Trae Yelovich *created* an issue

GeoServer / Bug GEOS-10512: Default KeystoreProviderImpl type is not FIPS-compliant (JCEKS)
https://osgeo-org.atlassian.net/browse/GEOS-10512?atlOrigin=eyJpIjoiMDY2M2VmNGE3MDdjNDNkOGJjN2NlZWY2OGEwNjUzOTIiLCJwIjoiaiJ9

Issue Type: Bug
Affects Versions: 2.18.6, 2.20.4, 2.21.0
Assignee: Unassigned
Created: 25/May/22 3:12 PM
Environment: A FIPS-enabled Linux server w/ an OpenJDK 11 container (1.11)
Priority: High
Reporter: Trae Yelovich

The default keystore type for KeystoreProviderImpl is JCEKS. During startup, 
GeoServer tries to create a blank JCEKS keystore, or load an existing one 
within the data directory. However, in FIPS environments, a 
NoSuchAlgorithmException is thrown as JCEKS is not available under FIPS. As a 
result, we cannot get GeoServer to finish booting as FIPS mode is required and 
GeoServer depends on JCEKS to continue execution.

We've considered creating a compatible keystore provider as a workaround and 
importing it somehow, but extension documentation seems scarce, especially 
regarding a custom keystore provider.

Ideally, a FIPS-compatible algorithm as the default keystore type would solve 
this issue. Another potential alternative would be to allow the system to 
provide a keystore type as an environment variable, and then default to JCEKS 
if the variable doesn't exist.

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
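
The environment-variable fallback proposed in the issue, as an added example that is not part of the original report or GeoServer's code. The variable name GEOSERVER_KEYSTORE_TYPE and the class KeystoreTypeProbe are hypothetical; only standard java.security calls are used.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.util.Map;
import java.util.TreeSet;

public class KeystoreTypeProbe {
    // Hypothetical variable name; GeoServer does not define it.
    static final String ENV_VAR = "GEOSERVER_KEYSTORE_TYPE";
    // The default keystore type the issue describes.
    static final String DEFAULT_TYPE = "JCEKS";

    /** Use the environment override when present, otherwise the JCEKS default. */
    static String resolveType(Map<String, String> env) {
        String configured = env.get(ENV_VAR);
        return (configured == null || configured.isBlank()) ? DEFAULT_TYPE : configured.trim();
    }

    /** Keystore types offered by the security providers installed in this JVM. */
    static TreeSet<String> availableTypes() {
        return new TreeSet<>(Security.getAlgorithms("KeyStore"));
    }

    /** Create an empty in-memory keystore, or fail with an actionable message. */
    static KeyStore createEmpty(String type) throws Exception {
        KeyStore ks;
        try {
            ks = KeyStore.getInstance(type);
        } catch (KeyStoreException e) {
            // No installed provider implements the requested type.
            throw new IllegalStateException("Keystore type " + type
                + " is not offered by any installed provider; set " + ENV_VAR
                + " to one of " + availableTypes(), e);
        }
        ks.load(null, null); // a null stream initializes a new, empty keystore
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String type = resolveType(System.getenv());
        KeyStore ks = createEmpty(type);
        System.out.println("Created empty " + ks.getType() + " keystore via "
            + ks.getProvider().getName());
    }
}
```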
