3 Replies Latest reply on Nov 13, 2017 12:37 PM by Laura O'Donnell

    FIPS compliant SSL w/ BC-FIPS and Linux

    Laura O'Donnell Newbie

      The task that will not end.

      I have configured our application to use BC-FIPS provider.  I have managed to configure and run the application on a windows environment.

      I've gone through the same configuration and setup on a linux environment and I'm having issues.

      When I start the server, wildfly doesn't start.  I'm not getting any errors, it just appears to hang.  I need some suggestions on what to do the debug this, find out where its hanging.

       

       

      The following are the instructions I created to configure wildfly using the CLI (in case there is something wrong that just still works with windows):

       

      /core-service=management/security-realm=https:add()

      /core-service=management/security-realm=https/authentication=truststore:add(keystore-path=<path>.truststore, keystore-provider=BCFKS, keystore-password=${env.KEYSTORE_PASSWORD}, keystore-relative-to=jboss.server.config.dir)

      /core-service=management/security-realm=https/server-identity=ssl:add(keystore-path=<path.ext>, keystore-provider=BCFKS, keystore-password=${env.KEYSTORE_PASSWORD}, keystore-relative-to=jboss.server.config.dir, enabled-protocols=["TLSv1.2"])

      /core-service=management/security-realm=HTTPSRealm/server-identity=ssl:write-attribute(name=enabled-cipher-suites, value=[SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA])

      /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=https, enable-http2=true, max-post-size=10737418240, enabled-protocols="TLSv1.2")

      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enabled-cipher-suites,value="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA")

        • 1. Re: FIPS compliant SSL w/ BC-FIPS and Linux
          Martin Choma Expert

          Try to set detailed server logging .

           

          For example for logging security configure

          /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)

          /subsystem=logging/logger=org.jboss.security:add(level=ALL)

          /subsystem=logging/logger=org.jboss.as.security:add(level=ALL)

          /subsystem=logging/logger=org.picketbox:add(level=ALL)

          /subsystem=logging/logger=org.apache.catalina.authenticator:add(level=ALL)

          /subsystem=logging/logger=org.jboss.as.web.security:add(level=ALL)

          /subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)

          /subsystem=logging/logger=org.wildfly.security:add(level=ALL)

          /subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)

           

           

          • 2. Re: FIPS compliant SSL w/ BC-FIPS and Linux
            Martin Choma Expert

            Also when it really hangs, take threaddump to see where is it stucked.

             

            Once I saw security code was stucked on reading from random device. Does  cat /dev/random hangs on your system?

            • 3. Re: FIPS compliant SSL w/ BC-FIPS and Linux
              Laura O'Donnell Newbie

              cat /dev/random seems to hang.

              I typed cat /dev/random and is seems to spew garbage characters to screen.  I left it for a couple minutes.  It never goes back to cursor.  It seems like its looking for input, but typing doesn't get it to terminate or generate anything more.  I've done ctrl -C to get the cursor back 

              Also, I'm using bitvise xterm to connect.   If you wait after you enter the command, it seems to keep generating characters, when it does, the xterm prints at the top Decoder: invalid UTF-8 lead byte.