Bug 1335299 - [GSS] (6.4.z) remotingjmx client fails to work when the JVM is running in FIPS mode [NEEDINFO]
Summary: [GSS] (6.4.z) remotingjmx client fails to work when the JVM is running in FIPS mode
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Remoting
Version: 6.4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jiri Ondrusek
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-11 20:02 UTC by dhorton
Modified: 2019-11-14 08:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:47:34 UTC
Type: Bug
vpakan: needinfo? (dhorton)




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | JBEAP-4587 | Major | Pull Request Sent | [GSS](7.0.z) remotingjmx client fails to work when the JVM is running in FIPS mode | 2020-04-30 08:32:03 UTC
Red Hat Issue Tracker | WFLY-8758 | Blocker | Resolved | Elytron, JMX client fails to work when the JVM is running in FIPS mode | 2020-04-30 08:32:03 UTC

Description dhorton 2016-05-11 20:02:23 UTC
Description of problem:

The remotingjmx client fails to work when the JVM is running in FIPS mode. There doesn't appear to be a way to configure the keystore and truststore. As a result, javax.net.ssl.SSLContext.getDefault() gets called, which fails with the following stacktrace:

 java.io.IOException: Failed to configure SSL
   at org.jboss.remoting3.remote.RemoteConnectionProvider.sslConfigFailure(RemoteConnectionProvider.java:321)
   at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:209)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
   at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
   at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
   at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
   at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
   at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
   at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
   at javax.servlet.GenericServlet.init(GenericServlet.java:242)
   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
   at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
   at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)
   at org.jboss.threads.JBossThread.run(JBossThread.java:122)
   at ...asynchronous invocation...(Unknown Source)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:286)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:267)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:365)
   at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
   at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:230)
   at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:151)
   at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:102)
   at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
   at jboss.example.servlet.HelloServlet.testRemoteJMHelloServlet.java:58)
   at jboss.example.servlet.HelloServlet.init(HelloServlet.java:70)
   at javax.servlet.GenericServlet.init(GenericServlet.java:242)
   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1206)
   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1112)
   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3593)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:3802)
   at org.jboss.as.web.deployment.WebDeploymentService.doStart(WebDeploymentService.java:163)
   at org.jboss.as.web.deployment.WebDeploymentService.access$000(WebDeploymentService.java:61)
   at org.jboss.as.web.deployment.WebDeploymentService$1.run(WebDeploymentService.java:96)
   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
   at java.lang.Thread.run(Thread.java:745)
   at org.jboss.threads.JBossThread.run(JBossThread.java:122)
 Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
   at java.security.Provider$Service.newInstance(Provider.java:1617)
   at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
   at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
   at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
   at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
   at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:87)
   at org.xnio.ssl.JsseSslUtils.createSSLContext(JsseSslUtils.java:66)
   at org.xnio.ssl.JsseXnioSsl.<init>(JsseXnioSsl.java:73)
   at org.xnio.Xnio.getSslProvider(Xnio.java:209)
   at org.jboss.remoting3.remote.RemoteConnectionProvider.connect(RemoteConnectionProvider.java:207)
   at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:312)
   ... 23 more
 Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-nss-fips
   at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
   at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
   at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultKeyManager(SSLContextImpl.java:874)
   at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:732)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
   at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
   at java.security.Provider$Service.newInstance(Provider.java:1595)
   ... 33 more


Reproducer notes:

1) Configure the JVM in FIPS mode

2) Create a remote JMX connection within a deployed application:

   import java.util.HashMap;
   import java.util.Map;
   import javax.management.remote.JMXConnector;
   import javax.management.remote.JMXConnectorFactory;
   import javax.management.remote.JMXServiceURL;

   private void testRemoteJMX() {
     try {
       // Select the remoting-jmx provider for the service:jmx:remoting-jmx scheme
       Map<String, Object> environment = new HashMap<String, Object>();
       environment.put("jmx.remote.protocol.provider.pkgs", "org.jboss.remotingjmx");
       JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999");
       // Fails here in FIPS mode: remoting falls back to SSLContext.getDefault()
       JMXConnector jmxc = JMXConnectorFactory.connect(url, environment);
       jmxc.close();
     } catch (Exception e) {
       System.out.println("*** Error:" + e.getMessage());
       e.printStackTrace();
     }
   }

Comment 1 dhorton 2016-05-12 17:36:52 UTC
Workaround:

  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11"
  JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=NONE -Djavax.net.ssl.keyStoreType=PKCS11 -Djavax.net.ssl.keyStorePassword=imapassword"


This will expose the keystore password in the process listing.  Use the vault system to hide the keystore password.
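Comment 1's JAVA_OPTS workaround steers the JDK's default SSLContext to the NSS FIPS PKCS11 token. The following standalone class is an added illustration, not code from this report or from JBoss: it mirrors the store-loading logic behind SSLContext.getDefault() and checks that the resulting key store is PKCS11-backed before any remoting-jmx connection is attempted. It assumes a JVM already configured with the SunPKCS11-nss-fips provider and launched with the same -Djavax.net.ssl.* properties as the workaround.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Mirrors how the JDK's default SSLContext consumes the javax.net.ssl.* properties: a store
// path of "NONE" means "no file", which is how a PKCS11 token store is opened. In FIPS mode
// the default KeyManagerFactory rejects any KeyStore not backed by SunPKCS11-nss-fips.
public class FipsSslPreflight {

    static KeyStore loadStore(String pathProp, String typeProp, String passProp) throws Exception {
        String path = System.getProperty(pathProp);
        String type = System.getProperty(typeProp, KeyStore.getDefaultType());
        String pass = System.getProperty(passProp);
        char[] pw = (pass == null) ? null : pass.toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        if (path == null || "NONE".equals(path)) {
            ks.load(null, pw);                   // PKCS11: logs in to the token with pw
        } else {
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, pw);                 // file-backed store (JKS, PKCS12)
            }
        }
        return ks;
    }

    // True when the store comes from a SunPKCS11 provider, the condition the FIPS
    // KeyManagerFactory enforces; false means JMXConnectorFactory.connect() will fail.
    static boolean isPkcs11Backed(KeyStore ks) {
        return ks.getProvider().getName().startsWith("SunPKCS11");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadStore("javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStorePassword");
        KeyStore ts = loadStore("javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStorePassword");
        if (!isPkcs11Backed(ks)) {
            System.out.println("WARNING: key store is not PKCS11-backed; FIPS mode will reject it");
        }
        String pass = System.getProperty("javax.net.ssl.keyStorePassword");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, (pass == null) ? null : pass.toCharArray());   // the call that threw in the trace
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        // The same properties drive SSLContext.getDefault(), which remoting calls internally.
        System.out.println("default SSLContext provider: " + SSLContext.getDefault().getProvider().getName());
    }
}
```

Run it with the exact JAVA_OPTS from the workaround; if the warning prints or kmf.init() throws, the remoting-jmx client will fail the same way as the trace above.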

