Hide Forgot
Description of problem: The remotingjmx client fails to work when the JVM is running in FIPS mode. There doesn't appear to be a way to configure the keystore and truststore. As a result, javax.net.ssl.SSLContext.getDefault() gets called which fails with the following stacktrace: java.io.IOException: Failed to configure SSL at org.jboss.remoting3.remote.RemoteConnectionProvider.sslConfigFailure(RemoteConnectionProvider.java:321) at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:209) at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312) at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349) at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230) at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151) at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102) at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58) at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70) at javax.servlet.GenericServlet.init(GenericServlet.java:242) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802) at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163) at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61) at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:122) at ...asynchronous invocation...(Unknown Source) at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:286) at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349) at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230) at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151) at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102) at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58) at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70) at javax.servlet.GenericServlet.init(GenericServlet.java:242) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802) at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163) at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61) at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:122) Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext) at java.security.Provider$Service.newInstance(Provider.java:1617) at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) at sun.security.jca.GetInstance.getInstance(GetInstance.java:164) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96) at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:87) at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:66) at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:73) at org.xnio.Xnio.getSslProvider(Xnio.java:209) at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207) at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312) ... 23 more Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67) at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874) at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at java.security.Provider$Service.newInstance(Provider.java:1595) ... 33 more Reproducer notes: 1) Configure the JVM in FIPS mode 2) Create a remote JMX connection within a deployed application: private void testRemoteJMX() { try { java.util.HashMap environment = new java.util.HashMap(); environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx"); JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999"); JMXConnector jmxc = JMXConnectorFactory.connect(url, environment); } catch( Exception e ) { System.out.println("*** Error:"+e.getMessage()); e.printStackTrace(); } }
Workaround: JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword" This will expose the keystore password in the process listing. Use the vault system to hide the keystore password.