-
1. Re: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used:
jewellgm Nov 9, 2017 1:33 PM (in response to longshot)
The TrustManager that the Oracle JRE uses is specified in %JAVA_HOME%\lib\security\java.security (or %JAVA_HOME%\jre\lib\security\java.security if you are using the JDK). Look for the property "ssl.TrustManagerFactory.algorithm". I think the default value is "PKIX". Try setting it to "SunX509" and see if that makes a difference. If you are running on the IBM JRE/JDK, I don't know if it is configured the same way.
-
2. Re: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used:
jewellgm Nov 9, 2017 1:35 PM (in response to jewellgm)
I just found this, too. The last comment, in particular, may be helpful to you.
-
3. Re: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used:
longshot Nov 9, 2017 2:13 PM (in response to jewellgm)
I tried what was listed for JBEAP-3788. But on looking further, this LOOKS like it works only with an additional code change in wildfly-core, which was made in 2.1.0 Final I believe, and WildFly 9.0.2 uses 1.0.1.
-
4. Re: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used:
longshot Nov 9, 2017 2:19 PM (in response to jewellgm)
No change
-
5. Re: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used:
mchoma Nov 10, 2017 2:24 AM (in response to longshot)
The issue is raised with PKCS11 in mind. However, I believe it also applies to your case - BC FIPS.
There is a workaround described - use the properties -Djavax.net.ssl.* for jboss-cli. However, this situation is properly resolved in WildFly 11 with Elytron. So if that is an option for you, I really recommend migrating.
Btw. the property -Djboss.as.management.security.disable-dynamic-trust-manager is helpful where WildFly acts as a client - e.g. master-slave communication.
-
6. Re: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used:
longshot Nov 10, 2017 7:41 AM (in response to mchoma)
Thank you. This worked!
We will be upgrading Wildfly but not in the timeframe I need to have our application be FIPS compliant. Thank you very much.
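
An added diagnostic for the error discussed in this thread (not posted by any participant and not WildFly code): it prints the `ssl.TrustManagerFactory.algorithm` setting and the `javax.net.ssl.trustStore` value the JVM actually sees, then shows which class implements each TrustManager the default factory returns, next to a wrapper around it, since the exception message says only SunJSSE TrustManagers are accepted in FIPS mode. The class names `TrustManagerCheck` and `DelegatingTrustManager` are hypothetical, and the `sun.security.ssl` package check assumes an Oracle/OpenJDK runtime.

```java
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (not WildFly code). Run it on the same JVM, with the same
// java.security file and -Djavax.net.ssl.* options, as the failing client.
public class TrustManagerCheck {

    // Hypothetical wrapper standing in for any application-supplied trust manager.
    static final class DelegatingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        DelegatingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkServerTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // Assumption: on Oracle/OpenJDK the SunJSSE implementation classes live in sun.security.ssl.
    static boolean isSunJsseImpl(TrustManager tm) {
        return tm.getClass().getName().startsWith("sun.security.ssl.");
    }

    static void report(String label, TrustManager tm) {
        System.out.printf("%-9s %-55s SunJSSE implementation: %b%n",
                label, tm.getClass().getName(), isSunJsseImpl(tm));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("ssl.TrustManagerFactory.algorithm = "
                + Security.getProperty("ssl.TrustManagerFactory.algorithm"));
        System.out.println("javax.net.ssl.trustStore          = "
                + System.getProperty("javax.net.ssl.trustStore"));
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store (javax.net.ssl.trustStore*)
        System.out.println("TrustManagerFactory provider      = " + tmf.getProvider().getName());
        for (TrustManager tm : tmf.getTrustManagers()) {
            report("factory:", tm);
            if (tm instanceof X509TrustManager) {
                report("wrapped:", new DelegatingTrustManager((X509TrustManager) tm));
            }
        }
    }
}
```

A "wrapped" line reporting `false` is the kind of TrustManager a FIPS-mode SunJSSE context refuses, which is why the workaround supplies trust material through `-Djavax.net.ssl.*` properties instead of a custom TrustManager.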