Upgrading BouncyCastle from 1.0.2.4 FIPS to 2.0.0


Daniel Peller

Sep 5, 2024, 12:46:55 PM
to WildFly
Hi,
I have a small problem upgrading BC to version 2.0.0.
In our software, we have BouncyCastle 1.0.2.4 FIPS configured and working without any issue.
During the upgrade, I:
- configured the java.security providers according to the "BC-FJA-UserGuide-2.0.0" guide.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
- changed the .jar file under "WildFly/modules/fips/main" from "bc-fips-1.0.2.4.jar" to "bc-fips-2.0.0.jar"
- made the changes in the "module.xml"

In our standalone.xml, credential-store is already configured, so are the providers.

My credential-store in standalone.xml looks like this:
<credential-store name="mp_credentialstore" relative-to="jboss.server.config.dir" path="../../credentialstores/keystore.bcfks" modifiable="true" create="true">
    <implementation-properties>
        <property name="keyAlias" value="key"/>
        <property name="external" value="true"/>
        <property name="externalPath" value="../credentialstores/credentialstore.bcfks"/>
        <property name="keyStoreType" value="BCFKS"/>
    </implementation-properties>
    <credential-reference clear-text="<I cleared it out>"/>
</credential-store>

Providers were set already, with module name "org.bouncycastle.fips".

But, here comes the problem.
When I want to start WildFly Service, I get the following error:

14:58:39,025+0200 ERROR  fail                                     startFailed: MSC000001: Failed to start service org.wildfly.security.credential-store.mp_credentialstore: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.mp_credentialstore: WFLYELY00004: Unable to start the service.
at org.wildfly.ex...@22.0.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1.get(CredentialStoreResourceDefinition.java:522)
at org.wildfly.ex...@22.0.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1.get(CredentialStoreResourceDefinition.java:479)
at org.wildfly.ex...@22.0.2.Final//org.wildfly.extension.elytron.ElytronDoohickey.get(ElytronDoohickey.java:103)
at org.wildfly.ex...@22.0.2.Final//org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:48)
at org.jb...@1.5.2.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1617)
at org.jb...@1.5.2.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1580)
at org.jb...@1.5.2.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1438)
at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
at java.base/java.lang.Thread.run(Thread.java:839)
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
at org.wildfly.secu...@2.2.2.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:979)
at org.wildfly.secu...@2.2.2.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:988)
at org.wildfly.secu...@2.2.2.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:867)
at org.wildfly.secu...@2.2.2.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:224)
at org.wildfly.secu...@2.2.2.Final//org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:160)
at org.wildfly.ex...@22.0.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1$1.run(CredentialStoreResourceDefinition.java:514)
at org.wildfly.ex...@22.0.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1.get(CredentialStoreResourceDefinition.java:518)
... 11 more
Caused by: java.security.KeyStoreException: BCFKS not found
at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
at org.wildfly.secu...@2.2.2.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:975)
... 17 more
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.base/java.security.Security.getImpl(Security.java:673)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
... 18 more


But when I remove ".fips" from the module (so it basically becomes module-name="org.bouncycastle"), it is working perfectly. I guess it is because it is using the non-FIPS version.

Can you help me with my problem? Is there something that I am missing or did not set correctly or something else?

I am using:
- WildFly 30.0.1
- Windows Server 2019
- IBM Java 11.0.22

Thank you for your help,
Daniel
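A diagnostic for the "BCFKS KeyStore not available" failure shown in the trace above, added here as an example and not code from this thread, WildFly or BouncyCastle. The class name BcfksProviderCheck is hypothetical; it assumes bc-fips-2.0.0.jar is on the classpath of the JVM it is run with (the same JVM and java.security file that WildFly or elytron-tool uses), and it separates the three cases the thread is circling around: the edited java.security not being the one loaded, the jar not being on the classpath, and the provider being present but failing to start.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;

/** Hypothetical diagnostic (not from the thread): run it with bc-fips-2.0.0.jar on the classpath. */
public class BcfksProviderCheck {

    // Provider class name as configured in java.security in the first post.
    static final String FIPS_PROVIDER = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    public static void main(String[] args) {
        // 1. What did this JVM actually read from java.security? If these are null or still show
        //    the stock providers, the file you edited is not the one this JVM loaded.
        for (int i = 1; i <= 3; i++) {
            String key = "security.provider." + i;
            System.out.println(key + " = " + Security.getProperty(key));
        }

        // 2. Which providers are registered right now, in the order KeyStore.getInstance consults them?
        for (Provider p : Security.getProviders()) {
            System.out.println("registered: " + p.getName() + " " + p.getVersionStr());
        }

        // 3. Is the FIPS provider class loadable at all, and can it start? A ClassNotFoundException
        //    means the jar is missing from this JVM's classpath; any other exception from the
        //    constructor is the "blows up and it's hidden" case, made visible here.
        try {
            Class<?> cls = Class.forName(FIPS_PROVIDER);
            Provider fips = (Provider) cls.getDeclaredConstructor().newInstance();
            if (Security.getProvider(fips.getName()) == null) {
                // Static configuration did not register it; register it at runtime so step 4 can be tested.
                Security.insertProviderAt(fips, 1);
                System.out.println("registered at runtime: " + fips.getName());
            }
        } catch (ClassNotFoundException e) {
            System.out.println("provider class not on classpath: " + FIPS_PROVIDER);
        } catch (Throwable t) {
            System.out.println("provider could not be instantiated: " + t);
        }

        // 4. The exact call that fails in the stack trace: KeyStore.getInstance("BCFKS").
        try {
            KeyStore ks = KeyStore.getInstance("BCFKS");
            System.out.println("BCFKS available from provider " + ks.getProvider().getName());
        } catch (KeyStoreException e) {
            System.out.println("BCFKS still not available: " + e.getMessage());
        }
    }
}
```

If step 1 prints the expected class names but step 2 does not list BCFIPS, the provider is failing during startup rather than being unconfigured, which is what step 3 surfaces.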

Bartosz Baranowski

Sep 9, 2024, 2:46:21 AM
to WildFly
I'm not overly keen here, but the initial error suggests that the BCFS provider is not registered (or blows up and it's hidden?). Did you update this part as well?
https://groups.google.com/g/wildfly/c/dyOfXBfLPc8

Daniel Peller

Sep 10, 2024, 10:19:00 AM
to WildFly
I tried updating this part, but it is still not working for me.

Daniel Peller

Sep 10, 2024, 12:16:02 PM
to WildFly
I tried creating a new credential-store, but it looks to me like when I use elytron-tool to create a new credential store, it gives me the same "BCFKS not found" error.

Bartosz Baranowski

Sep 12, 2024, 1:25:04 AM
to Daniel Peller, WildFly
Now that's what I would call a clue.



--

"With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably."

Bartosz Baranowski
RedHat R&D
