Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CI] Cannot load security plugin under 8FIPS #37682

Closed
costin opened this issue Jan 22, 2019 · 2 comments
Closed

[CI] Cannot load security plugin under 8FIPS #37682

costin opened this issue Jan 22, 2019 · 2 comments
Assignees
@jkakavas
Labels
:Security/Security Security issues without another label >test-failure Triaged test failures from CI

Comments

@costin
Copy link
Member

costin commented Jan 22, 2019

org.elasticsearch.xpack.security.LocalStateSecurity cannot be loaded due to FIPS mode:

Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BCFIPS
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)

https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+matrix-java-periodic/ES_BUILD_JAVA=java11,ES_RUNTIME_JAVA=java8fips,nodes=virtual&&linux/195/console
@costin costin added >test-failure Triaged test failures from CI :Security/Security Security issues without another label labels Jan 22, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@jkakavas
Copy link
Member

This fails because #36846 added a JKS keystore to be used as a keystore in the node settings.

@jkakavas jkakavas self-assigned this Jan 22, 2019
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Jan 22, 2019
@jkakavas
Use PEM files for PkiOptionalClientAuthTests
e060ac6 
Use PEM files for the key material for TLS on the http layer of the
node instead of a JKS keystore so that the tests can run in a FIPS
140 JVM also.

Resolves:  elastic#37682
@jkakavas jkakavas mentioned this issue Jan 22, 2019
Merged
jkakavas added a commit that referenced this issue Jan 22, 2019
@jkakavas
Use PEM files for PkiOptionalClientAuthTests (#37683)
5c1a1f7 
Use PEM files for the key/cert for TLS on the http layer of the
node instead of a JKS keystore so that the tests can also run
in a FIPS 140 JVM .

Resolves: #37682
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkakavas jkakavas

Labels
:Security/Security Security issues without another label >test-failure Triaged test failures from CI
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@costin @jkakavas @elasticmachine