Using BCFKS for the credential store


Sven Rajala

Feb 14, 2024, 2:21:45 PM
to WildFly
I'm trying to figure out how to use a BCFKS for the credential store with Wildfly 26.1.3 without having FIPS enabled. 

The JBoss documentation has some steps, but they seem incomplete. When running the last command it fails, and I'm pretty sure it's because Wildfly or the elytron-tool.sh don't know how to use the keystore since it's BCFKS. I can generate the 2 keystores with Java keytool fine by providing the BC libs:

keytool -genkeypair -alias credstore -keyalg RSA -keysize 4096 -storepass Pxssw0rd -keystore /opt/wildfly/standalone/configuration/credstore.bcfks -storetype BCFKS -keypass Pxssw0rd -providerpath /opt/bclib/bcprov-jdk18on-175.jar -provider org.bouncycastle.jce.provider.BouncyCastleProvider -dname "CN=localhost"

keytool -genseckey -alias credstorekey -keyalg AES -keysize 256 -keystore /opt/wildfly/standalone/configuration/credstorekey.bcfks -storetype BCFKS -storepass Pxssw0rd -keypass Pxssw0rd -providerpath /opt/bclib/bcprov-jdk18on-175.jar -provider org.bouncycastle.jce.provider.BouncyCastleProvider

/opt/wildfly/bin/elytron-tool.sh credential-store -c -a credstore -x Pxssw0rd -p Pxssw0rd -l /opt/wildfly/standalone/configuration/credstore.bcfks -u "keyStoreType=BCFKS;external=true;keyAlias=credstorekey;externalPath=/opt/wildfly/standalone/configuration/credstorekey.bcfks"
Feb 12, 2024 10:56:57 AM org.jboss.logmanager.JBossLoggerFinder getLogger
ERROR: The LogManager accessed before the "java.util.logging.manager" system property was set to "org.jboss.logmanager.LogManager". Results may be unexpected.
Exception encountered executing the command:
ELY09514: Unable to initialize credential store

Does anyone know of any other documentation on how to use Bouncy Castle to protect the credential store without having FIPS mode enabled? Or does Bouncy Castle only work with java running in FIPS mode?

Prarthona Paul

Feb 14, 2024, 2:32:54 PM
to WildFly
Hello there, 
Have you checked if the list of providers for your default fips.provider is as expected? 
Here is another question (https://groups.google.com/g/wildfly/c/NRTKSZIrErI/m/8jVMKGTiAQAJ) we had about using BCFKS for credential stores and maybe this can help? 
Please feel free to follow up with any other questions you have. 
Best, 
Prarthona

Sven Rajala

Feb 14, 2024, 2:46:14 PM
to WildFly
I'm wondering if something like this would work without using the FIPS BC libs? I have no experience with the java.security file though. Any tips or tricks for this file are most welcome.

provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
provider.3=SunJCE
provider.4=SUN
provider.5=SunEC
provider.6=com.sun.net.ssl.internal.ssl.Provider

Prarthona Paul

Feb 16, 2024, 10:59:49 AM
to WildFly
Please give it a try and see if it works. 
You could also check to make sure which security providers you have listed in the Java security file. 

Sven Rajala

Mar 1, 2024, 5:13:45 AM
to WildFly
I used the steps from that link: (https://groups.google.com/g/wildfly/c/NRTKSZIrErI/m/8jVMKGTiAQAJ), but I was not able to add the credential store with the elytron-tools.sh. I have only been able to add the credential store from the jboss-cli:

/subsystem=elytron/credential-store=credstore1:add(credential-reference={clear-text=PrimeKey},implementation-properties={keyAlias=init,external=true, externalPath=/opt/wildfly/standalone/configuration/initstore, keyStoreType=BCFKS}, create=true, path=/opt/wildfly/standalone/configuration/credstore.bcfks, modifiable=true, other-providers=BcAggregateProvider)

I was able to add a password:

/subsystem=elytron/credential-store=credstore1:add-alias(alias=dbPassword, secret-value=dbpassword2!)

The elytron-tools.sh gave me this error (This has the java opt with the java.security file provided like Diana said to do):

/opt/wildfly/bin/elytron-tool.sh credential-store -c -a init -x PrimeKey -l /opt/wildfly/standalone/configuration/credstore.bcfks -p PrimeKey -u "keyStoreType=BCFKS;keyAlias=init;external=true;externalPath=/opt/wildfly/standalone/configuration/initstore" --debug

Exception encountered executing the command:
org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:955)
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:964)
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:843)
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:223)
at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:160)
at org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:404)
at org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:84)
Caused by: java.security.KeyStoreException: BCFKS not found
at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:951)
... 6 more
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.base/java.security.Security.getImpl(Security.java:733)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
... 7 more

Now that I have a password in the BCFKS credential store and it is working for my data source, I'm now trying to figure out how to add additional credentials using the elytron-tools.sh, but I cannot figure it out. Are there any examples that can be shared? I haven't found anything in the RHEL KBs or online.

I've tried this:

/elytron-tool.sh credential-store --location /opt/wildfly/standalone/configuration/credstore.bcfks --password PrimeKey --aliases --debug

Exception encountered executing the command:
org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
at org.wildfly.secu...@2.2.3.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:907)
at org.wildfly.secu...@2.2.3.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:224)
at org.wildfly.secu...@2.2.3.Final//org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:160)
at org.wildfly.secu...@2.2.3.Final//org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:421)
at org.wildfly.secu...@2.2.3.Final//org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:88)
at org.jboss.modules.Module.run(Module.java:352)
at org.jboss.modules.Module.run(Module.java:320)
at org.jboss.modules.Main.main(Main.java:607)
Caused by: java.io.IOException: Invalid keystore format
at java.base/com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:725)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at org.wildfly.secu...@2.2.3.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:895)
... 7 more


[root@ejbca01 bin]# /opt/wildfly/bin/elytron-tool.sh credential-store --credential-store-provider BCFIPS --location /opt/wildfly/standalone/configuration/credstore.bcfks --password PrimeKey --aliases --debug

Exception encountered executing the command:
java.lang.IllegalArgumentException: ELYTOOL00015: Unknown provider "BCFIPS"
at org.wildfly.security.tool.Command.lambda$getProvidersSupplier$0(Command.java:256)
at org.wildfly.security.credential.store.CredentialStore.getInstance(CredentialStore.java:114)
at org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:364)
at org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:84)

[root@ejbca01 bclib]# /opt/wildfly/bin/elytron-tool.sh credential-store --other-providers org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider --location /opt/wildfly/standalone/configuration/credstore.bcfks --password PrimeKey --aliases --debug
-Djava.security.properties=/opt/bclib/java.security

Exception encountered executing the command:
java.lang.IllegalArgumentException: ELYTOOL00015: Unknown provider "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
at org.wildfly.security.tool.Command.lambda$getProvidersSupplier$0(Command.java:256)
at org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:406)
at org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:84)

[root@ejbca01 bclib]# /opt/wildfly/bin/elytron-tool.sh credential-store --credential-store-provider credstore1 --location /opt/wildfly/standalone/configuration/initstore --password PrimeKey --aliases --debug
-Djava.security.properties=/opt/bclib/java.security

Exception encountered executing the command:
java.lang.IllegalArgumentException: ELYTOOL00015: Unknown provider "credstore1"
at org.wildfly.security.tool.Command.lambda$getProvidersSupplier$0(Command.java:256)

Maybe I'm close and someone here can give me a pointer to get this one solved.
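The three stack traces in the post above each point at a different root cause, and a small triage script makes that visible without reading the whole trace. The following is an added example and not part of WildFly, Elytron or any poster's setup; the category names are the script's own, and the sample messages are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Triage helper for elytron-tool.sh credential-store failures.
# Added example, not part of WildFly or Elytron; category names are this
# script's own and the samples below are constructed from the thread's output.

# classify_credstore_error TEXT -> prints one category for the given tool output
classify_credstore_error() {
    case "$1" in
        # No loaded JCA provider implements the BCFKS KeyStore type:
        # the BC jars are not on the tool's (boot)classpath.
        *"BCFKS KeyStore not available"*|*"KeyStoreException: BCFKS not found"*)
            echo provider-missing ;;
        # The store was opened by the default JCE KeyStore implementation,
        # i.e. the command did not pass keyStoreType=BCFKS.
        *"Invalid keystore format"*)
            echo type-mismatch ;;
        # The name given to --credential-store-provider/--other-providers is not
        # a provider registered in the tool's JVM (misspelled or jar not loaded).
        *"ELYTOOL00015: Unknown provider"*)
            echo provider-not-registered ;;
        # Initialization failed without a recognised "Caused by:" line.
        *"ELY09514"*)
            echo init-failed ;;
        *)
            echo unknown ;;
    esac
}

# remediation CATEGORY -> prints the fix the thread arrived at for that category
remediation() {
    case "$1" in
        provider-missing)
            echo 'export JAVA_OPTS="$JAVA_OPTS -Xbootclasspath/a:/path/to/bc-fips.jar:..." before running elytron-tool.sh' ;;
        type-mismatch)
            echo 'add -u "keyStoreType=BCFKS;keyAlias=...;external=true;externalPath=..." to the command' ;;
        provider-not-registered)
            echo 'check the provider name and that its jar is on the bootclasspath' ;;
        init-failed)
            echo 'rerun with --debug to see the Caused by: chain' ;;
        *)
            echo 'no known fix' ;;
    esac
}

# Constructed samples, abridged from the output quoted in the thread
SAMPLE_NO_PROVIDER='ELY09514: Unable to initialize credential store
Caused by: java.security.KeyStoreException: BCFKS not found
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available'
SAMPLE_BAD_FORMAT='ELY09514: Unable to initialize credential store
Caused by: java.io.IOException: Invalid keystore format'
SAMPLE_UNKNOWN_PROVIDER='java.lang.IllegalArgumentException: ELYTOOL00015: Unknown provider "BCFIPS"'

for sample in "$SAMPLE_NO_PROVIDER" "$SAMPLE_BAD_FORMAT" "$SAMPLE_UNKNOWN_PROVIDER"; do
    kind=$(classify_credstore_error "$sample")
    printf '%s -> %s\n' "$kind" "$(remediation "$kind")"
done
```

In practice you would feed it the captured output: `classify_credstore_error "$(/opt/wildfly/bin/elytron-tool.sh credential-store ... --debug 2>&1)"`. The order of the `case` branches matters, because every failure also carries the generic ELY09514 line; the specific "Caused by:" signatures are tested first.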

Diana Krepinska

Mar 1, 2024, 10:00:36 AM
to WildFly
Hi, do you have paths to the BC provider jars specified in your boot classpath? For example: JAVA_OPTS="$JAVA_OPTS -Xbootclasspath/a:/path/to/bc-fips.jar:/path/to/bctls-fips.jar". It is also mentioned in the other linked question: https://groups.google.com/g/wildfly/c/NRTKSZIrErI/m/8jVMKGTiAQAJ

Sven Rajala

Mar 1, 2024, 10:51:35 AM
to WildFly
Thank you Diana! That is the step I was missing to export the bootclasspath.

The working commands for me are:

export JAVA_OPTS="$JAVA_OPTS -Xbootclasspath/a:/opt/wildfly/modules/org/bouncycastle/fips/main/bc-fips-1.0.2.4.jar:/opt/wildfly/modules/org/bouncycastle/fips/main/bctls-fips-1.0.18.jar:/opt/wildfly/modules/org/bouncycastle/fips/main/bcpkix-fips-1.0.7.jar"


/opt/wildfly/bin/elytron-tool.sh credential-store -c -a init -x PrimeKey -l /opt/wildfly/standalone/configuration/credstore.bcfks -p PrimeKey -u "keyStoreType=BCFKS;keyAlias=init;external=true;externalPath=/opt/wildfly/standalone/configuration/initstore" --debug

/opt/wildfly/bin/elytron-tool.sh credential-store --location /opt/wildfly/standalone/configuration/credstore.bcfks --password PrimeKey --add TestPasswd --secret "foo123" -u "keyStoreType=BCFKS;keyAlias=init;external=true;externalPath=/opt/wildfly/standalone/configuration/initstore" --debug

/opt/wildfly/bin/elytron-tool.sh credential-store --location /opt/wildfly/standalone/configuration/credstore.bcfks --password PrimeKey --aliases -u "keyStoreType=BCFKS;keyAlias=init;external=true;externalPath=/opt/wildfly/standalone/configuration/initstore"


Now I can get this automated with Ansible and leverage Bouncy Castle!

Thank you Diana & Paul for the pointers.
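Since the missing step turned out to be the bootclasspath export, the script below assembles that JAVA_OPTS value from a jar directory and refuses to continue if a jar is absent, so a typo in a jar name is caught before elytron-tool.sh fails with "BCFKS KeyStore not available". This is an added example, not code from WildFly or from the posters; the directory and jar names are parameters (the demo uses a constructed temporary directory in place of /opt/wildfly/modules/org/bouncycastle/fips/main).

```shell
#!/bin/sh
# Build the -Xbootclasspath/a: option for the BC FIPS jars and verify each
# jar exists before exporting JAVA_OPTS for elytron-tool.sh.
# Added example, not part of WildFly; the demo directory is constructed.

# bc_bootclasspath DIR JAR... -> prints DIR/JAR1:DIR/JAR2:..., returns 1 if a jar is missing
bc_bootclasspath() {
    dir=$1; shift
    path=""
    for jar in "$@"; do
        if [ ! -f "$dir/$jar" ]; then
            echo "missing jar: $dir/$jar" >&2
            return 1
        fi
        path="${path:+$path:}$dir/$jar"
    done
    printf '%s\n' "$path"
}

# bc_java_opts DIR JAR... -> prints the -Xbootclasspath/a: option for the jars
bc_java_opts() {
    path=$(bc_bootclasspath "$@") || return 1
    printf '%s\n' "-Xbootclasspath/a:$path"
}

# Demo: a constructed directory stands in for the module directory used above
demo_dir=$(mktemp -d)
touch "$demo_dir/bc-fips-1.0.2.4.jar" \
      "$demo_dir/bctls-fips-1.0.18.jar" \
      "$demo_dir/bcpkix-fips-1.0.7.jar"

if opts=$(bc_java_opts "$demo_dir" bc-fips-1.0.2.4.jar bctls-fips-1.0.18.jar bcpkix-fips-1.0.7.jar); then
    # elytron-tool.sh inherits JAVA_OPTS, so the listing command from the post
    # (credential-store --location ... --aliases -u "keyStoreType=BCFKS;...")
    # can run after this export.
    export JAVA_OPTS="${JAVA_OPTS:+$JAVA_OPTS }$opts"
    echo "JAVA_OPTS=$JAVA_OPTS"
fi

# A misspelled jar name fails before any tool is invoked
bc_java_opts "$demo_dir" bc-fips-1.0.2.4.jar bctls-fips-1.0.19.jar || echo "bootclasspath not exported"

rm -rf "$demo_dir"
```

Point `bc_java_opts` at the real module directory and jar names from the working post to produce the same JAVA_OPTS line as above; the same function fits an Ansible task, since a non-zero exit stops the play instead of leaving a half-configured environment.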