Unable to Deploy on FIPS RHEL8


Nate

Oct 13, 2023, 2:28:20 PM
to WildFly
Is there a definitive guide to configuring Wildfly to run on FIPS enabled RHEL8? I have tried following instructions I have found on redhat.com EAP guides and I think I am close to getting it to work but I haven't found a way around this error. 

My standalone.xml elytron looks like this:
<subsystem xmlns="urn:wildfly:elytron:15.1" disallowed-providers="OracleUcrypto" final-providers="combined-providers">
    <providers>
        <aggregate-providers name="combined-providers">
            <providers name="elytron"/>
            <providers name="openssl"/>
            <providers name="SunPKCS11"/>
        </aggregate-providers>
        <provider-loader module="org.wildfly.security.elytron" name="elytron"/>
        <provider-loader module="org.wildfly.openssl" name="openssl"/>
        <provider-loader name="SunPKCS11" module="com.sun.crypto.provider.SunPKCS11"/>
    </providers>

My current error is the following:
2023-10-13 17:03:23,880 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.security.providers.SunPKCS11: org.jboss.msc.service.StartException in service org.wildfly.security.providers.SunPKCS11: org.jboss.modules.ModuleNotFoundException: com.sun.crypto.provider.SunPKCS11
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ProviderDefinitions$1$1.loadProviders(ProviderDefinitions.java:300)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ProviderDefinitions$1$1.access$300(ProviderDefinitions.java:129)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ProviderDefinitions$1$1$1.get(ProviderDefinitions.java:191)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ProviderDefinitions$1$1$1.get(ProviderDefinitions.java:176)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ElytronDoohickey.get(ElytronDoohickey.java:114)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:61)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
        at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.jboss.modules.ModuleNotFoundException: com.sun.crypto.provider.SunPKCS11
        at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:301)
        at org.jboss.modules.Module.getModule(Module.java:672)
        at org.jboss.modules.Module.getModule(Module.java:661)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ClassLoadingAttributeDefinitions.resolveClassLoader(ClassLoadingAttributeDefinitions.java:60)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ProviderDefinitions$1$1.lambda$loadProviders$0(ProviderDefinitions.java:223)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.SecurityActions.doPrivileged(SecurityActions.java:39)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ProviderDefinitions$1$1.loadProviders(ProviderDefinitions.java:222)
        ... 13 more



A pointer in the right direction would be much appreciated!
Thanks,
Nate

Diana Krepinska

Oct 19, 2023, 7:41:05 AM
to WildFly
Hello Nate,

You have configured the provider-loader to point to the module "com.sun.crypto.provider.SunPKCS11". This module is not present in Wildfly and does not appear to have been added as a custom module either, so the ModuleNotFoundException is thrown. Please make sure that this path is correct. Is it possible that you wanted to add the "com.sun.crypto.provider.SunJCE" provider-loader instead?

Ashwin Mehendale

Oct 19, 2023, 11:47:46 AM
to WildFly
Hi Nate, 

In case it helps, as you mentioned the EAP docs, here's a link to the latest docs about configuring FIPS 140-2 compliant credential stores on FIPS-enabled RHEL: Creating FIPS 140-2 compliant credential store using a SUNPKCS#11 provider and NSS database in FIPS enabled RHEL.

best,

ashwin

Nate

Nov 3, 2023, 9:45:20 AM
to WildFly
I have come to a full stop trying to deploy my wildfly application in a FIPS enabled RHEL8 environment. FIPS does not support JCEKS keystores because the SunJCE security provider is not enabled. I got wildfly running on a PKCS11 keystore backed credential-store as outlined here: https://access.redhat.com/solutions/6981688. I have found similar, more complicated steps for using Bouncy Castle. However, my application cannot deploy because it uses a JCEKS keystore directly from code. Is converting all java code that uses the JCEKS keystore to now use the PKCS11 keystore or a BCFKS keystore my only option?
Thanks,
Nate
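Added example (editor's illustration, not code from this thread or from WildFly): the situation above, where application code hard-codes KeyStore.getInstance("JCEKS"), fails on a FIPS-enforced RHEL 8 JVM with an unhelpful KeyStoreException because the SunJCE provider that supplies JCEKS is not loaded. The class below asks the installed providers which KeyStore types they actually register, refuses a type that is missing with a message listing the available ones, and handles the PKCS11 case (no file, the password is the token PIN) separately from file-backed types such as JCEKS, PKCS12 or BCFKS. The class name, the KEYSTORE_PASS environment variable and the default type are this example's own choices; it assumes the host's java.security already registers the PKCS11 (NSS FIPS) provider, as the Red Hat solution linked above describes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

// Added example: pick a KeyStore type the running JVM provides instead of
// hard-coding "JCEKS", so FIPS hosts fail early with a readable message.
public final class FipsAwareKeyStore {

    /** KeyStore types registered by the currently installed providers (names are upper case). */
    public static Set<String> availableKeyStoreTypes() {
        return new TreeSet<>(Security.getAlgorithms("KeyStore"));
    }

    /** True when some installed provider supplies the requested KeyStore type. */
    public static boolean isAvailable(String type) {
        return availableKeyStoreTypes().contains(type.toUpperCase(Locale.ROOT));
    }

    /**
     * Opens a keystore of the requested type.
     *  - File-backed types (JCEKS, PKCS12, BCFKS) read the file at {@code path}.
     *  - PKCS11 has no file: {@code path} is ignored and {@code password} is the token PIN.
     */
    public static KeyStore open(String type, String path, char[] password) throws Exception {
        if (!isAvailable(type)) {
            // Typical cause on FIPS-enforced RHEL: SunJCE is not loaded, so JCEKS is absent.
            throw new KeyStoreException("KeyStore type " + type + " is not provided by this JVM."
                + " Available types: " + availableKeyStoreTypes());
        }
        KeyStore ks = KeyStore.getInstance(type);
        if ("PKCS11".equalsIgnoreCase(type)) {
            ks.load(null, password);            // NSS/HSM token: no stream, PIN as password
        } else {
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    // Usage: java FipsAwareKeyStore [type] [path]   (password/PIN read from KEYSTORE_PASS)
    public static void main(String[] args) throws Exception {
        String type = args.length > 0 ? args[0] : "PKCS11";   // FIPS-friendly default (assumed)
        String path = args.length > 1 ? args[1] : null;
        String pass = System.getenv("KEYSTORE_PASS");
        System.out.println("KeyStore types available: " + availableKeyStoreTypes());
        KeyStore ks = open(type, path, pass == null ? null : pass.toCharArray());
        System.out.println("Opened " + ks.getType() + " via provider " + ks.getProvider().getName()
            + " with " + ks.size() + " entries");
    }
}
```

Running it with "JCEKS" on a FIPS host prints the list of types the JVM does offer, which is the quickest way to see whether PKCS11 (or BCFKS, if Bouncy Castle FIPS is installed) is the available replacement before touching the rest of the code.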

Nate

Nov 14, 2023, 2:34:28 PM
to WildFly
I have now converted everything to run on the PKCS11 keystore. Everything is working except for one crucial component, the ActiveMQ Broker. Is there a known issue with this? Everything seems to come up fine but whenever a connection is made to the broker it gets a "no cipher suites in common" error.

Diana Krepinska

Nov 15, 2023, 11:09:35 AM
to WildFly
Hi Nate, yes, in FIPS-enforced RHEL the keystores and cipher suites are restricted. For the RH AMQ broker specifically I found that this issue is in the backlog: https://issues.redhat.com/browse/ENTMQBR-4553. There is a possibility to configure the system property com.redhat.fips to false in order to bypass the FIPS enforcements.

Nate

Nov 16, 2023, 7:52:01 AM
to WildFly
Thank you, Diana. Sadly, I do not have access to view https://issues.redhat.com/browse/ENTMQBR-4553. I get "You can't view this issue." This whole effort is to make my software FIPS compliant, so bypassing FIPS enforcements would be counterproductive.

Nate

Nov 30, 2023, 8:04:37 AM
to WildFly
I was able to get past this by adding this setting to my code that configures the broker:
connectionParams.put(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, "true");
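Added example (editor's illustration, not code from this thread or from the Artemis project): a worked version of the setting above, with a diagnostic for the "no cipher suites in common" error. My reading of why the flag helps, stated as an assumption rather than something the thread confirms, is that with useDefaultSslContext the Artemis Netty connector reuses the JVM's default SSLContext, which on a FIPS-enforced host is built from the FIPS providers and offers only the approved suites, whereas otherwise the connector assembles its own SSLContext from keystore parameters. Printing the default context's cipher suites shows exactly what the client will offer, so a broker-side list that shares nothing with it is visible before any connection attempt. The class name, host and port are constructed for the example; TransportConstants.HOST_PROP_NAME, PORT_PROP_NAME, SSL_ENABLED_PROP_NAME and the TransportConfiguration(String, Map) constructor are Artemis' own, and the approach keeps FIPS enforcement in place rather than disabling it.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnectorFactory;
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;

// Added example: build an Artemis Netty connector that reuses the JVM default
// SSLContext (FIPS providers) and show which cipher suites that context offers.
public final class FipsBrokerConnector {

    /** Cipher suites the JVM's default SSLContext offers; on a FIPS host this is the approved list. */
    public static String[] defaultCipherSuites() throws Exception {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        return params.getCipherSuites();
    }

    /** Connector parameters: TLS on, and let Artemis use the default SSLContext instead of its own. */
    public static Map<String, Object> connectionParams(String host, int port) {
        Map<String, Object> params = new HashMap<>();
        params.put(TransportConstants.HOST_PROP_NAME, host);
        params.put(TransportConstants.PORT_PROP_NAME, port);
        params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
        // The setting from the thread: reuse SSLContext.getDefault() (FIPS-configured on RHEL).
        params.put(TransportConstants.USE_DEFAULT_SSL_CONTEXT_PROP_NAME, "true");
        return params;
    }

    /** Wraps the parameters in the TransportConfiguration Artemis clients/bridges consume. */
    public static TransportConfiguration connector(String host, int port) {
        return new TransportConfiguration(NettyConnectorFactory.class.getName(),
                                          connectionParams(host, port));
    }

    // Usage: java FipsBrokerConnector [broker-host]   (port 61617 is a constructed sample value)
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        System.out.println("Default SSLContext protocol: " + SSLContext.getDefault().getProtocol());
        System.out.println("Cipher suites offered: " + Arrays.toString(defaultCipherSuites()));
        System.out.println("Connector: " + connector(host, 61617));
    }
}
```

If the printed list is empty or contains only suites the broker's acceptor does not enable, the mismatch is on the configuration side (the acceptor's enabled suites or the JVM's FIPS policy), not in the application code, and that is where to look next.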