Enabling FIPS in openjdk11 and tomcat 9

I am trying to enable FIPS mode using NSS DB, openjdk11 and tomcat 9.
Configured:
--> java.security with security.provider.1=sun.security.pkcs11.SunPKCS11 /usr/share/tomcat/nss_pkcsll_fips.cfg
--> Installed NSS DB using modutil
--> configured the https connector in server.xml with certificateKeystoreType="PKCS11"
Getting the below error:
25-Nov-2022 18:09:21.046 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [PKCS11] with path [/home/tomcat/.keystore] due to [PKCS11 not found]
java.security.KeyStoreException: PKCS11 not found
at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:186)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.base/java.security.Security.getImpl(Security.java:779)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
Can anyone point me to the documentation to enable FIPS mode in tomcat9 with openJDK11?
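The following diagnostic is an added example, not code from the question, from Tomcat or from the JDK. It registers the JDK 11 SunPKCS11 provider from an NSS FIPS configuration at runtime and then performs the same KeyStore.getInstance("PKCS11") lookup that SSLUtilBase.getStore fails on in the trace above, so it shows whether the provider is actually reachable before Tomcat is involved. The config file contents, its path /etc/pki/tomcat/nss_fips.cfg, the module name NSSfips, the PIN handling and the server.xml attributes in the comment are assumptions; the NSS attributes (nssLibraryDirectory, nssSecmodDirectory, nssModule = fips) and Provider.configure(String) are the documented JDK 9+ PKCS#11 API.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

/**
 * Added diagnostic (not part of the original question): register the
 * JDK 11 SunPKCS11 provider from an NSS FIPS config at runtime and prove
 * that a "PKCS11" KeyStore can be obtained from it. Tomcat's
 * SSLUtilBase.getStore() makes the same KeyStore.getInstance("PKCS11")
 * call, so if this program fails with "PKCS11 KeyStore not available",
 * Tomcat will fail the same way.
 *
 * Assumed NSS config file (path, directories and name are assumptions):
 *
 *   name = NSSfips
 *   nssLibraryDirectory = /usr/lib64
 *   nssSecmodDirectory = /etc/pki/nssdb
 *   nssDbMode = readOnly
 *   nssModule = fips
 *
 * The static equivalent in java.security on JDK 11 names the provider and
 * passes the config path as its argument:
 *
 *   security.provider.1=SunPKCS11 /etc/pki/tomcat/nss_fips.cfg
 *
 * A Tomcat 9 connector can then select that provider by the name SunPKCS11
 * derives from the config ("SunPKCS11-" + name); assumed fragment:
 *
 *   <Connector port="8443" SSLEnabled="true" ...>
 *     <SSLHostConfig>
 *       <Certificate certificateKeystoreType="PKCS11"
 *                    certificateKeystoreProvider="SunPKCS11-NSSfips"
 *                    certificateKeystorePassword="changeit"
 *                    certificateKeyAlias="tomcat"/>
 *     </SSLHostConfig>
 *   </Connector>
 */
public class FipsProviderCheck {

    /** Configure SunPKCS11 from the given NSS config and install it first in the provider list. */
    static Provider installPkcs11(String nssConfigPath) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider missing: is module jdk.crypto.cryptoki present?");
        }
        // JDK 9+ API: configure() returns a new provider instance named
        // "SunPKCS11-<name from config>"; the unconfigured base is left alone.
        Provider configured = base.configure(nssConfigPath);
        Security.insertProviderAt(configured, 1);
        return configured;
    }

    /** Load the PKCS11 keystore (the NSS DB) through the provider and return the number of entries. */
    static int countEntries(Provider p, char[] pin) throws Exception {
        // For PKCS11 the store is the token itself, there is no file to stream,
        // so load(null, pin) is the correct call; Tomcat also passes no stream
        // for this keystore type.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            n++;
            System.out.printf("%s  key=%b  cert=%b%n", alias, ks.isKeyEntry(alias), ks.isCertificateEntry(alias));
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "/etc/pki/tomcat/nss_fips.cfg"; // assumed path
        char[] pin = (args.length > 1 ? args[1] : "").toCharArray();        // token PIN, if the DB has one

        Provider p = installPkcs11(cfg);
        System.out.println("installed " + p.getName() + " at position 1");

        // This is the lookup that failed in the stack trace: it only succeeds
        // when a registered provider offers KeyStore.PKCS11.
        KeyStore.getInstance("PKCS11");
        System.out.println("entries in NSS DB: " + countEntries(p, pin));
    }
}
```

Run it with the same JDK that starts Tomcat (java FipsProviderCheck /path/to/nss.cfg [pin]). If installPkcs11 throws, the NSS library directory or secmod directory in the config is wrong for this machine; if the KeyStore lookup throws, the provider never registered; if the alias listing is empty, the certificate was not imported into the NSS DB that the config points at.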

Related

Protocoll adapter start fails with `OpenSSL is not available`

The MQTT protocol adapter does not start and in its log I see the message io.vertx.core.VertxException: OpenSSL is not available. What does this mean and what could be the cause?
11:10:18.131 [main] ERROR o.e.h.a.m.i.Application$$EnhancerBySpringCGLIB$$f98773bb - exception occurred during startup, shutting down ...
java.util.concurrent.ExecutionException: io.vertx.core.VertxException: OpenSSL is not available
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2022)
at org.eclipse.hono.service.AbstractBaseApplication.run(AbstractBaseApplication.java:160)
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:804)
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:794)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:324)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248)
at org.eclipse.hono.adapter.mqtt.impl.Application.main(Application.java:37)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:50)
at org.springframework.boot.loader.PropertiesLauncher.main(PropertiesLauncher.java:593)
Caused by: io.vertx.core.VertxException: OpenSSL is not available
Please check if you have set the property nativeTlsRequired in the protocol adapter's configuration to true. The default Hono containers do not contain netty-tcnative. To enable this option, please follow the explanation in the Hono Admin Guide or build your own container images.
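The check below is an added example and is neither Hono's code nor the answerer's. It uses netty's io.netty.handler.ssl.OpenSsl, the class whose availability decides whether an OpenSSL-based engine can be used, to report whether netty-tcnative loaded and, if not, why. The class name NativeTlsCheck and the way the nativeTlsRequired flag is mapped onto the decision are assumptions; the netty calls (OpenSsl.isAvailable, unavailabilityCause, versionString) exist as written.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslProvider;

/**
 * Added example (not Hono's own code): reproduce the "native TLS or fail"
 * decision behind "OpenSSL is not available" and print the reason, so an
 * operator can see whether netty-tcnative is on the classpath before
 * toggling nativeTlsRequired.
 */
public class NativeTlsCheck {

    /**
     * Returns OPENSSL when netty-tcnative loaded, JDK when it did not and
     * native TLS is optional, and fails loudly when native TLS is mandatory
     * but unavailable (the adapter's behaviour with nativeTlsRequired=true).
     */
    static SslProvider chooseSslProvider(boolean nativeTlsRequired) {
        if (OpenSsl.isAvailable()) {
            return SslProvider.OPENSSL;
        }
        Throwable cause = OpenSsl.unavailabilityCause();
        String why = cause == null ? "unknown" : cause.toString();
        if (nativeTlsRequired) {
            // Refuse to start rather than silently fall back to a TLS stack
            // the deployment did not ask for.
            throw new IllegalStateException("OpenSSL is not available: " + why);
        }
        System.err.println("netty-tcnative not loaded (" + why + "), using JDK TLS");
        return SslProvider.JDK;
    }

    public static void main(String[] args) {
        boolean required = args.length > 0 && Boolean.parseBoolean(args[0]);
        System.out.println("netty-tcnative: " + (OpenSsl.isAvailable() ? OpenSsl.versionString() : "not available"));
        System.out.println("chosen provider: " + chooseSslProvider(required));
    }
}
```

Run it with the adapter's own classpath (java -cp <adapter jars> NativeTlsCheck true). The printed cause usually names the missing netty-tcnative-boringssl-static artifact or a native library that does not match the container's libc, which is the information needed to decide between adding the artifact to a custom image and leaving nativeTlsRequired at false.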

cassandra 1.2 error in startup with ssl enabled

I am using Cassandra 1.2 DataStax Community Edition. I am trying to enable the client_encryption_options and the server is not starting up. I am getting the below exception.
cassandra.yaml configuration:
client_encryption_options:
    enabled: true
    keystore: C:/Projects/MainApp/cassandrakeystore.jks
    keystore_password: cassandra
    require_client_auth: true
    # Set truststore and truststore_password if require_client_auth is true
    truststore: C:/Projects/MainApp/cassandratruststore.jks
    truststore_password: cassandra
Exception on startup:
ERROR [main] 2014-07-08 10:41:09,006 CassandraDaemon.java (line 464) Exception encountered during startup
java.lang.RuntimeException: Unable to create thrift socket to localhost/127.0.0.1:9160
at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:267)
at org.apache.cassandra.thrift.TServerCustomFactory.buildTServer(TServerCustomFactory.java:46)
at org.apache.cassandra.thrift.ThriftServer$ThriftServerThread.<init>(ThriftServer.java:105)
at org.apache.cassandra.thrift.ThriftServer.start(ThriftServer.java:52)
at org.apache.cassandra.service.CassandraDaemon.start(CassandraDaemon.java:400)
at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:460)
at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:490)
Caused by: org.apache.thrift.transport.TTransportException: Could not bind to port 9160
at org.apache.thrift.transport.TSSLTransportFactory.createServer(TSSLTransportFactory.java:117)
at org.apache.thrift.transport.TSSLTransportFactory.getServerSocket(TSSLTransportFactory.java:103)
at org.apache.cassandra.thrift.CustomTThreadPoolServer$Factory.buildTServer(CustomTThreadPoolServer.java:257)
... 6 more
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with currently installed providers
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.setEnabledCipherSuites(Unknown Source)
at org.apache.thrift.transport.TSSLTransportFactory.createServer(TSSLTransportFactory.java:113)
... 8 more
At a glance, the following line makes me think you need to install JCE:
Caused by: java.lang.IllegalArgumentException: Cannot support TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with currently installed providers
See: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
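The diagnostic below is an added example, not part of the question or the answer. It asks the JVM that will run Cassandra which TLS cipher suites its installed providers can serve on a server socket and compares that with the suites you intend to enable; a suite missing from the supported list is what produces "Cannot support ... with currently installed providers". The list in WANTED is a constructed sample (the suite from the error plus three neighbours), and the class name is an assumption; the JSSE and JCE calls are standard.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added diagnostic (not from the question or answer): run with the same
 * java binary Cassandra uses and compare the suites you want in
 * client_encryption_options.cipher_suites against what this JVM can serve.
 */
public class CipherSuiteCheck {

    /** Constructed sample: the suite from the error plus three common neighbours. */
    static final List<String> WANTED = Arrays.asList(
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");

    /** Suites the default SSLContext of this JVM can serve on a server socket. */
    static List<String> supported() throws Exception {
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        return Arrays.asList(f.getSupportedCipherSuites());
    }

    /** The subset of wanted suites this JVM cannot serve; empty means the yaml list is safe. */
    static List<String> unsupported(List<String> wanted) throws Exception {
        List<String> sup = supported();
        List<String> missing = new ArrayList<String>();
        for (String s : wanted) {
            if (!sup.contains(s)) {
                missing.add(s);
            }
        }
        return missing;
    }

    /** True if some registered provider implements ECDH key agreement, which every ECDHE suite needs. */
    static boolean hasEcProvider() {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyAgreement", "ECDH") != null) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> wanted = args.length > 0 ? Arrays.asList(args) : WANTED;
        // Two independent prerequisites: an EC provider for ECDHE suites, and the
        // JCE policy limit for AES-256 suites (128 means the limited policy is active).
        System.out.println("java.version=" + System.getProperty("java.version")
                + "  EC provider present=" + hasEcProvider()
                + "  AES max key bits=" + Cipher.getMaxAllowedKeyLength("AES"));
        List<String> missing = unsupported(wanted);
        if (missing.isEmpty()) {
            System.out.println("all " + wanted.size() + " suites usable on this JVM");
        } else {
            System.out.println("not supported here, remove from cipher_suites or fix the JVM: " + missing);
        }
    }
}
```

The two numbers printed first tell the halves apart: the ECDHE_ suites need an elliptic-curve provider (SunEC in Oracle/OpenJDK builds that ship it), while the _AES_256_ suites on Java 7 need the unlimited-strength policy files the answer links to. Whatever remains unsupported can be kept out of the handshake by listing only the usable suites under client_encryption_options.cipher_suites in cassandra.yaml.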

Scriptella: ResourceException with Jaybird

I'm very new to Linux/Java/Scriptella and I'm trying a JDBC connection with Scriptella to a local Firebird database, but I'm receiving the following errors:
2-dic-2013 1.03.34 <INFO> Execution Progress.Initializing properties: 1%
2-dic-2013 1.03.34 <GRAVE> Script /home/maurizio/Scrivania/JATROPHA/applicazioni/prova_per_scriptella.etl execution failed.
javax/resource/ResourceException
2-dic-2013 1.03.34 <GRAVE> Scriptella bug report. Submit to issue tracker.
Scriptella version: 1.1
Exception:
scriptella.execution.EtlExecutorException: javax/resource/ResourceException
at scriptella.execution.EtlExecutor.execute(EtlExecutor.java:190)
at scriptella.tools.launcher.EtlLauncher.execute(EtlLauncher.java:276)
at scriptella.tools.launcher.EtlLauncher.launch(EtlLauncher.java:193)
at scriptella.tools.launcher.EtlLauncher.main(EtlLauncher.java:321)
Caused by: java.lang.NoClassDefFoundError: javax/resource/ResourceException
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:270)
at scriptella.core.DriverFactory.getDriver(DriverFactory.java:53)
at scriptella.core.ConnectionManager.<init>(ConnectionManager.java:70)
at scriptella.core.Session.<init>(Session.java:51)
at scriptella.execution.EtlExecutor.prepare(EtlExecutor.java:248)
at scriptella.execution.EtlExecutor.execute(EtlExecutor.java:178)
... 3 more
Caused by: java.lang.ClassNotFoundException: javax.resource.ResourceException
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
... 10 more
I'm using Ubuntu 10.04 Lucid Lynx.
I start scriptella via console in directory /home/maurizio/Scrivania/JATROPHA/applicazioni/ with the command scriptella/scriptella-1.1/bin/scriptella.sh -debug "prova_per_scriptella.etl"
My ETL file prova_per_scriptella.etl contains the following rows:
<!DOCTYPE etl SYSTEM "http://scriptella.javaforge.com/dtd/etl.dtd">
<etl>
    <description>Prova connessione Firebird</description>
    <connection
        id="fb_destination"
        driver="org.firebirdsql.jdbc.FBDriver"
        url="jdbc:firebirdsql:localhost/3050:/home/maurizio/Scrivania/JATROPHA/db/jatrofa.fdb"
        user="user"
        password="password"
        classpath="/home/maurizio/Scrivania/JATROPHA/applicazioni/jaybird/Jaybird-2.2.3JDK_1.6/jaybird-2.2.3.jar"
    />
</etl>
The env var $_SCRIPTELLA_CP of the batch command scriptella/scriptella-1.1/bin/scriptella.sh results in:
:/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/commons-jexl.jar:
/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/commons-logging.jar:
/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/jaybird-2.2.3.jar:
/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/jsqlparser-0.8.0.jar:
/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/scriptella-core.jar:
/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/scriptella-drivers.jar:
/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/scriptella-tools.jar:
/home/maurizio/Scrivania/JATROPHA/applicazioni/scriptella/scriptella-1.1/lib/sqlsheet-6.5.jar
Any help would be very appreciated.
Thanks in advance.
You are missing the required dependency connector-api-1.5.jar, or you need to use jaybird-full-2.2.3.jar (which includes both the normal Jaybird and connector-api). See the release notes of Jaybird 2.2.3.
The error means that you are probably missing additional J2EE classes on the classpath. Try downloading mini-j2ee.jar from http://www.firebirdsql.org/en/jdbc-driver/ and adding it to the classpath attribute in etl.xml:
classpath="/path/to/mini-j2ee.jar:/home/maurizio/Scrivania/JATROPHA/applicazioni/jaybird/Jaybird-2.2.3JDK_1.6/jaybird-2.2.3.jar"

Setting up inter-node encryption in Cassandra

I am new to Cassandra and looking to setup internode encryption in Cassandra 1.2.8.
I have successfully created a keypair for the keystore and truststore following the steps outlined here:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
In the cassandra.yaml file, I have adjusted the server encryption options to the following:
server_encryption_options:
    internode_encryption: all
    keystore: conf/keystore
    keystore_password: password
    truststore: conf/truststore
    truststore_password: password
However, when I start the Cassandra server, I receive the following error:
ERROR 18:49:20,883 Fatal configuration error
org.apache.cassandra.exceptions.ConfigurationException: Unable to create ssl socket
at org.apache.cassandra.net.MessagingService.getServerSocket(MessagingService.java:410)
at org.apache.cassandra.net.MessagingService.listen(MessagingService.java:390)
at org.apache.cassandra.service.StorageService.joinTokenRing(StorageService.java:589)
at org.apache.cassandra.service.StorageService.initServer(StorageService.java:554)
at org.apache.cassandra.service.StorageService.initServer(StorageService.java:451)
at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:348)
at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:447)
at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:490)
Caused by: java.io.IOException: Error creating the initializing the SSL Context
at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:124)
at org.apache.cassandra.security.SSLFactory.getServerSocket(SSLFactory.java:53)
at org.apache.cassandra.net.MessagingService.getServerSocket(MessagingService.java:406)
... 7 more
Caused by: java.io.FileNotFoundException: conf\truststore\dev (The system cannot find the path specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(Unknown Source)
at java.io.FileInputStream.<init>(Unknown Source)
at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:105)
... 9 more
Unable to create ssl socket
Fatal configuration error; unable to start server. See log for stacktrace.
ERROR 18:49:20,887 Exception in thread Thread[StorageServiceShutdownHook,5,main]
java.lang.NullPointerException
at org.apache.cassandra.service.StorageService.stopRPCServer(StorageService.java:321)
at org.apache.cassandra.service.StorageService.shutdownClientServers(StorageService.java:370)
at org.apache.cassandra.service.StorageService.access$000(StorageService.java:88)
at org.apache.cassandra.service.StorageService$1.runMayThrow(StorageService.java:519)
at org.apache.cassandra.utils.WrappedRunnable.run(WrappedRunnable.java:28)
at java.lang.Thread.run(Unknown Source)
Please note the server runs without issues if the server encryption options is set back to none. Any thoughts/guidance would be appreciated.
Read the exception carefully:
Caused by: java.io.FileNotFoundException: conf\truststore\dev
(The system cannot find the path specified)
You've created the key/trust stores but you haven't pointed Cassandra to them. In cassandra.yaml you need to enable SSL but you also need to specify the path to these two files. E.g.:
server_encryption_options:
    internode_encryption: all
    keystore: C:\some\location
    keystore_password: password
    truststore: C:\some\other\location
    truststore_password: password
Also remember to supply the key/trust store passwords instead of the example in cassandra.yaml.
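The pre-flight check below is an added example, not code from the question, the answer or Cassandra. It resolves the keystore and truststore paths the way a relative path in cassandra.yaml is resolved (against the working directory the daemon starts in), opens both stores with the configured passwords, and verifies that the node's own certificate is accepted by the truststore it will hand to peers. It assumes JKS stores (what keytool produced on Java 6/7 and what Cassandra 1.2 loads), the default paths and password from the question's yaml, and the class name StoreCheck; run it on each node, from the directory Cassandra starts in, against the truststore distributed to the other nodes.

```java
import java.io.DataInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added pre-flight check (not Cassandra's code): open the stores named in
 * cassandra.yaml exactly as the server would and confirm the node's key
 * entry is trusted by the truststore before internode_encryption is turned on.
 */
public class StoreCheck {

    private static final int JKS_MAGIC = 0xFEEDFEED; // leading 4 bytes of every JKS file

    /** Resolve as the server will: absolute stays put, relative is taken from the working directory. */
    static Path resolve(String configured) {
        Path p = Paths.get(configured);
        return p.isAbsolute() ? p : Paths.get(System.getProperty("user.dir")).resolve(p).normalize();
    }

    /** A JKS file without its magic was truncated or re-encoded (e.g. CRLF conversion by a VCS). */
    static boolean looksLikeJks(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            return in.readInt() == JKS_MAGIC;
        }
    }

    static KeyStore load(Path file, char[] password) throws Exception {
        if (!Files.isRegularFile(file)) {
            throw new FileNotFoundException(file + " (check the path in cassandra.yaml)");
        }
        if (!looksLikeJks(file)) {
            throw new IOException(file + ": no JKS magic, not a keystore or damaged in transit");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password); // wrong password: "Keystore was tampered with, or password was incorrect"
        }
        return ks;
    }

    /** Every private-key entry must chain to something in the truststore (self-signed: the cert itself). */
    static boolean trustedByPeer(KeyStore keystore, KeyStore truststore) throws Exception {
        boolean sawKey = false;
        for (String alias : Collections.list(keystore.aliases())) {
            if (!keystore.isKeyEntry(alias)) {
                continue;
            }
            sawKey = true;
            Certificate[] chain = keystore.getCertificateChain(alias);
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            boolean anchored = truststore.getCertificateAlias(top) != null;
            if (!anchored) {
                // Not present verbatim: accept a truststore entry that signed the top of the chain.
                for (String ta : Collections.list(truststore.aliases())) {
                    Certificate cand = truststore.getCertificate(ta);
                    if (cand == null) {
                        continue;
                    }
                    try {
                        top.verify(cand.getPublicKey());
                        anchored = true;
                        break;
                    } catch (Exception notTheSigner) {
                        // try the next trust anchor
                    }
                }
            }
            System.out.printf("key entry %-12s %s%n", alias, anchored ? "trusted by truststore" : "NOT trusted");
            if (!anchored) {
                return false;
            }
        }
        return sawKey; // a keystore with no private key cannot serve TLS at all
    }

    public static void main(String[] args) throws Exception {
        // Defaults mirror the yaml in the question; pass the real values as arguments.
        Path ks = resolve(args.length > 0 ? args[0] : "conf/keystore");
        Path ts = resolve(args.length > 1 ? args[1] : "conf/truststore");
        char[] pw = (args.length > 2 ? args[2] : "password").toCharArray();
        System.out.println("keystore   -> " + ks);
        System.out.println("truststore -> " + ts);
        KeyStore keystore = load(ks, pw);
        KeyStore truststore = load(ts, pw);
        System.out.println(trustedByPeer(keystore, truststore) ? "OK" : "FAIL: export the node cert into the truststore");
    }
}
```

The first two printed lines show the absolute paths the relative yaml entries turn into, which is the quickest way to explain a FileNotFoundException like the one above. The magic-byte check fires before any parsing, so a store that was copied as text (the "Invalid keystore format" seen in the RMI question further down) is reported as damaged rather than as a password problem.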

What do I need to get SSL sockets (SslRMIServerSocketFactory/SslRMIClientSocketFactory)?

Hi, basically I want to get SslRMIServerSocketFactory/SslRMIClientSocketFactory to secure my RMI calls. What is the common way to get these when client authentication is also necessary (keystores, certificates, ..)? What do I need to generate/ship?
edit: I successfully secured the communication now with RMI with server and client authentication and self-signed certificates. This works now on my machine. I submitted the certificates, truststores and keystores to the repository, but it won't work on other machines.
It was suggested that the migration broke the keystore, but I can't figure out why? Does anyone have an idea?
edit: Here is the complete stack trace:
java.rmi.ConnectIOException: Exception creating connection to: localhost; nested exception is:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:614)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at com.uc4.webui.sla.monitoring.SLAMonitoringAccessService.<init>(SLAMonitoringAccessService.java:40)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at org.eclipse.equinox.internal.ds.model.ServiceComponent.createInstance(ServiceComponent.java:457)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.createInstance(ServiceComponentProp.java:264)
at org.eclipse.equinox.internal.ds.model.ServiceComponentProp.build(ServiceComponentProp.java:325)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponent(InstanceProcess.java:588)
at org.eclipse.equinox.internal.ds.InstanceProcess.buildComponents(InstanceProcess.java:196)
at org.eclipse.equinox.internal.ds.Resolver.buildNewlySatisfied(Resolver.java:441)
at org.eclipse.equinox.internal.ds.Resolver.enableComponents(Resolver.java:213)
at org.eclipse.equinox.internal.ds.SCRManager.performWork(SCRManager.java:800)
at org.eclipse.equinox.internal.ds.SCRManager$QueuedJob.dispatch(SCRManager.java:767)
at org.eclipse.equinox.internal.ds.WorkThread.run(WorkThread.java:89)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:192)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:105)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
... 22 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at java.security.Provider$Service.newInstance(Provider.java:1245)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:192)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:102)
... 23 more
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:150)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Provider$Service.newInstance(Provider.java:1221)
... 30 more
My platform is Windows 7 and
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)
Here are the keytool commands which I used for the generation:
keytool -genkeypair -keyalg RSA -validity 3650 -keystore bundlekeystore.jks
keytool -export -keystore bundlekeystore.jks -rfc -file bundlecertificate.cer
keytool -import -file standalonecertificate.cer -keystore truststore.jks
You need to export your remote objects using instances of each of those classes, configured appropriately according to your special requirements about enabled protocols and cipher suites, if any.
Your server needs a private key and signed certificate in its keystore.
If it's a self-signed certificate, it needs to be exported from there and imported into the client's truststore.
Your client needs a private key and signed certificate in its keystore.
If it's a self-signed certificate, it needs to be exported from there and imported into the server's truststore.
If the certificates are signed by a recognized CA you can omit the parts involving truststores.
If your client has any special requirements about protocols or cipher suites it needs to set the system properties described for SslRMIClientSocketFactory.
If you also want a secure Registry you have to take several additional steps which I will post here if you ask, but they are fairly obvious if you have a look at the LocateRegistry.createRegistry()/getRegistry() overloads that take socket factory parameters.
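The server below is an added example, not the answerer's or the asker's code. It carries out the steps the answer lists: the registry and the remote object are both exported with an SslRMIServerSocketFactory that requires a client certificate, and the stub carries an SslRMIClientSocketFactory to the client. Both factories take the key material from the standard javax.net.ssl.* system properties, which is the path the trace above follows (DefaultSSLContextImpl.getDefaultKeyManager reading javax.net.ssl.keyStore), so the store named there must be a loadable JKS. The Echo interface, the class names, the port and the client snippet in the comment are assumptions; the file names in the launch command are the ones from the keytool commands in the question.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/**
 * Added example (not from the question or the answer): an RMI server whose
 * registry and remote object both speak TLS and require a client certificate.
 *
 * Launch (stores are the ones generated in the question; passwords assumed):
 *   java -Djavax.net.ssl.keyStore=bundlekeystore.jks -Djavax.net.ssl.keyStorePassword=changeit \
 *        -Djavax.net.ssl.trustStore=truststore.jks   -Djavax.net.ssl.trustStorePassword=changeit \
 *        SecureRmiServer
 * The client JVM sets the same four properties for ITS keystore (own key + cert
 * the server trusts) and ITS truststore (the server's exported certificate).
 */
public class SecureRmiServer {

    public interface Echo extends Remote {
        String echo(String s) throws RemoteException;
    }

    static class EchoImpl implements Echo {
        public String echo(String s) {
            return "echo:" + s;
        }
    }

    static final int REGISTRY_PORT = 1099; // assumption

    /** Server-side factory: JSSE default suites and protocols, client certificate required. */
    static SslRMIServerSocketFactory serverFactory() {
        // (enabledCipherSuites, enabledProtocols, needClientAuth); null keeps the defaults,
        // a String[] here is where protocol or suite restrictions would go.
        return new SslRMIServerSocketFactory(null, null, true);
    }

    public static void main(String[] args) throws Exception {
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = serverFactory();

        // The registry listens over TLS too, so the lookup is not in the clear and
        // the client must present a certificate even to find the object.
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT, csf, ssf);

        // Port 0: the remote object gets its own anonymous TLS listener with the same factories;
        // the client socket factory is serialised into the stub and travels to the client.
        Echo stub = (Echo) UnicastRemoteObject.exportObject(new EchoImpl(), 0, csf, ssf);
        registry.rebind("echo", stub);
        System.out.println("Echo bound on TLS registry port " + REGISTRY_PORT + ", client auth required");

        // Client side, in another JVM with its own javax.net.ssl.* properties:
        //   Registry r = LocateRegistry.getRegistry("server-host", 1099, new SslRMIClientSocketFactory());
        //   Echo e = (Echo) r.lookup("echo");
        //   System.out.println(e.echo("hi"));
    }
}
```

Because the registry is exported, the JVM stays up after main returns. A client without a key entry the server trusts fails during the registry lookup with a handshake error, which is the intended outcome of needClientAuth=true; a client whose javax.net.ssl.keyStore is not a valid JKS fails before any socket is opened, with the same "Invalid keystore format" chain shown in the question.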
