Hi Will,

Thanks for providing the stack trace associated with the Bouncy Castle FIPS
configuration.

Enabling FIPS is a complex topic that impacts both the NiFi framework and
individual extension components, so it usually requires vendor support for
correct implementation. The particular stack trace points to a problem
loading the default trust store, and the MAC calculation failure usually
indicates a bad password.

Any troubleshooting would require understanding the exact changes made to
java.security and java.policy files. This configuration is outside of
standard Apache NiFi deployments, and any changes to those files will have
direct implications for the security of the installation. If you have any
additional background on the intended use case for NiFi with FIPS support,
that may be helpful to know.

Regards,
David Handermann

On Sat, Jul 20, 2024 at 3:21 PM William Mallett <
wmall...@provisus-solutions.com> wrote:

> Hello Dev,
>
> Not sure if you would be able to help me, but I wanted to provide an
> update on the effort to try to run NiFi in FIPS Mode using bouncycastle:
>
>    1. I installed the bouncycastle jar files in ./lib, and I can see them
>    load in bootstrap.conf
>    2. I modified java.security and java.policy for bouncycastle related
>    configuration changes (like adding the bouncycastle providers, and more)
>    3. My keystore and truststore for NiFi are converted to BCFKS, and I
>    can open them using keytool by specifying the provider info, password,
>    etc.
>    4. I have converted the default cacerts truststore from JKS to BCFKS
>    (which resolved the nifi error “o.b.jsse.provider.DefaultSSLContextSpi
>    Failed to load default trust managers java.io.IOException: DER length more
>    than 4 bytes: 109”), and I have verified I can open it with keytool by
>    specifying the needed info (provider, pwd, etc.)
>    5. But now on starting nifi, I get the error:
>    “o.b.jsse.provider.DefaultSSLContextSpi Failed to load default trust
>    managers  java.io.IOException: BCFKS KeyStore corrupted: MAC calculation
>    failed” (full error at the bottom of the email).
>       1. One note: when using keytool, this is the exact same error I get
>       for BCFKS stores if I get the password for the store wrong, or I don’t
>       include it and it is required for the store.
>       2. I have verified that cacerts is BCFKS, and that its password is
>       “changeit”.
>       3. Just to see if it would work, I have changed cacerts to the same
>       password as my NiFi keystore/truststore (same error).
>
> Please help if you would like, any help is much appreciated!
>
> 2024-07-20 12:04:23,897 WARN [main] o.b.jsse.provider.DefaultSSLContextSpi
> Failed to load default trust managers
>
> java.io.IOException: BCFKS KeyStore corrupted: MAC calculation failed.
>
>         at
> org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.verifyMac(Unknown
> Source)
>
>         at
> org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.engineLoad(Unknown
> Source)
>
>         at java.base/java.security.KeyStore.load(KeyStore.java:1500)
>
>         at
> org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.getDefaultTrustStore(ProvTrustManagerFactorySpi.java:112)
>
>         at
> org.bouncycastle.jsse.provider.ProvSSLContextSpi.getDefaultTrustManagers(ProvSSLContextSpi.java:545)
>
>         at
> org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers.<clinit>(DefaultSSLContextSpi.java:65)
>
>         at
> org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:113)
>
>         at
> org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$8.createInstance(BouncyCastleJsseProvider.java:223)
>
>         at
> org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:407)
>
>         at
> java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>
>         at
> java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>
>         at
> java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:185)
>
>         at
> java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)
>
>         at
> org.apache.nifi.security.util.TlsPlatform.getDefaultSslContext(TlsPlatform.java:102)
>
>         at
> org.apache.nifi.security.util.TlsPlatform.getDefaultSslContextProtocols(TlsPlatform.java:83)
>
>         at
> org.apache.nifi.security.util.TlsPlatform.<clinit>(TlsPlatform.java:45)
>
>         at
> org.apache.nifi.web.server.connector.FrameworkServerConnectorFactory.<init>(FrameworkServerConnectorFactory.java:81)
>
>         at
> org.apache.nifi.web.server.JettyServer.configureConnectors(JettyServer.java:684)
>
>         at
> org.apache.nifi.web.server.JettyServer.init(JettyServer.java:210)
>
>         at
> org.apache.nifi.web.server.JettyServer.initialize(JettyServer.java:1006)
>
>         at org.apache.nifi.NiFi.<init>(NiFi.java:164)
>
>         at org.apache.nifi.NiFi.<init>(NiFi.java:83)
>
>         at org.apache.nifi.NiFi.main(NiFi.java:332)
>
> 2024-07-20 12:04:23,900 ERROR [main]
> org.apache.nifi.web.server.JettyServer Failed to start web server...
> shutting down.
>
> java.lang.ExceptionInInitializerError: null
>
>         at
> org.apache.nifi.web.server.connector.FrameworkServerConnectorFactory.<init>(FrameworkServerConnectorFactory.java:81)
>
>         at
> org.apache.nifi.web.server.JettyServer.configureConnectors(JettyServer.java:684)
>
>         at
> org.apache.nifi.web.server.JettyServer.init(JettyServer.java:210)
>
>         at
> org.apache.nifi.web.server.JettyServer.initialize(JettyServer.java:1006)
>
>         at org.apache.nifi.NiFi.<init>(NiFi.java:164)
>
>         at org.apache.nifi.NiFi.<init>(NiFi.java:83)
>
>         at org.apache.nifi.NiFi.main(NiFi.java:332)
>
> Caused by: java.lang.RuntimeException: SSLContext.getDefault() Failed
>
>         at
> org.apache.nifi.security.util.TlsPlatform.getDefaultSslContext(TlsPlatform.java:104)
>
>         at
> org.apache.nifi.security.util.TlsPlatform.getDefaultSslContextProtocols(TlsPlatform.java:83)
>
>         at
> org.apache.nifi.security.util.TlsPlatform.<clinit>(TlsPlatform.java:45)
>
>         ... 7 common frames omitted
>
> Caused by: java.security.NoSuchAlgorithmException: Unable to invoke
> creator for DEFAULT: Default key/trust managers unavailable
>
>         at
> org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:422)
>
>         at
> java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>
>         at
> java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>
>         at
> java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:185)
>
>         at
> java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)
>
>         at
> org.apache.nifi.security.util.TlsPlatform.getDefaultSslContext(TlsPlatform.java:102)
>
>         ... 9 common frames omitted
>
> Caused by: java.security.KeyManagementException: Default key/trust
> managers unavailable
>
>         at
> org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:115)
>
>         at
> org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$8.createInstance(BouncyCastleJsseProvider.java:223)
>
>         at
> org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:407)
>
>         ... 14 common frames omitted
>
> Caused by: java.security.KeyManagementException: BCFKS KeyStore corrupted:
> MAC calculation failed.
>
>         at
> org.bouncycastle.jsse.provider.DefaultSSLContextSpi.avoidCapturingException(DefaultSSLContextSpi.java:20)
>
>         at
> org.bouncycastle.jsse.provider.DefaultSSLContextSpi.access$200(DefaultSSLContextSpi.java:13)
>
>         at
> org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers.<clinit>(DefaultSSLContextSpi.java:88)
>
>         at
> org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:113)
>
>         ... 16 common frames omitted
>
>
> Respectfully,
>
> Will Mallett  |  ProVisus Solutions, LLC
> office:  757-410-8820
>
> wmall...@provisus-solutions.com
>
> *From:* William Mallett
> *Sent:* Thursday, July 18, 2024 7:32 PM
> *To:* dev@nifi.apache.org
> *Subject:* NiFi 2.0.0-M4 RHEL 9 FIPS mode
>
> Hello Dev,
>
> In the last 3 weeks, I have successfully set up NiFi on Non-FIPS RHEL 9
> with keystore/truststore using both PKCS12 and BCFKS, LDAPS to an Active
> Directory Server, and using S2S with another instance as well.
>
> Now I’m loading a third (standalone) node to get nifi running in RHEL 9
> FIPS mode (installed in FIPS, not converted). I grabbed the M4 nifi package
> (can’t wait to see dark mode). Originally I thought BCFKS would work using
> the bcprov-jdk18on-1.78.1.jar like it did for me in M3 in Non-FIPS mode.
> But upon nifi start I received the error in nifi-app.log
>
> “Caused by: java.security.KeyStoreException: BCFKS not found
>
>         at java.base/java.security.KeyStore.getInstance(KeyStore.java:873)
>
>         at
> org.apache.nifi.security.ssl.StandardKeyStoreBuilder.getKeyStore(StandardKeyStoreBuilder.java:108)
>
>         ... 9 common frames omitted
>
> Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not
> available”
>
> My thought is that bcprov-jdk18on-1.78.1.jar isn’t the bouncycastle Java
> FIPS jar, and so maybe RHEL 9 FIPS mode will not allow it to load? And if
> it did, I’m not sure if it would be FIPS compliant.
>
> I have downloaded the bouncycastle Java FIPS bc-fips-1.0.2.4.jar,
> bcpkix-fips-1.0.7.jar, and bctls-fips-1.0.19.jar. I was thinking somehow
> these might be able to be used, but I’m not sure how I would get nifi to
> use them.
>
> Although I’m a seasoned systems integrator, I’m fairly green on RHEL, very
> green on Java, and have only used Nifi for a few weeks.  I was hoping to
> get your expertise on next steps. Many thanks for any assistance you might
> be able to provide!
>
> Respectfully,
>
> Will Mallett  |  ProVisus Solutions, LLC
> office:  757-410-8820
>
> wmall...@provisus-solutions.com
>
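An added diagnostic, not from this thread or the NiFi project: it loads the trust store through the same javax.net.ssl.trustStore* properties and default cacerts location a default SSLContext resolves, so the type, provider and password the JVM actually applies can be compared with what keytool was given. It assumes bc-fips is on the classpath and that BCJSSE resolves the default trust store from the same properties as the JDK's own JSSE; the class name DefaultTrustStoreCheck is mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

// Loads the trust store the way a default SSLContext resolves it (javax.net.ssl.trustStore*
// properties, else <java.home>/lib/security/jssecacerts or cacerts) and reports what was used.
public class DefaultTrustStoreCheck {

    // Standard JSSE property first, then the JDK's own default locations (assumed order).
    static Path resolveTrustStorePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null && !configured.isEmpty()) {
            return Paths.get(configured);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        // In a real deployment java.security registers the provider; done here so the
        // class runs stand-alone with bc-fips on the classpath.
        Security.addProvider(new BouncyCastleFipsProvider());

        Path storePath = resolveTrustStorePath();
        // Type falls back to keystore.type from java.security (KeyStore.getDefaultType()).
        String storeType = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String password = System.getProperty("javax.net.ssl.trustStorePassword");
        System.out.printf("store=%s type=%s password=%s%n", storePath, storeType,
                password == null ? "<not set>" : "<set>");

        KeyStore ks = KeyStore.getInstance(storeType);
        System.out.println("provider serving " + storeType + ": " + ks.getProvider().getName());
        try (InputStream in = Files.newInputStream(storePath)) {
            // JKS skips its integrity check when no password is given; a BCFKS store
            // verifies its integrity MAC on load, and the thread above reports keytool
            // failing the same way for a missing or wrong password.
            ks.load(in, password == null ? null : password.toCharArray());
            System.out.printf("loaded %d trusted entries%n", ks.size());
        } catch (IOException e) {
            System.out.println("load failed: " + e.getMessage());
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore* settings and java.security the NiFi JVM gets; if the password line prints "<not set>" or the serving provider is not BCFIPS, that mismatch rather than the store file itself is the place to look.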