Bug 1335299

Summary: [GSS] (6.4.z) remotingjmx client fails to work when the JVM is running in FIPS mode
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: Remoting
Assignee: Jiri Ondrusek <jondruse>
Status: CLOSED EOL
QA Contact: Pavel Slavicek <pslavice>
Severity: unspecified
Priority: unspecified
Version: 6.4.7
CC: david.lloyd, dhorton, jondruse, msochure
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2019-08-19 12:47:34 UTC
Type: Bug

Description dhorton 2016-05-11 20:02:23 UTC
Description of problem:

The remotingjmx client fails to work when the JVM is running in FIPS mode.  There doesn't appear to be a way to configure the keystore and truststore.  As a result, javax.net.ssl.SSLContext.getDefault() gets called which fails with the following stacktrace:

 java.io.IOException: Failed to configure SSL
   at org.jboss.remoting3.remote.RemoteConnectionProvider.sslConfigFailure(RemoteConnectionProvider.java:321)
   at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:209)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
   at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
   at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
   at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
   at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
   at jboss.example.servlet.HelloServlet.testRemoteJMX(HelloServlet.java:58)
   at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
   at javax.servlet.GenericServlet.init(GenericServlet.java:242)
   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
   at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
   at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)
   at org.jboss.threads.JBossThread.run(JBossThread.java:122)
   at ...asynchronous invocation...(Unknown Source)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:286)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
   at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
   at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
   at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
   at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
   at jboss.example.servlet.HelloServlet.testRemoteJMX(HelloServlet.java:58)
   at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
   at javax.servlet.GenericServlet.init(GenericServlet.java:242)
   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
   at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
   at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)
   at org.jboss.threads.JBossThread.run(JBossThread.java:122)
 Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
   at java.security.Provider$Service.newInstance(Provider.java:1617)
   at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
   at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
   at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
   at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
   at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:87)
   at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:66)
   at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:73)
   at org.xnio.Xnio.getSslProvider(Xnio.java:209)
   at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
   ... 23 more
 Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips
   at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
   at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
   at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
   at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
   at java.security.Provider$Service.newInstance(Provider.java:1595)
   ... 33 more


Reproducer notes:

1) Configure the JVM in FIPS mode

2) Create a remote JMX connection within a deployed application:

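   // Imports needed at the top of the servlet source file:
   //   import javax.management.remote.JMXConnector;
   //   import javax.management.remote.JMXConnectorFactory;
   //   import javax.management.remote.JMXServiceURL;
   private void testRemoteJMX() {
     try {
       // Select the remoting-jmx protocol provider for the "remoting-jmx" URL scheme.
       java.util.Map<String, Object> environment = new java.util.HashMap<String, Object>();
       environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx");
       JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999");
       // In FIPS mode this connect() call fails with "Failed to configure SSL".
       JMXConnector jmxc = JMXConnectorFactory.connect(url, environment);
       jmxc.close();
     } catch( Exception e ) {
       System.out.println("*** Error:"+e.getMessage());
       e.printStackTrace();
     }
   }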

Comment 1 dhorton 2016-05-12 17:36:52 UTC
Workaround:

  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"


This will expose the keystore password in the process listing.  Use the vault system to hide the keystore password.
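
A preflight check for the failure in this bug, as an added example that is not part of the original report or of the remoting-jmx or XNIO code: it shows the store properties the JSSE default context will read, looks for an installed SunPKCS11 provider, and makes the same SSLContext.getDefault() call that appears in the trace above. The class name DefaultSslContextPreflight is hypothetical; run it with the same JAVA_OPTS and java.security configuration as the server JVM.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class name), not part of remoting-jmx or XNIO. */
public class DefaultSslContextPreflight {

    // System properties the JSSE default SSLContext reads; the workaround sets these.
    private static final String[] STORE_PROPS = {
        "javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType",
        "javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType"
    };

    /** Returns the name of the first installed SunPKCS11 provider, or null if none. */
    static String findPkcs11Provider() {
        for (Provider p : Security.getProviders()) {
            if (p.getName().startsWith("SunPKCS11")) {
                return p.getName();
            }
        }
        return null;
    }

    /** Walks the cause chain down to the innermost exception. */
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) {
            t = t.getCause();
        }
        return t;
    }

    public static void main(String[] args) {
        for (String name : STORE_PROPS) {
            System.out.println(name + " = " + System.getProperty(name, "<unset>"));
        }
        // Report only whether a password is set, never its value.
        System.out.println("javax.net.ssl.keyStorePassword set: "
                + (System.getProperty("javax.net.ssl.keyStorePassword") != null));
        System.out.println("PKCS11 provider: " + findPkcs11Provider());
        try {
            // Same call that org.xnio.ssl.JsseSslUtils reaches in the trace above.
            SSLContext ctx = SSLContext.getDefault();
            System.out.println("Default SSLContext OK, provider " + ctx.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Default SSLContext FAILED: " + rootCause(e));
            System.exit(1);
        }
    }
}
```

The default SSLContext is built once per JVM on the first getDefault() call, so the store properties have to be in place before any code in the process asks for it.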