Nexus application working/co-existing with RedHat with FIPS (Federal Information Processing Standard) enabled.

Problem
Currently, if FIPS mode is enabled on a RedHat 8 host system, Nexus running on OpenJDK 8 can fail to start: the JDK's FIPS alignment rejects the file-based keystore Nexus uses for its node identity (the KeyStoreException at the bottom of the trace).
An example from nexus.log looks like the following:

2021-06-28 23:01:33,974+0000 ERROR [FelixStartLevel] *SYSTEM org.sonatype.nexus.internal.node.LocalNodeAccess - Failed transition: NEW -> STARTED
org.sonatype.nexus.ssl.KeystoreException: Unable to retrieve key manager in keystore 'private.ks' for alias 'identity'
at org.sonatype.nexus.ssl.internal.geronimo.FileKeystoreInstance.getKeyManager(FileKeystoreInstance.java:261)
at org.sonatype.nexus.ssl.KeyStoreManagerImpl.getKeyManagers(KeyStoreManagerImpl.java:249)
at org.sonatype.nexus.ssl.KeyStoreManagerImpl.generateAndStoreKeyPair(KeyStoreManagerImpl.java:376)
at org.sonatype.nexus.internal.node.LocalNodeAccess.doStart(LocalNodeAccess.java:73)
at org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport.start(StateGuardLifecycleSupport.java:69)
at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
at org.sonatype.nexus.common.stateguard.StateGuard$TransitionImpl.run(StateGuard.java:193)
at org.sonatype.nexus.common.stateguard.TransitionsInterceptor.invoke(TransitionsInterceptor.java:57)
at org.sonatype.nexus.internal.node.NodeAccessBooter.start(NodeAccessBooter.java:48)
at org.sonatype.nexus.extender.NexusLifecycleManager.startComponent(NexusLifecycleManager.java:199)
at org.sonatype.nexus.extender.NexusLifecycleManager.to(NexusLifecycleManager.java:111)
at org.sonatype.nexus.extender.NexusContextListener.moveToPhase(NexusContextListener.java:319)
at org.sonatype.nexus.extender.NexusContextListener.frameworkEvent(NexusContextListener.java:216)
at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1597)
at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider SunPKCS11-NSS-FIPS
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at org.sonatype.nexus.ssl.internal.geronimo.FileKeystoreInstance.getKeyManager(FileKeystoreInstance.java:256)
...


Solution
There are a few ways to get Nexus to start up correctly without altering keystore formats (which may have other, untested implications). Each one turns off the JDK's FIPS alignment, so the JVM no longer insists on the SunPKCS11-NSS-FIPS provider:

1. Edit the JDK's lib/security/java.security file and set security.useSystemPropertiesFile=false.
["When set to false, both the global FIPS and the crypto-policies alignment are disabled. By default, it is set to true"]


2. Pass the following option to the JDK: -Djava.security.disableSystemPropertiesFile=true.
["When set to true, both the global FIPS and the crypto-policies alignment are disabled; generating the same effect as a security.useSystemPropertiesFile=false security property. If both properties are set to different behaviors, java.security.disableSystemPropertiesFile overrides."]


3. Pass the following option to the JDK: -Dcom.redhat.fips=false.
["When set to false, disables the FIPS alignment while still applying the global crypto-policies. If any of the previous properties is set to disable the crypto-policies alignment, this property has no effect. In other words, crypto-policies is a prerequisite for FIPS alignment"]


Refs:
https://access.redhat.com/documentation/en-us/openjdk/8/pdf/configuring_openjdk_8_on_rhel_with_fips/OpenJDK-8-Configuring_OpenJDK_8_on_RHEL_with_FIPS-en-US.pdf
