2 Replies Latest reply on Dec 5, 2014 6:34 AM by Sascha Kopp

    wildfly 8.1 TLS with BC provider - not working

    Sascha Kopp Newbie

      Hi,

      I wanne use Bouncycastle provider instead of sun. I use java8u25 (oracle) at the moment, wildfly8.1 - operation system is ubunutu.

      I do this because I has to use Brainpool curves, which are not supportet in sunce. (ALL this i discribe below works already with NIST-Curves and sun-Provider !)

       

      I configured a new security-realm as follows:

       

                  <security-realm name="InternetAccessRealm">

                      <server-identities>

                          <ssl>

                              <keystore path="keystore_ssl/keystore_pki_vvs_ECC.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="subcaws.smartenergy.tec-saar.de"/>

                          </ssl>

                      </server-identities>

                      <authentication>

                          <truststore path="keystore_ssl/truststore_pki_vvs_ECC.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>

                      </authentication>

                  </security-realm>

       

      i add a interface and a connector - all works fine.

       

      Now lets try with BouncyCastle Provider.

       

      BC (1.50on) comes with wildfy8.1, i updated this to BC 1.51on Version.

       

      also i add BC provider to JRE, by updating java.security:

       

      security.provider.1=sun.security.provider.Sun

      security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider

      security.provider.3=sun.security.rsa.SunRsaSign

      security.provider.4=sun.security.ec.SunEC

      security.provider.5=com.sun.net.ssl.internal.ssl.Provider BC

      security.provider.6=com.sun.crypto.provider.SunJCE

      security.provider.7=sun.security.jgss.SunProvider

      security.provider.8=com.sun.security.sasl.Provider

      security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI

      security.provider.10=sun.security.smartcardio.SunPCSC

       

      also you can see, I added BC to security.provider.5: to security.provider.5=com.sun.net.ssl.internal.ssl.Provider BC

       

      1) Now first start of wildfly and an error occured:

       

      15:17:48,456 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017531: Host default-host starting

      15:17:48,466 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) JBAS017519: Undertow HTTP listener default listening on /127.0.0.1:28080

      15:17:49,145 INFO  [stdout] (MSC service thread 1-2) adding as trusted cert:

      15:17:49,150 INFO  [stdout] (MSC service thread 1-2)   Subject: CN=SEN Test RootCA, O=SM-PKI, C=DE, SERIALNUMBER=0

      15:17:49,153 INFO  [stdout] (MSC service thread 1-2)   Issuer:  CN=SEN Test RootCA, O=SM-PKI, C=DE, SERIALNUMBER=0

      15:17:49,154 INFO  [stdout] (MSC service thread 1-2)   Algorithm: EC; Serial number: 0x21286a2f3e8c6745

      15:17:49,166 INFO  [stdout] (MSC service thread 1-2)   Valid from Tue Sep 09 11:22:09 CEST 2014 until Fri Sep 09 11:22:09 CEST 2022

      15:17:49,172 INFO  [stdout] (MSC service thread 1-2)

      15:17:49,241 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-2) JBAS015012: Started FileSystemDeploymentService for directory /home/ejbca/wildfly/standalone/deployments

      15:17:49,246 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: JBAS015229: Unable to start service

              at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:90)

              at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:121)

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

      Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BC

              at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67) [jsse.jar:1.8.0_25]

              at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) [rt.jar:1.8.0_25]

              at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:122)

              at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:84)

              ... 6 more

      15:17:49,435 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]

       

      -> let say not Problem, i changed jks-Keystores to bks keystore (native BC keystore format)

       

      2) secound start:

      15:29:40,961 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017519: Undertow HTTP listener default listening on /127.0.0.1:28080

      15:29:41,214 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: JBAS015229: Unable to start service

              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)

              at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

      Caused by: java.io.IOException: Invalid keystore format

              at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650) [rt.jar:1.8.0_25]

              at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.8.0_25]

              at java.security.KeyStore.load(KeyStore.java:1433) [rt.jar:1.8.0_25]

              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113)

              ... 6 more

       

       

      15:29:41,299 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015876: Starting deployment of "CertManagementService.war" (runtime-name: "CertManagementService.war")

      15:29:41,324 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-1) JBAS015012: Started FileSystemDeploymentService for directory /home/ejbca/wildfly/standalone/deployments

      15:29:41,658 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.trust-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.trust-manager: JBAS015229: Unable to start service

              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)

              at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:107)

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

      Caused by: java.io.IOException: Invalid keystore format

              at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650) [rt.jar:1.8.0_25]

              at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.8.0_25]

              at java.security.KeyStore.load(KeyStore.java:1433) [rt.jar:1.8.0_25]

              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113)

              ... 6 more

       

       

      15:29:42,081 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]

       

       

      it seems to be the undertow HTTP listener is not aware of changing Provider to BC - because now he gets trouble with bks-Stores.

       

       

      -->

      after changing 5. to security.provider.5=com.sun.net.ssl.internal.ssl.Provider

      so that no BC provider is used. i got expected problem while establish TLS - connection:

      16:03:47,877 INFO  [stdout] (default I/O-1) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

      16:03:47,882 INFO  [stdout] (default I/O-1) Compression Methods:  { 0 }

      16:03:47,884 INFO  [stdout] (default I/O-1) default I/O-1, fatal error: 80: problem unwrapping net record

      16:03:47,885 INFO  [stdout] (default I/O-1) java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available

      16:03:47,885 INFO  [stdout] (default I/O-1) default I/O-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error

      16:03:47,886 INFO  [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Alert, length = 2

      16:03:47,887 INFO  [stdout] (default I/O-1) [Raw write]: length = 7

      16:03:47,888 INFO  [stdout] (default I/O-1) 0000: 15 03 03 00 02 02 50                               ......P

      16:03:47,889 INFO  [stdout] (default I/O-1) default I/O-1, called closeOutbound()

       

       

      I also tried to start patching sun provider to let him know BC-Curve parameter and so on, but at the moment it think it cant be that problem to use BC provider.

       

      Some ideas? - perhaps i started wrong way?

       

      Sascha