[jboss-jira] [JBoss JIRA] (ELY-1648) FIPS NoSuchAlgorithmException: JKS KeyStore not available when trustmanager SunX509

Martin Choma (JIRA) issues at jboss.org
Fri Sep 14 02:41:00 EDT 2018 

    [ https://issues.jboss.org/browse/ELY-1648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13633324#comment-13633324 ] 

Martin Choma commented on ELY-1648:
-----------------------------------

[~jucook], we have documentation how to configure java in FIPS mode using PKCS11 [1]. Please follow these steps. However, last time when someone (I think it was Farah) was following the instructions she wasn't able to make it work. If it will be also your case please fill a documentation JIRA. I think it will be something with NSS default format change to sql.

[1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/how_to_configure_server_security/#configure_ssl_fips_nss_database

> FIPS NoSuchAlgorithmException: JKS KeyStore not available when trustmanager SunX509
> -----------------------------------------------------------------------------------
>
>                 Key: ELY-1648
>                 URL: https://issues.jboss.org/browse/ELY-1648
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.5.5.Final
>            Reporter: Martin Choma
>            Assignee: Justin Cook
>         Attachments: java.security
>
>
> With SunX509 truststore algorithm I can succesfully connect with CLI.
> {code}
> <configuration>
>     <authentication-client xmlns="urn:elytron:client:1.1">
>         <key-stores>
>             <key-store name="truststore" type="PKCS11">
>                 <key-store-clear-password password="${password}" />
>             </key-store>
>         </key-stores>
>         <ssl-contexts>
>             <ssl-context name="client-cli-context">
>                 <trust-manager algorithm="SunX509" />
>                 <trust-store key-store-name="truststore" />
>                 <cipher-suite selector="${cipher.suite.filter}" />
>                 <protocol names="${protocol}" />
>             </ssl-context>
>         </ssl-contexts>
>         <ssl-context-rules>
>             <rule use-ssl-context="client-cli-context" />
>         </ssl-context-rules>
>     </authentication-client>
> </configuration>
> {code}
> But there is a exception in log
> {code}
> 13:58:27,652 INFO  [com.redhat.eap.qe.cli.CustomCLIExecutor] (main) java.security.KeyStoreException: JKS not found
> 	at java.security.KeyStore.getInstance(KeyStore.java:851)
> 	at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:59)
> 	at sun.security.util.AnchorCertificates$1.run(AnchorCertificates.java:52)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.security.util.AnchorCertificates.<clinit>(AnchorCertificates.java:52)
> 	at sun.security.provider.certpath.AlgorithmChecker.checkFingerprint(AlgorithmChecker.java:214)
> 	at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:164)
> 	at sun.security.provider.certpath.AlgorithmChecker.<init>(AlgorithmChecker.java:118)
> 	at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:157)
> 	at sun.security.validator.Validator.validate(Validator.java:260)
> 	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> 	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
> 	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
> 	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
> 	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> 	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
> 	at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
> 	at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
> 	at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:543)
> 	at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:314)
> 	at org.xnio.ssl.JsseSslConduitEngine.wrap(JsseSslConduitEngine.java:204)
> 	at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:98)
> 	at org.xnio.ssl.JsseSslStreamSinkConduit.write(JsseSslStreamSinkConduit.java:72)
> 	at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:150)
> 	at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:385)
> 	at org.xnio.http.HttpUpgrade$HttpUpgradeState$StringWriteListener.handleEvent(HttpUpgrade.java:372)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.conduits.WriteReadyHandler$ChannelListenerHandler.writeReady(WriteReadyHandler.java:65)
> 	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:94)
> 	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
> Caused by: java.security.NoSuchAlgorithmException: JKS KeyStore not available
> 	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> 	at java.security.Security.getImpl(Security.java:695)
> 	at java.security.KeyStore.getInstance(KeyStore.java:848)
> 	... 31 more
> {code}
> When I change SunX509 to PKIX exception does not occure anymore.
> Seems exception is thrown by code https://github.com/JetBrains/jdk8u_jdk/blob/master/src/share/classes/sun/security/util/AnchorCertificates.java#L59



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jboss-jira mailing list