rwdj opened a new issue, #6246:
URL: https://github.com/apache/cloudstack/issues/6246
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
UI, more?
~~~
##### CLOUDSTACK VERSION
~~~
4.16
~~~
##### CONFIGURATION
##### OS / ENVIRONMENT
RHEL 8 FIPS compliant system
##### SUMMARY
Cloudstack uses multiple instances of non-FIPS-compliant features. This
makes it impossible to work with in a FIPS compliant environment.
##### STEPS TO REPRODUCE
On a FIPS compliant system, build as instructed in
https://docs.cloudstack.apache.org/en/latest/installguide/building_from_source.html:
~~~
$ mvn -P deps
~~~
On a FIPS compliant RHEL8 system, install and run cloudstack-management.service.
~~~
[root@rwdj ~]# systemctl stop firewalld nftables
[root@rwdj ~]# systemctl start iptables
[root@rwdj ~]# dnf install cloudstack-management mysql-connector-java
[root@rwdj ~]# cloudstack-setup-databases cloud:<omitted> --deploy-as=root:<omitted> -i 127.0.0.1
# See #6232 for why I do the next two steps
[root@rwdj ~]# chown :cloud /etc/cloudstack/management/key
[root@rwdj ~]# chmod 0640 /etc/cloudstack/management/key
[root@rwdj ~]# cloudstack-setup-management
~~~
##### EXPECTED RESULTS
~~~
Able to build or run cloudstack-management.
~~~
##### ACTUAL RESULTS
Build
~~~
$ mvn -P deps
[INFO] Running com.cloud.utils.testcase.NioTest
2022-04-11 13:55:28,671 INFO [utils.testcase.NioTest] (main:) Setting up Benchmark Test
2022-04-11 13:55:28,695 INFO [utils.nio.NioServer] (main:) NioServer started and listening on /0:0:0:0:0:0:0:0:41907
2022-04-11 13:55:28,714 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:28,720 INFO [utils.testcase.NioTest] (MaliciousNioClientHandler-2:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.nio.NioClient] (NioClientHandler-1:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.nio.NioClient] (NioClientHandler-2:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.testcase.NioTest] (MaliciousNioClientHandler-1:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:29,715 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:30,715 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:31,716 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:32,003 WARN [utils.nio.Link] (NioClientHandler-2:) Failed to load keystore, using trust all manager
2022-04-11 13:55:32,003 WARN [utils.nio.Link] (NioClientHandler-1:) Failed to load keystore, using trust all manager
2022-04-11 13:55:32,041 ERROR [utils.nio.Link] (NioTestServer-NioConnectionHandler-1:) CA service is not configured, by-passing CA manager to create SSL engine
2022-04-11 13:55:32,043 ERROR [utils.nio.NioConnection] (NioClientHandler-1:) Unable to initialize the threads.
java.io.IOException: Failed to initialise security
    at com.cloud.utils.nio.NioClient.init(NioClient.java:82)
    at com.cloud.utils.nio.NioConnection.start(NioConnection.java:95)
    at com.cloud.utils.testcase.NioTest$ThreadedNioClient.run(NioTest.java:172)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at java.base/sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:133)
    at java.base/sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:95)
    at java.base/javax.net.ssl.SSLContext.init(SSLContext.java:297)
    ... 9 more
[...]
[INFO] Running com.cloud.utils.rest.HttpClientHelperTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.116 s <<< FAILURE! - in com.cloud.utils.rest.HttpClientHelperTest
[ERROR] testCreateClient(com.cloud.utils.rest.HttpClientHelperTest) Time elapsed: 0.115 s <<< ERROR!
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at com.cloud.utils.rest.HttpClientHelperTest.testCreateClient(HttpClientHelperTest.java:33)
[INFO] Running com.cloud.utils.rest.BasicRestClientTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.087 s <<< FAILURE! - in com.cloud.utils.rest.BasicRestClientTest
[ERROR] com.cloud.utils.rest.BasicRestClientTest Time elapsed: 0.087 s <<< ERROR!
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
    at com.cloud.utils.rest.BasicRestClientTest.setupClass(BasicRestClientTest.java:62)
~~~
Run.
~~~
INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) (logid:) Loading module context [system] from URL [jar:file:/usr/share/cloudstack-management/lib/cloudstack-4.16.1.0.jar!/META-INF/cloudstack/bootstrap/spring-bootstrap-context-inheritable.xml]
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/usr/share/cloudstack-management/lib/cloudstack-4.16.1.0.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
INFO [c.c.u.d.T.Transaction] (main:null) (logid:) Is Data Base High Availiability enabled? Ans : false
WARN [c.c.u.d.T.Transaction] (main:null) (logid:) Unable to load db configuration, using defaults with 5 connections. Falling back on assumed datasource on localhost:3306 using username:password=cloud:cloud. Please check your configuration
org.jasypt.exceptions.EncryptionInitializationException: java.security.NoSuchAlgorithmException: PBEWithMD5AndDES SecretKeyFactory not available
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.initialize(StandardPBEByteEncryptor.java:773)
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.initialize(StandardPBEStringEncryptor.java:566)
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:718)
    at org.jasypt.properties.PropertyValueEncryptionUtils.decrypt(PropertyValueEncryptionUtils.java:72)
    at org.jasypt.properties.EncryptableProperties.decode(EncryptableProperties.java:230)
    at org.jasypt.properties.EncryptableProperties.getProperty(EncryptableProperties.java:172)
    at com.cloud.utils.db.TransactionLegacy.initDataSource(TransactionLegacy.java:1034)
    at com.cloud.utils.db.TransactionLegacy.<clinit>(TransactionLegacy.java:1008)
    at com.cloud.utils.db.Merovingian2.<init>(Merovingian2.java:68)
    at com.cloud.utils.db.Merovingian2.createLockController(Merovingian2.java:88)
    at com.cloud.server.LockControllerListener.<init>(LockControllerListener.java:33)
    ... more
Caused by: com.mysql.cj.exceptions.SSLParamsException: Cannot open file:NONE [NONE (No such file or directory)]
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    ... 90 more
Caused by: java.io.FileNotFoundException: NONE (No such file or directory)
    at java.base/java.io.FileInputStream.open0(Native Method)
    at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
    at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
    ... 90 more
~~~
Upon checking, I found
[utils/src/main/java/com/cloud/utils/crypt/DBEncryptionUtil.java#L81](https://github.com/apache/cloudstack/blob/4.16/utils/src/main/java/com/cloud/utils/crypt/DBEncryptionUtil.java#L81),
where PBEWithMD5AndDES is not FIPS compliant. I'm concerned there are also
other spots to check that I can't check because it doesn't build, which brings
me to the extent of my knowledge.
FIPS compliance can be a stickler, because the core documentation isn't very
clear from what I can find. I use FIPS compliant machines, but I don't
configure them. Regarding PBEWithMD5AndDES, after a few searches, the clearest
documentation on approved algorithms I could find was this (which is out
of date now that FIPS 140-3 exists, but probably still correct enough):
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2261.pdf
And additional resources that may prove useful:
https://github.com/jasypt/jasypt/blob/master/jasypt/src/main/java/org/jasypt/util/text/AES256TextEncryptor.java
https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html#cipher-algorithm-names
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening
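As an added diagnostic (not code from the issue, from CloudStack or from jasypt), the following Java program reports whether the JVM it runs on can still supply what the two traces above fail on: a SecretKeyFactory for the PBE names and a SunJSSE-provided TrustManager. The class name, the two alternative algorithm names and the "FIPS" provider-name check are assumptions and should be verified against the host's java.security file and the jasypt version in use.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKeyFactory;
import javax.net.ssl.TrustManagerFactory;

/** Pre-flight check for a FIPS host: can this JVM still supply the primitives the traces fail on? */
public class FipsPreflight {
    // PBEWithMD5AndDES is what DBEncryptionUtil asks jasypt for (see the issue);
    // PBEWithHmacSHA512AndAES_256 is the name used by jasypt's AES256TextEncryptor
    // (taken from the linked source; confirm against the jasypt version in use).
    static final String[] PBE_ALGORITHMS = {
        "PBEWithMD5AndDES", "PBEWithHmacSHA512AndAES_256", "PBKDF2WithHmacSHA256"
    };
    /** True when a SecretKeyFactory for this name can be obtained from the installed providers. */
    static boolean secretKeyFactoryAvailable(String name) {
        try {
            SecretKeyFactory.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            // This is the exception jasypt wraps in EncryptionInitializationException.
            return false;
        }
    }
    /** Provider behind the default TrustManagerFactory. In FIPS mode SSLContext.init
     *  accepts only SunJSSE TrustManagers, so this is the kind CloudStack's Link must
     *  use instead of a hand-built trust-all manager. */
    static String defaultTrustManagerProvider() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK's default trust store
        return tmf.getProvider().getName();
    }
    public static void main(String[] args) throws Exception {
        Provider[] providers = Security.getProviders();
        System.out.println("Installed providers (order matters):");
        for (Provider p : providers) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        // Assumption: RHEL's FIPS java.security profile lists an NSS-backed PKCS#11 provider
        // first and its name contains "FIPS"; verify against the host's java.security file.
        System.out.println("FIPS provider first: " + providers[0].getName().contains("FIPS"));
        for (String algo : PBE_ALGORITHMS) {
            System.out.println("SecretKeyFactory " + algo + ": "
                    + (secretKeyFactoryAvailable(algo) ? "available" : "NOT available"));
        }
        System.out.println("Default TrustManagerFactory provider: " + defaultTrustManagerProvider());
    }
}
```

Running it on the FIPS host before installing the package shows which of the failures in the traces are caused by the provider configuration rather than by CloudStack itself.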