Bug 2156945 - Enable XML Signature provider in FIPS mode [rhel-8, openjdk-17]
Summary: Enable XML Signature provider in FIPS mode [rhel-8, openjdk-17]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: java-17-openjdk
Version: 8.8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.8
Assignee: Francisco Ferrari Bihurriet
QA Contact: OpenJDK QA
URL:
Whiteboard:
Depends On: 1995150 2023467 2052070 2092507 2094027 2134669
Blocks: 2186826 2186827 2186828 2186829
 
Reported: 2022-12-29 19:50 UTC by Francisco Ferrari Bihurriet
Modified: 2023-06-26 15:01 UTC

Fixed In Version: java-17-openjdk-17.0.7.0.7-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2186826 2186827 2186828 2186829
Environment:
Last Closed: 2023-06-26 15:01:24 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | rh-openjdk jdk pull 24 | 0 | None | open | RH1940064: Enable XML Signature provider in FIPS mode | 2022-12-29 20:18:40 UTC
Red Hat Issue Tracker | RHELPLAN-143373 | 0 | None | None | None | 2022-12-29 19:53:16 UTC

Description Francisco Ferrari Bihurriet 2022-12-29 19:50:25 UTC
This bug was initially created as a copy of Bug #1940064

I am copying this bug because: we need to fix this in OpenJDK 17 too.


When OpenJDK is configured in FIPS mode, the XML Signature provider is currently disabled, and the keystore type must be PKCS11 (/etc/pki/nssdb is used, in read-only mode).

This is not compatible with some 3rd party applications.

For example, it leads to the following error running Jenkins on RHEL in FIPS mode:

java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS-FIPS
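
A way to confirm the state described above on a given JVM, as an added example that is not part of the original bug report or of the OpenJDK sources: it lists the configured providers, checks whether the JDK's `XMLDSig` provider is registered, and shows which providers supply each keystore type. The class name `FipsXmlDsigCheck` and the helper `keyStoreProviders` are hypothetical; it runs as a single source file with `java FipsXmlDsigCheck.java`.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.xml.crypto.NoSuchMechanismException;
import javax.xml.crypto.dsig.XMLSignatureFactory;

// Hypothetical class name; prints the provider and keystore state of the running JVM.
public class FipsXmlDsigCheck {

    // Names of the providers that offer the given KeyStore type, in preference order.
    static String keyStoreProviders(String type) {
        Provider[] found = Security.getProviders("KeyStore." + type); // null when none match
        if (found == null) {
            return "(none)";
        }
        StringBuilder names = new StringBuilder();
        for (Provider p : found) {
            if (names.length() > 0) names.append(", ");
            names.append(p.getName());
        }
        return names.toString();
    }

    public static void main(String[] args) {
        System.out.println("Configured security providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }

        // "XMLDSig" is the name of the JDK's XML Signature provider.
        System.out.println("XMLDSig provider registered: "
                + (Security.getProvider("XMLDSig") != null));

        // What an application sees when it asks for the DOM XML Signature mechanism.
        try {
            XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
            System.out.println("DOM XMLSignatureFactory from: " + factory.getProvider().getName());
        } catch (NoSuchMechanismException e) {
            System.out.println("DOM XMLSignatureFactory unavailable: " + e.getMessage());
        }

        System.out.println("Default keystore type: " + KeyStore.getDefaultType());
        for (String type : new String[] {"PKCS11", "PKCS12", "JKS"}) {
            System.out.println("KeyStore." + type + " providers: " + keyStoreProviders(type));
        }
    }
}
```

Comparing the output on a FIPS-enabled host before and after the fixed package version shows whether `XMLDSig` appears in the provider list.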

