Open benzim opened 2 years ago
I still see the issue on WLP version 22.0.0.3, but only when running inside of a Kubernetes pod with FIPS enabled. This issue only appears to happen inside of a Kubernetes pod and works as expected outside of it. The following configuration was used:
server.xml
<keyStore id="defaultKeyStore" location="/usr/operational-cache/wlp/usr/servers/mdm-server/nss-client.cfg" type="PKCS11" fileBased="false" provider="SunPKCS11" password="${env.WLP_KEYSTORE_PASS}"/>
nss-client.cfg
name = nss-clients
nssLibraryDirectory = /lib64
nssSecmodDirectory = /tmp/fips/keystore
nssDbMode = readWrite
nssModule = fips
attributes=compatibility
showInfo=true
keystore directory
sh-4.4$ ls /tmp/fips/keystore
cert8.db key3.db secmod.db
environment variables
NSS_DEFAULT_DB_TYPE=dbm
NSS_CONFIG_FILE=/usr/operational-cache/wlp/usr/servers/mdm-server/nss-client.cfg
trace output from host machine
[5/11/22 9:17:20:771 PDT] 0000001c SystemOut O NSS modules: [NSS Internal FIPS PKCS #11 Module (FIPS, /lib64/libsoftokn3.so, slot 0)]
[5/11/22 9:17:20:773 PDT] 0000001c SystemOut O Information for provider SunPKCS11-nss-client
[5/11/22 9:17:20:773 PDT] 0000001c SystemOut O Library info:
[5/11/22 9:17:20:780 PDT] 0000001c SystemOut O cryptokiVersion: 2.40
manufacturerID: Mozilla Foundation
flags: 0
libraryDescription: NSS Internal Crypto Services
libraryVersion: 3.67
[5/11/22 9:17:20:780 PDT] 0000001c SystemOut O All slots: 3
[5/11/22 9:17:20:780 PDT] 0000001c SystemOut O Slots with tokens: 3
[5/11/22 9:17:20:781 PDT] 0000001c SystemOut O Slot info for slot 3:
[5/11/22 9:17:20:781 PDT] 0000001c SystemOut O slotDescription: NSS FIPS 140-2 User Private Key Services
manufacturerID: Mozilla Foundation
flags: CKF_TOKEN_PRESENT
hardwareVersion: 3.67
firmwareVersion: 0.00
[5/11/22 9:17:20:789 PDT] 0000001c SystemOut O Token info for token in slot 3:
[5/11/22 9:17:20:789 PDT] 0000001c SystemOut O label: NSS FIPS 140-2 Certificate DB
manufacturerID: Mozilla Foundation
model: NSS 3
serialNumber: 0000000000000000
[5/11/22 9:17:20:890 PDT] 0000001c com.ibm.ws.ssl.config.WSKeyStore I Successfully loaded default keystore: /usr/operational-cache/wlp/usr/servers/mdm-server/nss-client.cfg of type: PKCS11
[5/11/22 9:17:21:302 PDT] 00000013 com.ibm.ws.security.jaspi.AuthConfigFactoryWrapper I CWWKS1655I: The default Java Authentication SPI for Containers (JASPIC) AuthConfigFactory class com.ibm.ws.security.jaspi.ProviderRegistry is being used because the Java security proper
trace output from pod container
[ERROR ] CWPKI0814E: An error while initializing hardware keystore [defaultKeyStore]. Check the hardware configuration /usr/operational-cache/wlp/usr/servers/mdm-server/nss-client.cfg file to be sure the attributes are set correctly. Exception returned from the provider is Secmod directory /staging/operational-cache/keystore invalid, NSS already initialized with sql:/etc/pki/nssdb.
One thing I noticed is that it appears as though the default java.security (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.332.b09-2.el8_6.x86_64/jre/lib/security/java.security) properties are being used instead of what is defined in the Liberty keystore properties.
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.332.b09-2.el8_6.x86_64/jre/lib/security/java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Security providers used when global crypto-policies are set to FIPS.
#
fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
fips.provider.2=sun.security.provider.Sun
fips.provider.3=sun.security.ec.SunEC
fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.332.b09-2.el8_6.x86_64/jre/lib/security/nss-fips.cfg
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
The trace log for the pod with the error has been provided below:
Not sure if it is still relevant, but https://openliberty.io/docs/latest/enable-fips.html suggests using provider="SunPKCS11-NSS-FIPS", which works for me when running natively on RHEL 8.6 and using /etc/pki/nssdb.
Describe the bug
The keystore entry in our server.xml is
During initialization, we are seeing this error
Steps to Reproduce
Set NSS database as PKCS11 keystore
Expected behavior
I expect WLP to use the NSS database as the keystore without any errors.
Diagnostic information: