Hi,
We are seeing that Geoserver is failing to run in FIPS-enabled environments 
when using the latest OpenJDK 11. I was wondering if anyone else had seen this; 
I did not see any existing discussions.
Environment details:
- Geoserver version: 2.20.0
- Execution environment: Kubernetes pod using RHEL 8 ubi-minimal base image, 
  running on RHEL 8 host OS -> FIPS mode is enabled in this environment 
  (fips-mode-setup --check returns enabled state of FIPS on both the host OS 
  and inside the container)
- Java distro/version: OpenJDK 11, version 11.0.14.0.9-2.el8_5.x86_64
Error specifics: When starting Geoserver, the following exception is seen, which 
prevents the web context from starting up:

...
Caused by: java.io.IOException: java.security.KeyStoreException: JCEKS not found
    at org.geoserver.security.KeyStoreProviderImpl.assertActivatedKeyStore(KeyStoreProviderImpl.java:237)
...
From reading around (see some links below), it sounds as though this is due to 
OpenJDK's FIPS-enabled state preventing the use of an external keystore that 
is outside of the NSS software token, which Geoserver does in the 
KeyStoreProviderImpl, trying to build and use its own JCEKS keystore to 
support its runtime encryption operations.
- https://github.com/keycloak/keycloak/issues/9916 and 
  https://github.com/keycloak/keycloak/issues/9967 (these are the Keycloak 
  project's issues that are related to the same underlying cause)
- https://access.redhat.com/solutions/5696401 (gives workaround for running Java 
  apps that need cryptography in this environment, behind paywall but the process 
  is to set security.useSystemPropertiesFile=false in the java.security file of 
  the JVM installation)
- https://github.com/openshift/origin-aggregated-logging/pull/2237 (a PR to let 
  elasticsearch run in such environments: again, disables FIPS mode in the JRE. 
  Results from bug https://issues.redhat.com/browse/LOG-1974 which has further 
  details in comments)
Has anyone else observed an issue like this? There is a workaround for running 
Geoserver in this environment, but it amounts to disabling FIPS mode, and we 
are interested in running Geoserver in FIPS mode for compliance reasons. Is 
this target environment intended to be a supported runtime environment?
Thanks very much,
Steve
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, by Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
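A small diagnostic to confirm the cause from inside the container before touching java.security. This is an added example, not GeoServer code and not from the original post: it asks the running JVM for the same KeyStore type GeoServer's KeyStoreProviderImpl requests ("JCEKS"), alongside a few other types, lists the installed providers, and prints the security.useSystemPropertiesFile property the workaround above flips. The class name and the set of KeyStore types probed are my choices; nothing here depends on GeoServer being installed.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Set;

/**
 * Added diagnostic (not GeoServer code): report which KeyStore types the running
 * JVM can instantiate and which providers are installed, so the "JCEKS not found"
 * failure can be reproduced and checked from inside the pod before java.security
 * is edited, and re-checked after.
 */
public class KeyStoreProbe {

    /** Returns true if KeyStore.getInstance(type) succeeds in this JVM. */
    static boolean keyStoreAvailable(String type) {
        try {
            KeyStore.getInstance(type);
            return true;
        } catch (KeyStoreException e) {
            // Thrown when no installed provider registers this KeyStore type.
            return false;
        }
    }

    public static void main(String[] args) {
        // The java.security key the post's workaround sets to false. It is a RHEL/Fedora
        // addition; on a JDK without the system-crypto-policy patch this prints "null".
        System.out.println("security.useSystemPropertiesFile = "
                + Security.getProperty("security.useSystemPropertiesFile"));

        // In FIPS mode the provider list is what changes: expect an NSS-backed
        // SunPKCS11 provider near the top and the usual SUN/SunJCE entries demoted
        // or absent, depending on the JDK build.
        System.out.println("Installed providers (in priority order):");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %-20s %s%n", p.getName(), p.getInfo());
        }

        // Every KeyStore type some provider has registered.
        Set<String> types = Security.getAlgorithms("KeyStore");
        System.out.println("KeyStore types registered: " + types);

        // JCEKS is what GeoServer's KeyStoreProviderImpl asks for. JKS and PKCS12
        // are the common file-based alternatives; PKCS11 is the NSS token route
        // the post describes FIPS mode restricting you to.
        for (String t : new String[] {"JCEKS", "JKS", "PKCS12", "PKCS11"}) {
            System.out.printf("  KeyStore.getInstance(\"%s\"): %s%n",
                    t, keyStoreAvailable(t) ? "OK" : "NOT AVAILABLE");
        }
    }
}
```

Compile and run it with the same JDK the pod uses (javac KeyStoreProbe.java && java KeyStoreProbe). If "JCEKS" reports NOT AVAILABLE while the provider list shows the NSS/PKCS11 provider, you have reproduced the startup failure independently of GeoServer; running it again after changing security.useSystemPropertiesFile shows whether that edit actually restored JCEKS, and the provider list makes it explicit that doing so has taken the JVM out of the FIPS provider configuration rather than made GeoServer FIPS-compliant.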