[
https://issues.apache.org/jira/browse/NIFI-14048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17901047#comment-17901047
]
Angela E commented on NIFI-14048:
---------------------------------
This is the stock FIPS Java crypto policy delivered with RHEL 9, with no
customization. Creating a custom policy which includes Ed25519 or simply
reverting the crypto policy to a default one but maintaining fips=1 in the
kernel arguments still fails. Removing fips=1 from the kernel would undo all
the other FIPS settings required by the DISA STIG, which is the governing
document.
Understand regarding FIPS 186-5. Red Hat released their 9.x line before FIPS
186-5 was finalized, so they may be unlikely to modify this crypto policy
before the next major release.
> Ed25519 and RHEL 9 in FIPS Mode
> -------------------------------
>
> Key: NIFI-14048
> URL: https://issues.apache.org/jira/browse/NIFI-14048
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework, Security
> Affects Versions: 2.0.0
> Environment: On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will
> not start since Ed25519 (and Ed448) signatures are disabled in the
> system-wide FIPS crypto policy. We are unable to deviate from this crypto
> policy.
> Reporter: Angela E
> Priority: Critical
>
> On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will not start since
> Ed25519 (and Ed448) signatures are disabled in the system-wide FIPS crypto
> policy. We are unable to deviate from this crypto policy.
>
> JSON Web Token change in NiFi 2.0.0-M4 as referenced in:
>
> https://issues.apache.org/jira/browse/NIFI-13424
>
> When attempting to start, NiFi issues this exception:
>
> Factory method 'keyGenerationCommand' threw exception with message:
> java.security.NoSuchAlgorithmException: Ed25519 KeyPairGenerator not available
>
> Recommending an optional setting in nifi.properties to allow the JWT to
> revert to previous PS512 signatures.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
