Bug 1335299 - [GSS] (6.4.z) remotingjmx client fails to work when the JVM is running in FIPS mode
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Remoting
Version: 6.4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jiri Ondrusek
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-05-11 20:02 UTC by dhorton
Modified: 2021-12-02 02:52 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:47:34 UTC
Type: Bug
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | JBEAP-4587 | 0 | Major | Pull Request Sent | [GSS](7.0.z) remotingjmx client fails to work when the JVM is running in FIPS mode | 2020-04-30 08:32:03 UTC
Red Hat Issue Tracker | WFLY-8758 | 0 | Blocker | Resolved | Elytron, JMX client fails to work when the JVM is running in FIPS mode | 2020-04-30 08:32:03 UTC

Description dhorton 2016-05-11 20:02:23 UTC
Description of problem:

The remotingjmx client fails to work when the JVM is running in FIPS mode.  There doesn't appear to be a way to configure the keystore and truststore.  As a result, javax.net.ssl.SSLContext.getDefault() gets called which fails with the following stacktrace:

 java.io.IOException: Failed to configure SSL
   at org.jboss.remoting3.remote.RemoteConnectionProvider.sslConfigFailure(RemoteConnectionProvider.java:321)
   at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:209)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
   at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
   at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
   at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
   at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
   at jboss.example.servlet.HelloServlet.testRemoteJMX(HelloServlet.java:58)
   at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
   at javax.servlet.GenericServlet.init(GenericServlet.java:242)
   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
   at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
   at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)
   at org.jboss.threads.JBossThread.run(JBossThread.java:122)
   at ...asynchronous invocation...(Unknown Source)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:286)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
   at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
   at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
   at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
   at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
   at jboss.example.servlet.HelloServlet.testRemoteJMX(HelloServlet.java:58)
   at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
   at javax.servlet.GenericServlet.init(GenericServlet.java:242)
   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
   at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
   at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)
   at org.jboss.threads.JBossThread.run(JBossThread.java:122)
 Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
   at java.security.Provider$Service.newInstance(Provider.java:1617)
   at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
   at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
   at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
   at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
   at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:87)
   at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:66)
   at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:73)
   at org.xnio.Xnio.getSslProvider(Xnio.java:209)
   at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
   ... 23 more
 Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips
   at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
   at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
   at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
   at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
   at java.security.Provider$Service.newInstance(Provider.java:1595)
   ... 33 more


Reproducer notes:

1) Configure the JVM in FIPS mode

2) Create a remote JMX connection within a deployed application:

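   import java.util.HashMap;
   import java.util.Map;
   import javax.management.remote.JMXConnector;
   import javax.management.remote.JMXConnectorFactory;
   import javax.management.remote.JMXServiceURL;

   private void testRemoteJMX() {
     try {
       // Tell the JMX connector factory where to find the remoting-jmx protocol provider.
       Map<String, Object> environment = new HashMap<>();
       environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx");
       JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999");
       // With the JVM in FIPS mode, connect() throws IOException: Failed to configure SSL.
       JMXConnector jmxc = JMXConnectorFactory.connect(url, environment);
       jmxc.close(); // only reached when the connection succeeds
     } catch (Exception e) {
       System.out.println("*** Error:" + e.getMessage());
       e.printStackTrace();
     }
   }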

Comment 1 dhorton 2016-05-12 17:36:52 UTC
Workaround:

  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"


This will expose the keystore password in the process listing.  Use the vault system to hide the keystore password.
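
The failure in the description and the effect of the workaround can be checked outside the application server with a small preflight. This is an added example, not part of the bug report or of the remotingjmx project, and the class name FipsSslPreflight is hypothetical. It reports which javax.net.ssl properties are set, flags a password passed as a -D option, and makes the same SSLContext.getDefault() call that fails in the stack trace.

```java
import java.lang.management.ManagementFactory;
import java.security.KeyStoreException;
import javax.net.ssl.SSLContext;

// Added diagnostic, not from the bug report; the class name is hypothetical.
public class FipsSslPreflight {

    // Properties the JSSE default SSLContext reads; the workaround sets these.
    static final String[] PROPS = {
        "javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType",
        "javax.net.ssl.keyStorePassword",
        "javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType"
    };

    public static void main(String[] args) {
        for (String name : PROPS) {
            String value = System.getProperty(name);
            // Report only whether a password is set, never its value.
            if (value != null && name.endsWith("Password")) {
                value = "<set>";
            }
            System.out.println(name + " = " + (value == null ? "<unset>" : value));
        }
        // A password given as a -D option is part of the JVM command line,
        // so it shows up in the process listing.
        for (String arg : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
            if (arg.startsWith("-Djavax.net.ssl.") && arg.contains("Password=")) {
                System.out.println("WARNING: " + arg.substring(0, arg.indexOf('='))
                        + " is passed on the command line");
            }
        }
        try {
            // Same call that fails under org.xnio.ssl.JsseSslUtils in the trace.
            SSLContext ctx = SSLContext.getDefault();
            System.out.println("OK: default SSLContext from " + ctx.getProvider().getName());
        } catch (Exception e) {
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.out.println("FAILED: " + root);
            if (root instanceof KeyStoreException) {
                System.out.println("The default key store type is not accepted by the provider.");
            }
            System.exit(1);
        }
    }
}
```

Run it on the FIPS-configured JVM with the same JAVA_OPTS as the server to compare the result with and without the workaround properties.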

