Error starting BouncyCastle FIPS Enabled WildFly instance


Jayesh Naithani

Dec 10, 2021, 4:16:07 PM
to WildFly
Hi All,

Updating a previously configured FIPS enabled WF instance with updated BouncyCastle jars. BouncyCastle is the security provider for both JCAJCE and JSSE (TLS).

2021-11-22 18:07:31,902 ERROR [io.undertow.request] (default I/O-12) UT005086: Failed to accept SSL request: java.lang.RuntimeException: WFLYDM0114: Failed to lazily initialize SSL context
    at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.doInit(SSLContextService.java:216)
    at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.engineCreateSSLEngine(SSLContextService.java:243)
    at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:361)
    at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:159)
    at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:60)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:289)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:132)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:179)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:128)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.getKeyManagers(AbstractKeyManagerService.java:107)
    at org.jboss.as.domain.management.security.SSLContextService$LazyInitSSLContext$LazyInitSpi.doInit(SSLContextService.java:213)
    ... 12 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:153)
    at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:175)
    ... 15 more
Caused by: java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:666)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:112)
    ... 16 more
It seems like WildFly is trying to create the SSL context and is loading a keystore/truststore, but as a JKS formatted store instead of BCFKS.

standalone.xml and the WF JDK are configured to support use of BouncyCastle. The same configuration works with previous versions of the BC jars configured at the JDK level.

Any suggestion on determining root cause for this error?

Thank you,

-Jayesh

Diana Krepinska

Dec 13, 2021, 10:09:56 AM
to WildFly
Hello,

What is the version of Java you are using? For Java 11, the following security providers should be used:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS

In Java 11 make sure you have bouncycastle added as a module, you can do so via CLI:
module add --name=org.bouncycastle.fips --resources=/path/to/bc-fips-1.0.2.jar:/path/to/bctls-fips-1.0.10.jar
/subsystem=elytron/provider-loader=bc:add(module=org.bouncycastle.fips)
/subsystem=elytron:write-attribute(name=initial-providers,value=bc)

Also make sure the keystore is of type "BCFKS".
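The two replies above point at the same check: the keystore WildFly is handed must be a BCFKS store opened through the BCFIPS provider, and the "Invalid keystore format" in the original trace is what the default JKS loader reports when it is given anything else. The following is an added diagnostic, not code from the thread or from WildFly or BouncyCastle: it registers the BouncyCastleFipsProvider class named in Diana's reply if java.security has not already done so, lists the providers in lookup order, and tries to open the file first as BCFKS via BCFIPS and then as JKS, so a type mismatch is reported in plain terms. It assumes the bc-fips and bctls-fips jars are on the classpath; the class name KeystoreTypeCheck, the file path and the password on the command line are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

/**
 * Added diagnostic (not part of the thread): shows which security providers
 * the JVM has registered and tries to open a keystore as BCFKS through the
 * BCFIPS provider, then as JKS through the default provider, so a type
 * mismatch shows up as a clear message instead of "Invalid keystore format".
 *
 * Example invocation (jar versions as in Diana's reply; path and password are
 * placeholders):
 *   java -cp bc-fips-1.0.2.jar:bctls-fips-1.0.10.jar:. KeystoreTypeCheck /path/to/store.bcfks changeit
 */
public class KeystoreTypeCheck {

    // Provider class from the java.security line quoted in the thread.
    private static final String BCFIPS_CLASS =
            "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    /** Registers BCFIPS at position 1 if java.security did not already do so. */
    static void ensureBcFipsProvider() throws ReflectiveOperationException {
        if (Security.getProvider("BCFIPS") == null) {
            Provider p = (Provider) Class.forName(BCFIPS_CLASS)
                    .getDeclaredConstructor().newInstance();
            Security.insertProviderAt(p, 1);
        }
    }

    /**
     * Tries one keystore type / provider pair against the file.
     * Returns null on success, otherwise the exception class and message.
     */
    static String tryLoad(String path, char[] password, String type, String provider) {
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore ks = (provider == null)
                    ? KeyStore.getInstance(type)
                    : KeyStore.getInstance(type, provider);
            ks.load(in, password);
            System.out.printf("%s via provider %s: OK, %d entries%n",
                    type, ks.getProvider().getName(), ks.size());
            return null;
        } catch (IOException | GeneralSecurityException e) {
            // A wrong password surfaces here as IOException too; the message says so.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreTypeCheck <keystore-file> <store-password>");
            System.exit(2);
        }
        ensureBcFipsProvider();

        System.out.println("Installed providers, in lookup order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
        }

        char[] pw = args[1].toCharArray();
        String bcfks = tryLoad(args[0], pw, "BCFKS", "BCFIPS");
        String jks = tryLoad(args[0], pw, "JKS", null);

        if (bcfks == null) {
            System.out.println("File is a BCFKS store: the WildFly keystore definition must declare type BCFKS, not JKS.");
        } else if (jks == null) {
            System.out.println("File is a JKS store: it must be converted to BCFKS before the FIPS provider can load it.");
        } else {
            System.out.println("Neither type loaded. BCFKS -> " + bcfks + "; JKS -> " + jks);
        }
    }
}
```

If the provider listing does not show BCFIPS first, the java.security lines from the reply above have not taken effect for the JVM WildFly actually runs under, which is worth confirming before touching the keystore itself.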

Jayesh Naithani

Nov 7, 2022, 11:37:54 AM
to WildFly
Thank you Diana. We ended up moving to WildFly 21 w/ Corretto JDK 1.8, which resolved our initializing SSL context issues.