IBM / Db2

Db2 Universal Container deployment
Apache License 2.0

DB2 is not working over FIPS #43

Open pjgg opened 2 years ago

pjgg commented 2 years ago

I am running an application over the FIPS security protocol, and I am getting the following error from DB2 when I am trying to connect to the database:

Stacktrace:

12:21:05.340 INFO  [app] 12:21:03,833 Datasource 'db2': [jcc][t4][2010][11246][4.29.24] Connection authorization failure occurred.  Reason: Local security service non-retryable error. ERRORCODE=-4214, SQLSTATE=28000
12:21:05.340 INFO  [app] 12:21:03,843 Failed to start application (with profile prod): com.ibm.db2.jcc.am.SqlInvalidAuthorizationSpecException: [jcc][t4][2010][11246][4.29.24] Connection authorization failure occurred.  Reason: Local security service non-retryable error. ERRORCODE=-4214, SQLSTATE=28000
12:21:05.341 INFO  [app]    at com.ibm.db2.jcc.am.b7.a(b7.java:808)
12:21:05.341 INFO  [app]    at com.ibm.db2.jcc.am.b7.a(b7.java:66)
12:21:05.341 INFO  [app]    at com.ibm.db2.jcc.am.b7.a(b7.java:133)
12:21:05.341 INFO  [app]    at com.ibm.db2.jcc.t4.b.f(b.java:2663)
12:21:05.341 INFO  [app]    at com.ibm.db2.jcc.t4.b.b(b.java:2004)
12:21:05.341 INFO  [app]    at com.ibm.db2.jcc.t4.z.r(z.java:961)
12:21:05.341 INFO  [app]    at com.ibm.db2.jcc.t4.z.k(z.java:494)
12:21:05.342 INFO  [app]    at com.ibm.db2.jcc.t4.z.c(z.java:144)
12:21:05.342 INFO  [app]    at com.ibm.db2.jcc.t4.b.k(b.java:1513)
12:21:05.342 INFO  [app]    at com.ibm.db2.jcc.t4.b.b(b.java:1426)
12:21:05.342 INFO  [app]    at com.ibm.db2.jcc.t4.b.a(b.java:6838)
12:21:05.342 INFO  [app]    at com.ibm.db2.jcc.t4.b.b(b.java:947)
12:21:05.343 INFO  [app]    at com.ibm.db2.jcc.t4.b.a(b.java:860)
12:21:05.343 INFO  [app]    at com.ibm.db2.jcc.t4.b.a(b.java:455)
12:21:05.343 INFO  [app]    at com.ibm.db2.jcc.t4.b.a(b.java:428)
12:21:05.343 INFO  [app]    at com.ibm.db2.jcc.t4.b.<init>(b.java:366)
12:21:05.344 INFO  [app]    at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:243)
12:21:05.344 INFO  [app]    at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:200)
12:21:05.344 INFO  [app]    at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:491)
12:21:05.344 INFO  [app]    at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:117)
12:21:05.344 INFO  [app]    at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:204)
12:21:05.344 INFO  [app]    at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:470)
12:21:05.345 INFO  [app]    at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:452)
12:21:05.345 INFO  [app]    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
12:21:05.345 INFO  [app]    at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:68)
12:21:05.345 INFO  [app]    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1126)
12:21:05.345 INFO  [app]    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

Environment: RHEL 8 or Fedora Workstation 32, JDK 11 (OpenJDK)

DB2 was running in a Docker container.

Example:

docker run --name db2 --privileged=true -p 50000:50000 -e LICENSE=accept -e DB2INST1_PASSWORD=test -e DB2INSTANCE=test -e DBNAME=amadeus -e AUTOCONFIG=false -e ARCHIVE_LOGS=false -v /tmp:/database ibmcom/db2

The same app/DB2 setup is running as expected without FIPS.

rsvoboda commented 2 years ago

Please provide details on how FIPS is configured; not many people may know that topic in detail.

pjgg commented 2 years ago

You can install FIPS by running the following script:

#!/bin/bash

# Read the kernel FIPS flag (0 = disabled, 1 = enabled); tr strips the
# "crypto.fips_enabled = " prefix so only the digit remains.
fips_enabled=$(sysctl crypto.fips_enabled | tr -dc '0-9')

if [ "$fips_enabled" -eq 0 ]
then
    # If the prelink package is installed: disable prelinking and undo
    # existing prelinks, since prelinked binaries break FIPS integrity checks
    rpm -q prelink && sed -i '/^PRELINKING/s,yes,no,' /etc/sysconfig/prelink
    rpm -q prelink && prelink -uav
    # Enable FIPS (takes effect after reboot)
    fips-mode-setup --enable
    echo "The system must be rebooted in order to apply the changes"
else
    echo "FIPS is already enabled"
fi

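
A verification script, added here as an example and not part of the issue thread or of the Db2 project: the enable script above only switches FIPS on, and the change takes effect after a reboot, so before reporting "FIPS is configured" it is worth confirming that the kernel flag and the system-wide crypto policy both say so on the host where the application runs. The function names (`fips_state`, `crypto_policy`, `fips_active`, `fips_report`) are my own; the default file paths are the ones RHEL 8 uses for the kernel FIPS flag and for the active crypto-policy name, and both can be overridden with arguments so the functions can be exercised on constructed files.

```shell
#!/bin/bash
# Added example: report whether FIPS mode is actually in force on this host.
# Function names are hypothetical; paths are the RHEL 8 defaults and can be
# overridden so the checks can be run against constructed sample files.

# fips_state [FLAG_FILE]
# Prints "enabled", "disabled" or "unknown" from the kernel flag
# (/proc/sys/crypto/fips_enabled is what `sysctl crypto.fips_enabled` reads).
fips_state() {
    local flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    local value=""
    if [ -r "$flag_file" ]; then
        value=$(tr -dc '0-9' < "$flag_file")
    fi
    case "$value" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# crypto_policy [POLICY_FILE]
# Prints the active system-wide crypto policy name ("FIPS", "DEFAULT", ...),
# taken from the first non-comment, non-blank line of the policy config;
# "unknown" if the file is missing or empty.
crypto_policy() {
    local policy_file="${1:-/etc/crypto-policies/config}"
    local name=""
    if [ -r "$policy_file" ]; then
        name=$(awk '!/^[[:space:]]*#/ && NF { print $1; exit }' "$policy_file")
    fi
    echo "${name:-unknown}"
}

# fips_active [FLAG_FILE] [POLICY_FILE]
# Exit status 0 only when the kernel flag AND the crypto policy both say FIPS;
# a kernel flag of 1 with a DEFAULT policy (or the reverse) is a half-applied
# configuration and is reported as not in force.
fips_active() {
    [ "$(fips_state "$1")" = "enabled" ] && [ "$(crypto_policy "$2")" = "FIPS" ]
}

# fips_report [FLAG_FILE] [POLICY_FILE]
# One-line summary suitable for pasting into a bug report.
fips_report() {
    local verdict="not in force"
    if fips_active "$1" "$2"; then
        verdict="in force"
    fi
    echo "kernel fips_enabled=$(fips_state "$1") crypto-policy=$(crypto_policy "$2") => FIPS $verdict"
}

# Report on the current host when run as a script.
fips_report
```

Run it once on the host and, if the application is itself containerised, once inside that container: the kernel flag is shared with the host, but the crypto-policy file (and therefore what OpenJDK picks up from it) belongs to the container image, so the two reports can legitimately differ.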
pjgg commented 2 years ago

db2:11.5.7.0 / latest is still failing with the same error.

Any tips from DB2 on how to handle this issue, or on how to deal with the DB2 Docker container over FIPS?

JiriOndrusek commented 3 months ago

Hi @pjgg @rsvoboda, is there any news on this topic? I can see the same problem with ibmcom/db2:11.5.9.0.

rsvoboda commented 3 months ago

@michalvavrik is looking into that; only small progress after several days. We would need somebody from IBM to help here.