Bug 1212634
| Summary: | [GSS] (6.4.z) jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Derek Horton <dehort> |
| Component: | CLI | Assignee: | Peter Palaga <ppalaga> |
| Status: | CLOSED WONTFIX | QA Contact: | Petr Kremensky <pkremens> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4.1 | CC: | brian.stansberry, cdewolf, jcacek, msochure, ppalaga, rnetuka |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-24 10:06:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This is a feature request which upstream will be fixed by Elytron. Therefore no development will be done for the 6.4 version. Closing as WONTFIX with the following justification:

As stated in https://issues.jboss.org/browse/WFCORE-644?focusedCommentId=13298010&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13298010 , this kind of scenario will be supported by the new Elytron security subsystem in some later version of EAP.

For EAP 6.4, there is a workaround using system properties via JAVA_OPTS in jboss-cli.sh:

```sh
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=z4ePr85k"
```

The JAVA_TOOL_OPTIONS environment variable can be used for keyStorePassword so that it does not appear in the output of ps -ef.
The cli's SSL configuration should be expanded to support using PKCS11 keystores/truststores. Currently it does not appear to be possible to configure the keystore/truststore type in the jboss-cli.xml file. This is problematic when the JVM is running in FIPS mode. The cli throws the following exception on startup:

```
$ ./bin/jboss-cli.sh
org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
	at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541)
	at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291)
	at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76)
	at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294)
	at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277)
	at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.jboss.modules.Module.run(Module.java:312)
	at org.jboss.modules.Main.main(Main.java:460)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
	at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126)
	at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89)
	at javax.net.ssl.SSLContext.init(SSLContext.java:283)
	at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537)
	... 11 more
```

It is possible to work around the issue by setting the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file:

```sh
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"
```
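Both comments above describe the same workaround: point the CLI's JSSE at the PKCS11 provider through JAVA_OPTS, and keep the keystore PIN out of the argument list by passing it through JAVA_TOOL_OPTIONS. The wrapper below is an added example, not part of the bug report or of EAP; it packages that workaround so the PIN is read from a file that must be private to the invoking user, and it includes a check that the resulting command line (what `ps -ef` shows) carries no `keyStorePassword`. The password file path, the JBOSS_HOME default and the `run_cli` function name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug or from EAP): wrap jboss-cli.sh so the PKCS11
# store settings travel in JAVA_OPTS and the keystore PIN travels in
# JAVA_TOOL_OPTIONS, read from a file that no other user may read.

# JVM options that point the CLI's SSLContext at the PKCS11 provider.
# "NONE" is the JSSE convention for a store that has no file path.
pkcs11_java_opts() {
    printf '%s' '-Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11 -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11'
}

# True when a file's group and other permission bits are all clear.
# Parses `ls -ld` (columns 5-10 are the group/other bits) so it works on
# both GNU and BSD userlands without depending on stat(1) option syntax.
file_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print the JAVA_TOOL_OPTIONS value carrying the keystore PIN read from $1.
# Refuses a missing, group/world-readable or empty file and prints nothing
# in that case, returning non-zero so the caller aborts instead of starting
# the CLI with an unusable or leaked secret.
keystore_password_tool_opts() {
    pwfile=$1
    [ -f "$pwfile" ] || { echo "password file missing: $pwfile" >&2; return 1; }
    file_is_private "$pwfile" || { echo "refusing: $pwfile is group/world readable" >&2; return 1; }
    pin=$(head -n 1 "$pwfile")
    [ -n "$pin" ] || { echo "refusing: $pwfile is empty" >&2; return 1; }
    printf '%s' "-Djavax.net.ssl.keyStorePassword=$pin"
}

# True when a process command line (as ps would print it) exposes the PIN.
# Use it against `ps -o args= -p <pid>` of the running CLI to confirm the
# JAVA_TOOL_OPTIONS route actually kept the password out of argv.
cmdline_leaks_password() {
    case "$1" in
        *keyStorePassword=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Launch the CLI. $1 is the PIN file (assumed path, e.g. /etc/jboss/pkcs11.pin);
# remaining arguments are passed through to jboss-cli.sh, e.g. --connect.
run_cli() {
    pwfile=$1; shift
    tool_opts=$(keystore_password_tool_opts "$pwfile") || return 1
    JAVA_OPTS="${JAVA_OPTS:-} $(pkcs11_java_opts)"
    JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} $tool_opts"
    export JAVA_OPTS JAVA_TOOL_OPTIONS
    exec "${JBOSS_HOME:-/opt/jboss-eap-6.4}/bin/jboss-cli.sh" "$@"
}
```

Two caveats on the JAVA_TOOL_OPTIONS route itself: HotSpot prints `Picked up JAVA_TOOL_OPTIONS: ...` to stderr at startup, so the PIN appears in the CLI's own terminal output and in any transcript of the session; and environment variables are still readable by the same user and by root (for example through /proc/PID/environ on Linux), so this only hides the PIN from other unprivileged users' `ps -ef`, not from the host.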