[wildfly-dev] Supporting FIPS in domain mode

Darran Lofthouse darran.lofthouse at jboss.com
Thu Nov 19 11:07:44 EST 2015

On 19/11/15 15:50, Brian Stansberry wrote:
> Darran's the expert on this, but my initial naive question is whether
> this can be split into two logical use cases:
> 1) Where we know TLS is not going to be used on the HC<->server connection.
> 2) Where we don't know that.
> I ask because if case 2 is harder or requires changes that don't belong
> in a micro release (e.g. management model changes) perhaps we can first
> deal with case 1. My impression from the initial bug report is that
> SSL/TLS was not configured on the host's management interfaces.

To get to the error in the bug report the underlying user has taken 
these two steps: -
  1 - Configure the JVM to be FIPS Compliant.
  2 - Start a default domain configuration.

They have experienced the error and reported it to us.

I would be very surprised if they were not planning to subsequently 
enable TLS for the remote communication with the HostController.

I suppose at a push master may have no application server instances but 
have TLS enable for remote communication and the individual slave host 
controllers only bind management to loopback so don't enable TLS.

> On 11/19/15 4:25 AM, Ryan Emerson wrote:
>> Hello All,
>> Currently domain mode is unable to execute when the JVM has FIPS enabled. See [1] for example config files and the resulting stacktrace.
>> I am looking into this issue (SET engineer), however my current knowledge of core and FIPS is limited.  What are your thoughts on how to implement FIPS compatibility? Is there any fundamental reasons why such a feature shouldn't be supported?
>> [1] https://issues.jboss.org/browse/WFCORE-1135
>> Thanks
>> Ryan
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev

More information about the wildfly-dev mailing list