Bug 1212634 - [GSS] (6.4.z) jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: CLI
Version: 6.4.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Palaga
QA Contact: Petr Kremensky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-16 21:09 UTC by Derek Horton
Modified: 2019-10-10 09:45 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-11-24 10:06:39 UTC
Type: Bug
Embargoed:




Links
System: Red Hat Issue Tracker | ID: WFCORE-644 | Private: 0 | Priority: Critical | Status: Resolved | Summary: jboss-cli needs to support using PKCS11 (including FIPS mode) keystores/truststores | Last Updated: 2017-06-22 08:27:32 UTC

Description Derek Horton 2015-04-16 21:09:33 UTC
The cli's SSL configuration should be expanded to support using PKCS11 keystores/truststores.  Currently it does not appear to be possible to configure the keystore/truststore type in the jboss-cli.xml file.

This is problematic when the JVM is running in FIPS mode.

The cli throws the following exception on startup:

$ ./bin/jboss-cli.sh
org.jboss.as.cli.CliInitializationException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
        at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:541)
        at org.jboss.as.cli.impl.CommandContextImpl.<init>(CommandContextImpl.java:291)
        at org.jboss.as.cli.impl.CommandContextFactoryImpl.newCommandContext(CommandContextFactoryImpl.java:76)
        at org.jboss.as.cli.impl.CliLauncher.initCommandContext(CliLauncher.java:294)
        at org.jboss.as.cli.impl.CliLauncher.main(CliLauncher.java:277)
        at org.jboss.as.cli.CommandLineMain.main(CommandLineMain.java:34)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.jboss.modules.Module.run(Module.java:312)
        at org.jboss.modules.Main.main(Main.java:460)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
        at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:126)
        at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89)
        at javax.net.ssl.SSLContext.init(SSLContext.java:283)
        at org.jboss.as.cli.impl.CommandContextImpl.initSSLContext(CommandContextImpl.java:537)
        ... 11 more


It is possible to work around the issue by setting the javax.net.ssl.keyStore / javax.net.ssl.trustStore system properties in the bin/jboss-cli.sh file:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"

Comment 3 Vlado Pakan 2016-06-16 08:16:16 UTC
This is a feature request which in upstream will be fixed by Elytron. Therefore no development will be done for the 6.4 version.

Comment 4 Peter Palaga 2016-11-24 10:06:39 UTC
Closing as WONTFIX with the following justification:

As stated in https://issues.jboss.org/browse/WFCORE-644?focusedCommentId=13298010&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13298010, this kind of scenario will be supported by the new Elytron security subsystem in some later version of EAP.

For EAP 6.4, there is a workaround using system properties via JAVA_OPTS in jboss-cli.sh:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=z4ePr85k"

The JAVA_TOOL_OPTIONS environment variable can be used for keyStorePassword so that it does not appear in the output of ps -ef.

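The workaround given in the description and again in Comment 4 (javax.net.ssl.* system properties pointing at PKCS11 stores, password moved into JAVA_TOOL_OPTIONS) can be wrapped so that the password is read from a permission-checked file and never appears in jboss-cli's argv. The script below is an added example, not code from the bug report or from the EAP project; the function names, the password-file path and the EAP home path are assumptions made for this example, while the property names are the ones the bug quotes. One caveat the comment does not mention: HotSpot prints "Picked up JAVA_TOOL_OPTIONS: ..." to stderr when the JVM starts, so the password stays out of `ps -ef` but shows up on the terminal or in whatever captures the CLI's stderr.

```shell
#!/bin/sh
# Added example (not from the bug report or from EAP): wraps the PKCS11
# workaround from this bug in small functions so that the keystore password
# is read from a 0600 file and passed via JAVA_TOOL_OPTIONS, not argv.
# Function names and file paths are assumptions made for this example.

# Non-secret half of the workaround. With a PKCS11 provider the store
# "path" is NONE: the keys live in the token, not in a file on disk.
build_pkcs11_ssl_opts() {
    printf '%s' '-Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11 -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11'
}

# Read the token/keystore password from a file only the owner can read.
# Returns 1 and prints nothing if the file is missing, empty, or
# group/world-readable, so an over-permissive file fails the launch early.
read_keystore_password() {
    pwfile="$1"
    [ -f "$pwfile" ] || return 1
    # GNU stat first, BSD stat as a fallback; both print the octal mode bits
    mode=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile" 2>/dev/null) || return 1
    case "$mode" in
        600|400) ;;
        *) return 1 ;;
    esac
    # first line only; tolerate a file without a trailing newline
    IFS= read -r pw < "$pwfile" || [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# The one property that is a secret, built from the password file.
keystore_password_opt() {
    pw=$(read_keystore_password "$1") || return 1
    printf '%s' "-Djavax.net.ssl.keyStorePassword=$pw"
}

# Launch jboss-cli.sh: non-secret properties travel in JAVA_OPTS (they end
# up in argv and are visible in ps -ef), the password in JAVA_TOOL_OPTIONS,
# an environment variable the JVM reads itself.
# Caveat: HotSpot echoes "Picked up JAVA_TOOL_OPTIONS: ..." on stderr at
# startup, so the password is visible on the terminal; redirect stderr to a
# file only this user can read if the session is logged or shared.
launch_jboss_cli() {
    eap_home="$1"; pwfile="$2"; shift 2
    pwopt=$(keystore_password_opt "$pwfile") || {
        echo "keystore password file unusable (missing, empty or not mode 0600): $pwfile" >&2
        return 1
    }
    JAVA_OPTS="${JAVA_OPTS:-} $(build_pkcs11_ssl_opts)" \
    JAVA_TOOL_OPTIONS="$pwopt" \
        "$eap_home/bin/jboss-cli.sh" "$@"
}

# Example invocation with assumed paths, run only when asked for explicitly:
#   JBOSS_CLI_PKCS11_DEMO=1 sh this_script.sh
if [ "${JBOSS_CLI_PKCS11_DEMO:-}" = "1" ]; then
    launch_jboss_cli /opt/jboss-eap-6.4 "$HOME/.jboss-cli.pkcs11-password" --connect
fi
```

The mode check is deliberately on the file's permission bits rather than on whether the file happens to be readable: root can read a 0644 file, but a world-readable password file is the misconfiguration the check is meant to catch.
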
