[jboss-jira] [JBoss JIRA] (ELY-1622) BC FIPS with CLI: SunX509 KeyManagerFactory not available

Farah Juma (JIRA) issues at jboss.org
Thu Sep 6 15:14:00 EDT 2018 

    [ https://issues.jboss.org/browse/ELY-1622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13630135#comment-13630135 ] 

Farah Juma edited comment on ELY-1622 at 9/6/18 3:13 PM:
---------------------------------------------------------

[~mchoma] What steps did you use? I was just able to successfully use a {{security-property}} to set {{ssl.KeyManagerFactory.algorithm}} to {{"X509"}} without needing to update the {{java.security}} file. To test it, I removed the {{algorithm="X509"}} parameter from my {{key-manager}} configuration in the Elytron subsystem, verified that I got a {{"java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available"}}, then added in the {{security-property}} and verified that the {{KeyManager}} was successfully created. Note that the {{security-property}} won't affect the creation of the client {{SSLContext}} that's configured in the wildfly-config.xml file.


was (Author: fjuma):
[~mchoma] What steps did you use? I was just able to successfully use a {{security-property}} to set {{ssl.KeyManagerFactory.algorithm}} to {{"X509"}} without needing to update the {{java.security}} file. To test it, I removed the {{algorithm="X509"}} parameter from my {{key-manager}} configuration in the Elytron subsystem, verified that I got a {{"java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available"}}, then added in the {{security-property}} and verified that the {{KeyManager}} was successfully created. 

> BC FIPS with CLI: SunX509 KeyManagerFactory not available
> ---------------------------------------------------------
>
>                 Key: ELY-1622
>                 URL: https://issues.jboss.org/browse/ELY-1622
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.5.1.Final
>            Reporter: Martin Choma
>            Assignee: Farah Juma
>            Priority: Blocker
>             Fix For: 1.5.2.Final
>
>         Attachments: cli-test-wildfly-config.xml, jboss-cli.log, truststore.bcfks
>
>
> I am trying to connect from jboss-cli.sh to EAP server. To reproduce the problem it is enough BC FIPS is used only on client side.
> {code:java|titlejboss-cli.log}
> 11:50:25,147 ERROR [org.jboss.as.cli.impl.CliLauncher] Error processing CLI: org.jboss.as.cli.CliInitializationException: Failed to connect to the controller
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:330)
>         at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:291)
>         at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:45)
>         at org.jboss.modules.Module.run(Module.java:352)
>         at org.jboss.modules.Module.run(Module.java:320)
>         at org.jboss.modules.Main.main(Main.java:593)
> Caused by: org.jboss.as.cli.CommandLineException: Failed to resolve host 'localhost'
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1256)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1203)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1198)
>         at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:328)
>         ... 5 more
> Caused by: java.io.IOException: Failed to obtain SSLContext
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:156)
>         at org.jboss.as.cli.impl.ModelControllerClientFactory$2.getClient(ModelControllerClientFactory.java:85)
>         at org.jboss.as.cli.impl.CommandContextImpl.connectController(CommandContextImpl.java:1222)
>         ... 8 more
> Caused by: java.security.KeyManagementException: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>         at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:589)
>         at org.bouncycastle.jsse.provider.ProvSSLContextSpi.engineInit(ProvSSLContextSpi.java:531)
>         at javax.net.ssl.SSLContext.init(SSLContext.java:282)
>         at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:372)
>         at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:221)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.getSSLContext(AuthenticationContextConfigurationClient.java:208)
>         at org.jboss.as.cli.impl.CLIModelControllerClient.<init>(CLIModelControllerClient.java:153)
>         ... 10 more
> Caused by: java.security.NoSuchAlgorithmException: SunX509 KeyManagerFactory not available
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
>         at javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:137)
>         at org.bouncycastle.jsse.provider.ProvSSLContextSpi.selectKeyManager(ProvSSLContextSpi.java:583)
>         ... 17 more
> {code}
> When I use non-FIPS java with CLI I can make it work. It does occure also when connecting to default unsecured port 9990.
> When I use BCFKS truststore on server side, e.g. in 2-way http communication it works.
> I believe problem is I cant configure algorithm for keymanager on client side in wildfly-config.xml. (At least I don't see how could I do so).
> BC provider does not know SunX509 arlgorithm, rather X509, X.509 or PKIX could be used.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jboss-jira mailing list