[ https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17719166#comment-17719166 ]

Mate Szalay-Beko commented on ZOOKEEPER-4393:
---------------------------------------------

Strange...

if this code is executed
{code:java}
if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
    throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
}
{code}
and we cannot reproduce the issue, then it means that `SunJSSE.isFIPS()` is 
false in our tests, while for [~edipesh19] it is true. I wonder why... 

btw, SunJSSE.isFIPS is set true here: 
[https://github.com/frohoff/jdk8u-dev-jdk/blob/master/src/share/classes/sun/security/ssl/SunJSSE.java|https://github.com/frohoff/jdk8u-dev-jdk/blob/da0da73ab82ed714dc5be94acd2f0d00fbdfe2e9/src/share/classes/sun/security/ssl/SunJSSE.java#L117]

I wonder where this SunJSSE class is instantiated. Because it is called with 
different constructor in your case than in our tests. (or maybe in our case, it 
is not even set... isFIPS is checking a static Boolean and returns null when 
uninitialized)

Maybe it would be good to see the whole stack-trace, [~edipesh19], could you 
share it? I see the last exception in ZK is thrown at this line: 
[https://github.com/apache/zookeeper/blob/6401e4ad2087061bc6b9f80dec2d69f2e3c8660a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java#L386]
 - but it would be good to see the whole "caused by" chain. Maybe SunJSSE class 
is instantiated somewhere around that chain? I am really not familiar with 
these code parts.
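To answer the question raised in the comment (why SunJSSE reports FIPS mode on one JVM but not another), a small diagnostic is more useful than guessing. The following is an added example written for this thread, not code from the issue or from the ZooKeeper project; the class name JsseFipsDiag is made up, and it assumes only standard JDK APIs. It lists the installed security providers in precedence order (in a JDK 8 FIPS setup the SunJSSE line in java.security normally names a FIPS crypto provider as its second argument, which is what turns FIPS mode on), then shows which concrete class backs the default trust manager and which provider supplies the default SSLContext. Run it with the same JVM and java.security file as the failing service and compare against a JVM where the problem does not reproduce.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Diagnostic for JSSE/FIPS wiring (added example, hypothetical class name).
 * Prints the provider order, the default trust manager class and the
 * provider behind the default SSLContext, so two JVMs can be compared.
 */
public class JsseFipsDiag {

    public static void main(String[] args) throws Exception {
        // 1. Installed providers in precedence order. A FIPS-enabled SunJSSE is
        //    usually visible here as a SunJSSE entry sitting above/beside a
        //    FIPS provider such as SunPKCS11-NSS or BouncyCastleFipsProvider.
        System.out.println("== Security providers (precedence order) ==");
        for (Provider p : Security.getProviders()) {
            System.out.printf("%-25s %s%n", p.getName(), p.getInfo());
        }

        // 2. Concrete class of the default trust manager. ZooKeeper wraps this in
        //    its own ZKTrustManager, which is why a FIPS-mode SunJSSE rejects it:
        //    the wrapper is an X509ExtendedTrustManager but not X509TrustManagerImpl.
        System.out.println("== Default TrustManagerFactory ==");
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = JVM default trust store (cacerts)
        System.out.println("factory provider: " + tmf.getProvider().getName());
        for (TrustManager tm : tmf.getTrustManagers()) {
            System.out.println("trust manager:    " + tm.getClass().getName()
                + " (X509ExtendedTrustManager: "
                + (tm instanceof X509ExtendedTrustManager) + ")");
        }

        // 3. Which provider actually serves the default SSLContext.
        System.out.println("== Default SSLContext ==");
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("protocol: " + ctx.getProtocol()
            + ", provider: " + ctx.getProvider().getName());
    }
}
```

If the provider list differs between the two JVMs, or the default SSLContext comes from a different provider, that difference is the first place to look for why SunJSSE.isFIPS() evaluates differently.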

> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Assignee: Andor Molnar
>            Priority: Major
>
> In my environment ZooKeeper is running in FIPS mode as a 3-node cluster. My 
> service is also running in FIPS mode with security provider 
> org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> And from my service, when I am trying to connect to ZooKeeper, I am getting 
> the below error.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN  
> io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to 
> initialize a channel. Closing: [id: 0xa129ece9] -
> org.apache.zookeeper.common.X509Exception$SSLContextException: 
> java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers 
> may be used
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
>       at 
> org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is the zookeeper has its own trust manager implementation which is 
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and the JDK also provides a trust manager implementation as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
> {code}
> Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the 
> below instance check becomes false and hence it falls into the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)