wildfly 8.1 TLS with BC provider - not working
talim Dec 3, 2014 10:28 AM
Hi,
I want to use the BouncyCastle provider instead of Sun. I use Java 8u25 (Oracle) at the moment, WildFly 8.1; the operating system is Ubuntu.
I do this because I have to use Brainpool curves, which are not supported in SunEC. (All that I describe below already works with NIST curves and the Sun provider!)
I configured a new security realm as follows:
<security-realm name="InternetAccessRealm">
    <server-identities>
        <ssl>
            <keystore path="keystore_ssl/keystore_pki_vvs_ECC.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="subcaws.smartenergy.tec-saar.de"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="keystore_ssl/truststore_pki_vvs_ECC.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
    </authentication>
</security-realm>
I added an interface and a connector; all works fine.
Now let's try with the BouncyCastle provider.
BC (1.50on) comes with WildFly 8.1; I updated this to the BC 1.51on version.
I also added the BC provider to the JRE by updating java.security:
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider BC
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
As you can see, I also added BC to security.provider.5: security.provider.5=com.sun.net.ssl.internal.ssl.Provider BC
1) Now the first start of WildFly, and an error occurred:
15:17:48,456 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017531: Host default-host starting
15:17:48,466 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) JBAS017519: Undertow HTTP listener default listening on /127.0.0.1:28080
15:17:49,145 INFO [stdout] (MSC service thread 1-2) adding as trusted cert:
15:17:49,150 INFO [stdout] (MSC service thread 1-2) Subject: CN=SEN Test RootCA, O=SM-PKI, C=DE, SERIALNUMBER=0
15:17:49,153 INFO [stdout] (MSC service thread 1-2) Issuer: CN=SEN Test RootCA, O=SM-PKI, C=DE, SERIALNUMBER=0
15:17:49,154 INFO [stdout] (MSC service thread 1-2) Algorithm: EC; Serial number: 0x21286a2f3e8c6745
15:17:49,166 INFO [stdout] (MSC service thread 1-2) Valid from Tue Sep 09 11:22:09 CEST 2014 until Fri Sep 09 11:22:09 CEST 2022
15:17:49,172 INFO [stdout] (MSC service thread 1-2)
15:17:49,241 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-2) JBAS015012: Started FileSystemDeploymentService for directory /home/ejbca/wildfly/standalone/deployments
15:17:49,246 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: JBAS015229: Unable to start service
at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:90)
at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:121)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BC
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67) [jsse.jar:1.8.0_25]
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) [rt.jar:1.8.0_25]
at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:122)
at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:84)
... 6 more
15:17:49,435 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
-> Let's say that's no problem; I changed the JKS keystores to BKS keystores (the native BC keystore format).
2) Second start:
15:29:40,961 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017519: Undertow HTTP listener default listening on /127.0.0.1:28080
15:29:41,214 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: JBAS015229: Unable to start service
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)
at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650) [rt.jar:1.8.0_25]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.8.0_25]
at java.security.KeyStore.load(KeyStore.java:1433) [rt.jar:1.8.0_25]
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113)
... 6 more
15:29:41,299 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015876: Starting deployment of "CertManagementService.war" (runtime-name: "CertManagementService.war")
15:29:41,324 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-1) JBAS015012: Started FileSystemDeploymentService for directory /home/ejbca/wildfly/standalone/deployments
15:29:41,658 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.trust-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.trust-manager: JBAS015229: Unable to start service
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)
at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:107)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650) [rt.jar:1.8.0_25]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.8.0_25]
at java.security.KeyStore.load(KeyStore.java:1433) [rt.jar:1.8.0_25]
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113)
... 6 more
15:29:42,081 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
It seems the Undertow HTTP listener is not aware of the change of provider to BC, because now it gets into trouble with the BKS stores.
--> After changing 5. to security.provider.5=com.sun.net.ssl.internal.ssl.Provider, so that no BC provider is used, I got the expected problem while establishing the TLS connection:
16:03:47,877 INFO [stdout] (default I/O-1) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
16:03:47,882 INFO [stdout] (default I/O-1) Compression Methods: { 0 }
16:03:47,884 INFO [stdout] (default I/O-1) default I/O-1, fatal error: 80: problem unwrapping net record
16:03:47,885 INFO [stdout] (default I/O-1) java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
16:03:47,885 INFO [stdout] (default I/O-1) default I/O-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
16:03:47,886 INFO [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Alert, length = 2
16:03:47,887 INFO [stdout] (default I/O-1) [Raw write]: length = 7
16:03:47,888 INFO [stdout] (default I/O-1) 0000: 15 03 03 00 02 02 50 ......P
16:03:47,889 INFO [stdout] (default I/O-1) default I/O-1, called closeOutbound()
I also tried to start patching the Sun provider to let it know the BC curve parameters and so on, but at the moment I think it can't be that much of a problem to use the BC provider.
Any ideas? Perhaps I started the wrong way?
Sascha
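The three errors in the post (KeyStore must be from provider BC, Invalid keystore format, EC AlgorithmParameters not available) are all questions of which JCA provider answers a given lookup and which keystore implementation opens a given file. The following diagnostic is an added example, not code from the post or from WildFly; it assumes the bcprov jar is on the classpath, and the class name ProviderCheck and the optional command-line arguments (keystore path and password) are assumptions for illustration. Running it against the same JRE and java.security file that WildFly uses shows, before the server is started, which provider serves EC parameters, whether a Brainpool curve is reachable through the default lookup and through BC explicitly, and whether a keystore file is really JKS, BKS or PKCS12.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.AlgorithmParameters;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added diagnostic (not from the original post). Reports which provider
 * answers the lookups SunJSSE and the WildFly security realm make.
 * Usage: java ProviderCheck [keystorePath keystorePassword]
 */
public class ProviderCheck {

    public static void main(String[] args) throws Exception {
        // Register BC programmatically in case java.security did not already list it.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }

        System.out.println("== installed providers, in lookup order ==");
        for (Provider p : Security.getProviders()) {
            System.out.printf("%s %s%n", p.getName(), p.getVersion());
        }

        // 1) SunJSSE needs "EC" AlgorithmParameters for the ECDHE/ECDSA suites.
        //    Show which provider, if any, serves that lookup with this provider order.
        try {
            AlgorithmParameters ecParams = AlgorithmParameters.getInstance("EC");
            System.out.println("AlgorithmParameters.EC served by: " + ecParams.getProvider().getName());
        } catch (Exception e) {
            System.out.println("AlgorithmParameters.EC not available: " + e);
        }

        // 2) Brainpool: default lookup versus an explicit request to BC, with a NIST curve as control.
        checkCurve("brainpoolP256r1", null);
        checkCurve("brainpoolP256r1", "BC");
        checkCurve("secp256r1", null);

        // 3) Keystore format: try each type the realm might be expected to load.
        if (args.length == 2) {
            probeKeystore(args[0], args[1].toCharArray());
        }
    }

    /** Tries to generate a key pair on the named curve; null provider means default JCA lookup. */
    static void checkCurve(String curve, String provider) {
        String label = provider == null ? "default" : provider;
        try {
            KeyPairGenerator kpg = provider == null
                    ? KeyPairGenerator.getInstance("EC")
                    : KeyPairGenerator.getInstance("EC", provider);
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            System.out.printf("%s via %s: OK (served by %s)%n", curve, label, kpg.getProvider().getName());
        } catch (Exception e) {
            // SunEC in JDK 8 rejects Brainpool names here; BC accepts them.
            System.out.printf("%s via %s: FAIL (%s)%n", curve, label, e);
        }
    }

    /**
     * JKS is served by the SUN provider, BKS by BC. The "Invalid keystore format" in the
     * post comes from sun.security.provider.JavaKeyStore$JKS, i.e. a JKS loader was
     * applied to a file that is not JKS. This shows which type the file really is.
     */
    static void probeKeystore(String path, char[] password) {
        String[][] candidates = { {"JKS", "SUN"}, {"BKS", "BC"}, {"PKCS12", null} };
        for (String[] c : candidates) {
            try (InputStream in = new FileInputStream(path)) {
                KeyStore ks = c[1] == null
                        ? KeyStore.getInstance(c[0])
                        : KeyStore.getInstance(c[0], c[1]);
                ks.load(in, password);
                System.out.printf("%s loads as %s via %s (%d entries)%n",
                        path, c[0], ks.getProvider().getName(), ks.size());
            } catch (Exception e) {
                System.out.printf("%s is not %s: %s%n", path, c[0], e.getMessage());
            }
        }
    }
}
```

The ordering printed in the first block is the one that matters for the post: a default `getInstance("EC")` picks the first provider in java.security that registers that service, so moving BC to position 2 changes who answers every EC lookup made by SunJSSE and by the realm, not only the keystore ones.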