[ https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712449#comment-17712449 ]
Mate Szalay-Beko commented on ZOOKEEPER-4393:
---------------------------------------------

{quote}How do you run ZooKeeper in FIPS-mode? (which triggers the error){quote}

good question... I only tried it on proprietary distributions / ZooKeeper versions in my previous workplace, where we had test systems and docker or AMI images already configured with FIPS. But I never saw this particular error message in our production environment back then. Of course, there are many security configurations and it is likely that [~edipesh19] used a more strict one than what we had. Dipesh, can you maybe share your security configs, if it is not sensitive?

Btw, it would be nice to make a FIPS compliant docker image for zookeeper testing. If it is possible... Or just give some pointers in the ZooKeeper documentation.

> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Assignee: Andor Molnar
>            Priority: Major
>
> In my environment zookeeper is running in FIPS mode on a 3-node cluster. My
> service is also running in FIPS mode with security provider
> org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> And from my service, when I am trying to connect to zookeeper I am getting
> the below error.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] -
> org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
>         at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
>         at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
>         at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is that zookeeper has its own trust manager implementation, which is
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and the JDK also provides a trust manager implementation, as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
> {code}
> Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the
> below instance check becomes false and hence it falls to the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
> }
> {code}
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
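Added example, not code from the issue or from ZooKeeper: a stand-alone Java probe that reproduces the situation described above. A hypothetical `WrappingTrustManager` delegates to the provider's own trust manager the way ZKTrustManager does, and `acceptsWrappedTrustManager()` reports whether the running JSSE lets such a wrapper into an `SSLContext`. It assumes SunJSSE is the JSSE provider, so that the `SunJSSE.isFIPS()` check quoted in the issue is the one that applies.

```java
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class FipsTrustManagerProbe {
    // Hypothetical wrapper shaped like ZKTrustManager: a subclass of X509ExtendedTrustManager
    // that is NOT the JDK's X509TrustManagerImpl, which is what chooseTrustManager() rejects in FIPS mode.
    static final class WrappingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager d;
        WrappingTrustManager(X509ExtendedTrustManager delegate) { this.d = delegate; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { d.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { d.checkServerTrusted(c, a); }
        public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { d.checkClientTrusted(c, a, s); }
        public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { d.checkServerTrusted(c, a, s); }
        public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { d.checkClientTrusted(c, a, e); }
        public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { d.checkServerTrusted(c, a, e); }
        public X509Certificate[] getAcceptedIssuers() { return d.getAcceptedIssuers(); }
    }

    // The provider's own trust manager, built from the JVM default trust store.
    static X509ExtendedTrustManager providerTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) return (X509ExtendedTrustManager) tm;
        }
        throw new IllegalStateException("provider returned no X509ExtendedTrustManager");
    }

    // true  -> this JSSE accepts a custom trust manager (non-FIPS behaviour)
    // false -> rejected with KeyManagementException, so only the unwrapped provider trust manager can be used
    static boolean acceptsWrappedTrustManager() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        try {
            ctx.init(null, new TrustManager[] { new WrappingTrustManager(providerTrustManager()) }, null);
            return true;
        } catch (KeyManagementException e) {
            System.err.println("custom trust manager rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(acceptsWrappedTrustManager() ? "custom trust manager accepted; wrapping is safe on this JVM"
                                                       : "FIPS-mode JSSE: pass the provider's trust manager through unwrapped");
    }
}
```

Run it once on the deployment JVM before enabling a custom trust manager: a `false` result is the same condition that produces the stack trace in the issue, caught at startup instead of on the first client connection.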