Oracle JDK8 has some issues which prevent using EAP 6.x in FIPS 140-2 compliant mode. Look at the JDK known issues page for more details: http://www.oracle.com/technetwork/java/javase/8-known-issues-2157115.html

Namely sections:
- Area: Security Libs / javax.crypto / Solaris
- Area: Security Libs / javax.net.ssl

Workaround which worked for us:
- disable TLS 1.2 on both server and client side
From JDK release notes: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8036970

Synopsis

When using RSA client key exchange in SSL/TLS protocols, SunJSSE provider cannot work in FIPS 140 compliant mode. This issue does not impact the default mode of SunJSSE.

A straightforward workaround is to disable FIPS mode of SunJSSE provider. For more information see, FIPS 140 Compliant Mode for SunJSSE.

An alternative workaround is to disable the use of RSA key exchange in SSL/TLS protocols. This issue only happens to RSA key exchange based SSL/TLS cipher suites. To workaround this issue, applications can use DHE/ECDHE cipher suites instead (for example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, etc.). See JSSE Reference Guide for information about customizing SSL/TLS cipher suites.
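The alternative workaround from the release note, sketched with the standard JSSE API. This is an added example, not part of the original comment or of EAP; the class name `NoRsaKeyExchange` and its helper methods are hypothetical, and it uses the JVM's default `SSLContext` rather than a FIPS-configured one.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Hypothetical helper: drops RSA key exchange suites, keeps DHE/ECDHE ones.
public class NoRsaKeyExchange {

    // In JSSE naming, TLS_RSA_WITH_* and SSL_RSA_* suites use RSA key exchange.
    // TLS_DHE_RSA_* and TLS_ECDHE_RSA_* use RSA only for authentication,
    // so they do not match these prefixes and are kept.
    static boolean usesRsaKeyExchange(String suite) {
        return suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_");
    }

    static String[] withoutRsaKeyExchange(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            if (!usesRsaKeyExchange(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Start from what the provider enables by default and filter it,
        // instead of hard-coding a list that may not exist in this JDK.
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setCipherSuites(withoutRsaKeyExchange(params.getCipherSuites()));

        // Apply to an unconnected socket and print the resulting suite list.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            socket.setSSLParameters(params);
            for (String suite : socket.getEnabledCipherSuites()) {
                System.out.println(suite);
            }
        }
    }
}
```

The same filtered parameters can be applied to an `SSLServerSocket` or `SSLEngine` through their `setSSLParameters` methods, so both ends of a connection stop offering RSA key exchange.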
My understanding of the issue is that it is a JDK bug with a known workaround and as such will need to fall into the known-issues category.
Dominik, could you write a doc proposal for the known issue?
Please document as a known issue for 6.4 release.