Bug 2156945

Summary: Enable XML Signature provider in FIPS mode [rhel-8, openjdk-17]
Product: Red Hat Enterprise Linux 8
Component: java-17-openjdk
Version: 8.8
Hardware: Unspecified
OS: Unspecified
Status: CLOSED CURRENTRELEASE
Reporter: Francisco Ferrari Bihurriet <fferrari>
Assignee: Francisco Ferrari Bihurriet <fferrari>
QA Contact: OpenJDK QA <java-qa>
CC: ahughes, jvanek, sgehwolf
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: 8.8
Keywords: Triaged, ZStream
Fixed In Version: java-17-openjdk-17.0.7.0.7-3.el8
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Clones: 2186826, 2186827, 2186828, 2186829
Bug Depends On: 1995150, 2023467, 2052070, 2092507, 2094027, 2134669
Bug Blocks: 2186826, 2186827, 2186828, 2186829
Last Closed: 2023-06-26 15:01:24 UTC

Description Francisco Ferrari Bihurriet 2022-12-29 19:50:25 UTC
This bug was initially created as a copy of Bug #1940064

I am copying this bug because: we need to fix this in OpenJDK 17 too.

When OpenJDK is configured in FIPS mode, the XML Signature provider is currently disabled, and the keystore type must be PKCS11 (/etc/pki/nssdb is used, in read-only mode).

This is not compatible with some third-party applications.

For example, it leads to the following error when running Jenkins on RHEL in FIPS mode:

java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS-FIPS