[jira] [Commented] (NIFI-14048) Ed25519 and RHEL 9 in FIPS Mode

Tue, 10 Dec 2024 09:51:21 -0800 


    [ 
https://issues.apache.org/jira/browse/NIFI-14048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904594#comment-17904594
 ] 

Frank McArtor commented on NIFI-14048:
--------------------------------------

Good afternoon. As discussed in the Slack chat, we're in the process of 
upgrading from 1.25.0 to 1.27.0 to 2.0.0 and we've run into this issue when 
trying to start 2.0.0. We're running RHEL 9.4 in our Kubernetes containers and 
receiving this...

2024-12-05 17:00:25,266 ERROR [main] o.s.web.context.ContextLoader Context 
initialization failed org.springframework.beans.factory.BeanCreationException: 
Error creating bean with name 'keyGenerationCommand' defined in class path 
resource 
[org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.class]:
 Failed to instantiate 
[org.apache.nifi.web.security.jwt.key.command.KeyGenerationCommand]: Factory 
method 'keyGenerationCommand' threw exception with message: 
java.security.NoSuchAlgorithmException: Ed25519 KeyPairGenerator not 
availableCaused by: org.springframework.beans.BeanInstantiationException: 
Failed to instantiate 
[org.apache.nifi.web.security.jwt.key.command.KeyGenerationCommand]: Factory 
method 'keyGenerationCommand' threw exception with message: 
java.security.NoSuchAlgorithmException: Ed25519 KeyPairGenerator not available

> Ed25519 and RHEL 9 in FIPS Mode
> -------------------------------
>
>                 Key: NIFI-14048
>                 URL: https://issues.apache.org/jira/browse/NIFI-14048
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 2.0.0
>         Environment: On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will 
> not start since Ed25519 (and Ed448) signatures are disabled in the 
> system-wide FIPS crypto policy. We are unable to deviate from this crypto 
> policy.
>            Reporter: Angela E
>            Priority: Critical
>
> On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will not start since 
> Ed25519 (and Ed448) signatures are disabled in the system-wide FIPS crypto 
> policy. We are unable to deviate from this crypto policy.
>  
> JSON Web Token change in NiFi 2.0.0-M4 as referenced in:
>  
> https://issues.apache.org/jira/browse/NIFI-13424
>  
> When attempting to start, NiFi issues this exception:
>  
> Factory method 'keyGenerationCommand' threw exception with message: 
> java.security.NoSuchAlgorithmException: Ed25519 KeyPairGenerator not available
>  
> Recommending an optional setting in nifi.properties to allow the JWT to 
> revert to previous PS512 signatures. 
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to