its class name,
>         // so the first two lookups are expected to come back null.
>         Provider p = Security.getProvider("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
>         if (p == null) {
>             System.out.println("Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
>         }
>         p = Security.getProvider("BouncyCastleFipsProvider");
>         if (p == null) {
>             System.out.println("Not Loaded: BouncyCastleFipsProvider");
>         }
>         // "BCFIPS" is the name BouncyCastleFipsProvider registers itself under.
>         p = Security.getProvider("BCFIPS");
>         if (p == null) {
>             System.out.println("Not Loaded: BCFIPS");
>         } else {
>             System.out.println("Provider name is " + p.getName());
>             System.out.println("Provider version # is " + p.getVersion());
>             System.out.println("Provider info is " + p.getInfo());
>         }
>     }
> }
> {code}
> {code}
> [mchoma at localhost jdk9Test]$ java -cp .:/home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.0/bc-fips-1.0.0.jar TestBCLoaded 
> Not Loaded: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> Not Loaded: BouncyCastleFipsProvider
> Provider name is BCFIPS
> Provider version # is 0.9
> Provider info is BouncyCastle Security Provider (FIPS edition) v0.90
> {code}



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
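Added diagnostic for the situation described in the report (this is not code from the report, from WildFly or from Bouncy Castle). TestBCLoaded only tells you whether "BCFIPS" is registered; the program below also distinguishes "the provider class is not loadable at all" from "the class loads but java.security did not register it", and then tries the exact operation that WFLYELY00012 reports as failing, KeyStore.getInstance("BCFKS"). It assumes the class name and provider name shown in the report, and it has to be run with the same JVM and the same flags as the server. One point worth keeping in mind when reading the JAVA_OPTS above: standalone.sh starts the server as "java ... -jar jboss-modules.jar", and the java launcher ignores -cp/-classpath once -jar is given, so a jar named via -cp in JAVA_OPTS does not land on the application class path that java.security providers are instantiated from, whereas "java -cp .:bc-fips-1.0.0.jar TestBCLoaded" does put it there.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

/**
 * Added diagnostic (not part of WFLY-9969). Classifies how far the BC FIPS
 * provider got in this JVM and checks whether the BCFKS key store type resolves.
 */
public class BcFipsProviderCheck {

    // Names taken from the report: the registered provider name is "BCFIPS";
    // the class name is what security.provider.N in java.security refers to.
    static final String PROVIDER_NAME = "BCFIPS";
    static final String PROVIDER_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    enum State { REGISTERED, LOADABLE_NOT_REGISTERED, NOT_ON_CLASSPATH }

    /** Where the provider stands: registered, loadable but unregistered, or not visible at all. */
    static State probe() {
        if (Security.getProvider(PROVIDER_NAME) != null) {
            return State.REGISTERED;
        }
        try {
            Class.forName(PROVIDER_CLASS);
            return State.LOADABLE_NOT_REGISTERED;
        } catch (ClassNotFoundException e) {
            return State.NOT_ON_CLASSPATH;
        }
    }

    /**
     * Register the provider at runtime when the jar is visible but java.security did not
     * pick it up. Position 1 mirrors security.provider.1 in the report's java.security.
     */
    static Provider registerAtRuntime() throws ReflectiveOperationException {
        Provider p = (Provider) Class.forName(PROVIDER_CLASS).getDeclaredConstructor().newInstance();
        Security.insertProviderAt(p, 1);
        return p;
    }

    /** The operation Elytron's KeyStoreService fails on in the report. */
    static boolean bcfksAvailable() {
        try {
            KeyStore.getInstance("BCFKS");
            return true;
        } catch (KeyStoreException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The effective class path is what matters for java.security provider loading.
        System.out.println("java.class.path = " + System.getProperty("java.class.path"));
        System.out.println("java.home       = " + System.getProperty("java.home"));
        System.out.println("Installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr()); // getVersionStr() is JDK 9+
        }
        State state = probe();
        System.out.println("BCFIPS state: " + state);
        if (state == State.LOADABLE_NOT_REGISTERED) {
            Provider p = registerAtRuntime();
            System.out.println("Registered at runtime: " + p.getName() + " (" + p.getInfo() + ")");
        }
        System.out.println("KeyStore.getInstance(\"BCFKS\") works: " + bcfksAvailable());
    }
}
```

Compile and run it with the server's JDK, first as "java -cp .:/path/to/bc-fips-1.0.0.jar BcFipsProviderCheck" (the way TestBCLoaded was run) and then with the jar absent from -cp, to see the state flip from REGISTERED to NOT_ON_CLASSPATH. NOT_ON_CLASSPATH with the same java.security file is the signature of a class path problem rather than a java.security problem; a jar that only exists inside a JBoss module is in that category too, because the application class loader that instantiates java.security providers cannot see module resources. The runtime registration branch is a diagnostic aid for confirming the jar itself works, not a replacement for configuring the provider order.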