ibm-mas / ansible-devops

Ansible collection supporting devops for IBM Maximo Application Suite
https://ibm-mas.github.io/ansible-devops/
Eclipse Public License 2.0

IBM UDS fails to deploy on OpenShift 4.10 in FIPS mode. #825

Closed 01000101 closed 1 year ago

01000101 commented 1 year ago

Versions

OpenShift 4.10.59 (FIPS enabled)
IBM CPFS Operator 3.23.3
Crunchy Postgres Operator 5.3.0
IBM User Data Services Operator 2.0.10

Problem statement

I'm trying to deploy IBM UDS via the CPFS Operand, but it fails in FIPS mode. Initially, it fails in the Pod/store-api-deployment (init container pem-to-keystore) due to password-based encryption (PBE) being used, which is not supported in FIPS mode. This can be worked around by tricking keytool into bypassing FIPS restrictions (unacceptable in the real world, but fine for testing). After working around that issue, another, more blocking, issue in the main container (store-api) shows up regarding the connection to PostgreSQL.

Diagnostics / logs

Log snippet from Pod/store-api-deployment (pem-to-keystore)

Importing keystore /var/run/secrets/java.io/keystores/keystore.pkcs12 to /var/run/secrets/java.io/keystores/keystore.jks...
keytool error: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available

The workaround for the above is to add -J-Dcom.redhat.fips=false into Deployment/store-api-deployment where the init-container command is keytool -importkeystore -noprompt ... and letting it reconcile.

Log snippet from Pod/store-api-deployment (store-api)

org.postgresql.util.PSQLException: Could not initialize SSL context.
...
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
at java.base/sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:167) ~[na:na]
at java.base/sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:83) ~[na:na]
at java.base/javax.net.ssl.SSLContext.init(SSLContext.java:297) ~[na:na]
at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:186) ~[postgresql-42.4.1.jar!/:42.4.1]
... 59 common frames omitted
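The keytool workaround above (passing -J-Dcom.redhat.fips=false) is something a cluster owner would want to catch before it reaches a production namespace, since it silently turns off the JVM's FIPS alignment for that process. The following is an added example, not code from the ansible-devops project or from either commenter: a small audit that walks a Deployment manifest and reports every container or initContainer that hands the flag to a JVM, whether as a keytool -J argument, a java -D system property inside a command or args list, or through one of the JVM option environment variables. The manifest and its values below are constructed for the example.

```python
"""Audit Kubernetes workload manifests for the com.redhat.fips=false JVM bypass.

Added example (not the ansible-devops project's own code). It assumes the
usual apps/v1 manifest layout (spec.template.spec.containers) and treats a
bare Pod (spec.containers) the same way.
"""
import re
from dataclasses import dataclass

# JVM system property that switches off FIPS alignment in Red Hat OpenJDK.
# keytool forwards it to the JVM via -J, so both forms share this substring.
FIPS_BYPASS = re.compile(r"-Dcom\.redhat\.fips=false")

# Environment variables the JVM reads for extra command-line options.
JVM_OPTION_ENVS = {"JAVA_TOOL_OPTIONS", "_JAVA_OPTIONS", "JDK_JAVA_OPTIONS"}


@dataclass(frozen=True)
class Finding:
    container: str  # container name
    kind: str       # "initContainers" or "containers"
    location: str   # "command", "args" or "env:<VARIABLE>"
    value: str      # the offending token or env value


def find_fips_bypass(manifest: dict) -> list:
    """Return one Finding per place where a container passes the bypass flag to a JVM."""
    spec = manifest.get("spec", {})
    # Deployment/StatefulSet/Job wrap the pod spec in spec.template; a Pod does not.
    pod_spec = spec.get("template", {}).get("spec", spec)
    findings = []
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind) or []:
            name = container.get("name", "<unnamed>")
            # Direct command-line use, including shell-wrapped "sh -c '...'" strings.
            for location in ("command", "args"):
                for token in container.get(location) or []:
                    if FIPS_BYPASS.search(str(token)):
                        findings.append(Finding(name, kind, location, str(token)))
            # Indirect use through the JVM's option environment variables.
            for env in container.get("env") or []:
                value = str(env.get("value", ""))
                if env.get("name") in JVM_OPTION_ENVS and FIPS_BYPASS.search(value):
                    findings.append(Finding(name, kind, f"env:{env['name']}", value))
    return findings


# Constructed sample: a Deployment shaped like the one in the issue, with the
# keytool workaround in the init container and the same flag set via env in
# the main container. The sidecar is clean and must not be reported.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "store-api-deployment"},
    "spec": {"template": {"spec": {
        "initContainers": [{
            "name": "pem-to-keystore",
            "command": ["keytool", "-importkeystore", "-noprompt",
                        "-J-Dcom.redhat.fips=false",
                        "-srckeystore", "/var/run/secrets/java.io/keystores/keystore.pkcs12",
                        "-destkeystore", "/var/run/secrets/java.io/keystores/keystore.jks"],
        }],
        "containers": [
            {"name": "store-api",
             "env": [{"name": "JAVA_TOOL_OPTIONS",
                      "value": "-Dcom.redhat.fips=false -Xmx512m"}]},
            {"name": "sidecar", "args": ["--port=8080"]},
        ],
    }}},
}


def report(manifest: dict) -> str:
    """Human-readable summary, one line per finding (empty string when clean)."""
    lines = [f"{f.kind}/{f.container} {f.location}: {f.value}"
             for f in find_fips_bypass(manifest)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DEPLOYMENT) or "no FIPS bypass found")
```

Running the file prints the two findings from the constructed manifest (the init container's command token and the store-api JAVA_TOOL_OPTIONS value) and nothing for the sidecar. The same function can be fed the output of `oc get deployment store-api-deployment -o json` after `json.load`, which is how a CI step or a periodic cluster scan would use it.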

whitfiea commented 1 year ago

@01000101 Thanks for the issue. At the moment UDS is not supported running in FIPS mode. The recommendation for FIPS mode is to install SUDS (slim user data services) which is basically no UDS at all (but still provides a bascfg to allow the MAS suite to continue). This can be installed by setting the install_suds on the uds_action https://ibm-mas.github.io/ansible-devops/roles/uds/#uds_action.

For the MAS Suite to run in FIPS mode you would have to install using the latest catalog (May 18th) that has MAS 8.10.1 available.