Wildfly 26 FIPS Java 17


Nate

Dec 16, 2024, 8:00:58 AM12/16/24
to WildFly
I now run my application in WildFly 26 with Java 17. However, running the same versions of the application, WildFly, and Java on my FIPS environment now fails with the following error:

2024-12-13 21:06:41,249 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.security.credential-store.main: org.jboss.msc.service.StartException in service org.wildfly.security.credential-store.main: WFLYELY00004: Unable to start the service.
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1.get(CredentialStoreResourceDefinition.java:535)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1.get(CredentialStoreResourceDefinition.java:492)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.ElytronDoohickey.get(ElytronDoohickey.java:114)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:61)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
        at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09514: Unable to initialize credential store
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:978)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.setupExternalStorage(KeyStoreCredentialStore.java:988)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:866)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:224)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:160)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1$1.run(CredentialStoreResourceDefinition.java:527)
        at org.wildfly.ex...@18.1.2.Final//org.wildfly.extension.elytron.CredentialStoreResourceDefinition$CredentialStoreDoohickey$1.get(CredentialStoreResourceDefinition.java:531)
        ... 11 more
Caused by: java.security.KeyStoreException: JCEKS not found
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:871)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:974)
        ... 17 more
Caused by: java.security.NoSuchAlgorithmException: JCEKS KeyStore not available
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.base/java.security.Security.getImpl(Security.java:749)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:868)
        ... 18 more

Is there a new Elytron version that does not try to create a JCEKS keystore instance by default when creating a keystore backed credential store?
I have checked the latest here and it does not appear so. What are your recommendations?
Thank You,
Nate
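The trace above fails inside KeyStoreCredentialStore.setupExternalStorage, where the credential store calls KeyStore.getInstance("JCEKS") and the JVM answers "JCEKS KeyStore not available": on a FIPS-configured JVM the provider that normally supplies JCEKS is not registered. The following checker is an added example, not code from the thread or from WildFly Elytron; run it with exactly the java.security settings the server uses so it sees the same provider list. The -Djava.security.properties path in the comment is a placeholder for your own FIPS configuration file, and the list of types to check is an assumption (JCEKS is what the trace fails on; PKCS12 and JKS are the other types a keystore-backed credential store is commonly configured with).

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;

/**
 * Reports which KeyStore types the JVM's installed providers register and
 * whether the ones a keystore-backed credential store asks for can actually
 * be instantiated.  Run with the server's security configuration, e.g.
 *
 *   java -Djava.security.properties=/path/to/your/fips.java.security KeyStoreTypeCheck
 *
 * (the properties file path is a placeholder; use the file your FIPS host uses).
 */
public class KeyStoreTypeCheck {

    // Assumption: these are the types worth checking for an Elytron credential
    // store on a FIPS host.  JCEKS is the type the ELY09514 trace fails on.
    private static final String[] WANTED = {"JCEKS", "JKS", "PKCS12"};

    /** Every "KeyStore" service registered by any installed provider, as "TYPE (provider)". */
    public static Set<String> registeredKeyStoreTypes() {
        Set<String> types = new TreeSet<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    types.add(s.getAlgorithm() + " (" + p.getName() + ")");
                }
            }
        }
        return types;
    }

    /** True if KeyStore.getInstance(type) succeeds with the current provider set. */
    public static boolean isAvailable(String type) {
        try {
            KeyStore.getInstance(type);
            return true;
        } catch (KeyStoreException e) {
            // Thrown as "<type> not found", wrapping NoSuchAlgorithmException,
            // exactly as in the credential-store trace.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("Installed providers (in priority order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        System.out.println("Registered KeyStore types:");
        for (String t : registeredKeyStoreTypes()) {
            System.out.println("  " + t);
        }
        boolean jceksMissing = false;
        for (String t : WANTED) {
            boolean ok = isAvailable(t);
            System.out.println(t + ": " + (ok ? "available" : "NOT available"));
            if ("JCEKS".equals(t) && !ok) {
                jceksMissing = true;
            }
        }
        if (jceksMissing) {
            // Same condition that makes Elytron's KeyStoreCredentialStore throw ELY09514.
            System.out.println("JCEKS cannot be instantiated on this JVM; a keystore-backed "
                    + "credential store that requests JCEKS will fail to start here.");
            System.exit(1);
        }
    }
}
```

Running this on the non-FIPS host and on the FIPS host, with each host's own java.security, shows the difference in the provider list directly, which is quicker than starting the server and reading the MSC failure.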

Darran Lofthouse

Dec 16, 2024, 8:41:51 AM12/16/24
to WildFly
FYI we do have a fix for this making it through the review process. I have just sent a PR to our 2.x branch to see if we can include it in WildFly 35.0.0.Final or, if not, in WildFly 35.0.1.Final.

Nate

Dec 17, 2024, 7:25:15 AM12/17/24
to WildFly
Thanks. Is there any way to make this work with WildFly 26? I am not ready to upgrade WildFly, which would require refactoring my app from javax.* to jakarta.*.

Darran Lofthouse

Dec 17, 2024, 8:23:29 AM12/17/24
to WildFly
You might be able to backport the change yourself and use your own build of WildFly Elytron in your application server installation.

Alternatively, the jar containing the credential store implementation within your installation should be pretty tightly constrained. Swapping in jars is always risky, but it may be possible to swap in the jar from the upstream release once we create it. TBH we will not have undertaken any testing / validation ourselves, so it would certainly be a case of YMMV.

Nate

Dec 17, 2024, 9:56:54 AM12/17/24
to WildFly
Yes, this is what I've already started working towards. Just wanted to make sure there wasn't an easier alternative. What's more difficult is that I am deploying my app inside a bootable jar.
Thank you for your quick responses,
Nate
