24 changes: 5 additions & 19 deletions docker/templates/Dockerfile.erb
Expand Up @@ -60,7 +60,7 @@ RUN \
<%= package_manager %> install -y which shadow-utils && \
<%= package_manager %> clean all
<% else -%><%# 'wolfi', 'observability-sre' -%>
<%= package_manager %> add --no-cache curl bash openssl
<%= package_manager %> add --no-cache java-cacerts curl bash openssl
<% end -%>

# Provide a non-root user to run the process
Expand Down Expand Up @@ -112,27 +112,18 @@ RUN mkdir -p /usr/share/logstash/config/security

# Copy JVM security configuration files from the unpacked tarball
RUN cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/security/java.security /usr/share/logstash/config/security/ && \
cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/security/java.policy /usr/share/logstash/config/security/ && \
chown --recursive logstash:root /usr/share/logstash/config/security/

# list the classes provided by the fips BC
RUN find /usr/share/logstash -name *.jar | grep lib

# Convert JKS to BCFKS for truststore and keystore
RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
-srckeystore /usr/share/logstash/jdk/lib/security/cacerts \
-destkeystore /usr/share/logstash/config/security/cacerts.bcfks \
-srcstoretype jks \
-deststoretype bcfks \
-providerpath /usr/share/logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-deststorepass changeit \
-srcstorepass changeit \
-noprompt
# Update certs installed from java-cacerts package
RUN ln -sf /etc/ssl/certs/java/cacerts /usr/share/logstash/jdk/lib/security/cacerts

# Convert JKS to BCFKS for truststore
RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
-srckeystore /usr/share/logstash/jdk/lib/security/cacerts \
-destkeystore /usr/share/logstash/config/security/keystore.bcfks \
-destkeystore /usr/share/logstash/config/security/cacerts.bcfks \
-srcstoretype jks \
-deststoretype bcfks \
-providerpath /usr/share/logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
Expand All @@ -144,11 +135,6 @@ RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
# Set Java security properties through LS_JAVA_OPTS
ENV LS_JAVA_OPTS="\
-Djava.security.properties=/usr/share/logstash/config/security/java.security \
-Djava.security.policy=/usr/share/logstash/config/security/java.policy \
-Djavax.net.ssl.keyStore=/usr/share/logstash/config/security/keystore.bcfks \
-Djavax.net.ssl.keyStoreType=BCFKS \
-Djavax.net.ssl.keyStoreProvider=BCFIPS \
-Djavax.net.ssl.keyStorePassword=changeit \
-Djavax.net.ssl.trustStore=/usr/share/logstash/config/security/cacerts.bcfks \
-Djavax.net.ssl.trustStoreType=BCFKS \
-Djavax.net.ssl.trustStoreProvider=BCFIPS \
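Review bot: The new `RUN ln -sf /etc/ssl/certs/java/cacerts /usr/share/logstash/jdk/lib/security/cacerts` succeeds even when the link target is absent, so a flavor that did not get java-cacerts (the first hunk adds it only in the `<% else -%>` wolfi branch) would only fail later, at the keytool step that reads the JDK cacerts, with a less obvious error; making the precondition explicit is cheap: `RUN test -r /etc/ssl/certs/java/cacerts && ln -sf /etc/ssl/certs/java/cacerts /usr/share/logstash/jdk/lib/security/cacerts`. Whether that RUN sits inside an ERB conditional for the wolfi flavor cannot be seen from this hunk. The comment above it, `# Update certs installed from java-cacerts package`, describes the intent loosely; what the line does is replace the JDK's bundled trust store with the distro-managed bundle, so `# Point the JDK trust store at the distro-managed CA bundle from java-cacerts` reads closer to the code. It is also worth a one-line comment on the keytool block that follows that cacerts.bcfks is a build-time snapshot of that bundle, so CA updates reach the runtime trust store only on a rebuild.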

This file was deleted.

@@ -1,21 +1,15 @@
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.11=-BC
security.provider.4=-BC

securerandom.source=file:/dev/random
securerandom.source=file:/dev/urandom
securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
securerandom.drbg.config=

login.configuration.provider=sun.security.provider.ConfigFile

policy.provider=sun.security.provider.PolicyFile
policy.url.1=file:/etc/java/security/java.policy
policy.expandProperties=true
policy.allowSystemProperty=true
policy.ignoreIdentityScope=false

keystore.type=bcfks
keystore.type=BCFKS
keystore.type.compat=true

package.access=sun.misc.,\
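Review bot: The change from `securerandom.source=file:/dev/random` to `securerandom.source=file:/dev/urandom` alters the seed source of the SUN provider's NativePRNG in a file that pins the FIPS providers, and nothing in the file records why; someone auditing the image later is likely to read it as a weakening. A comment such as `# Seed source for the SUN provider's NativePRNG; /dev/urandom does not block at startup and on current Linux kernels is fed by the same CSPRNG as /dev/random.` would settle that. The `-BC` entry moving from `security.provider.11` to `security.provider.4` presumably keeps the provider list contiguous after the SUN entry; a short comment on the provider block stating the intended order and what the `-BC` line is for would make the block self-explanatory. The file path for this section is not visible on the page.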
24 changes: 4 additions & 20 deletions x-pack/distributions/internal/observabilitySRE/docker/Dockerfile
Expand Up @@ -6,15 +6,15 @@ FROM docker.elastic.co/wolfi/chainguard-base-fips:latest
RUN addgroup -g 1002 logstash && \
adduser -S -h /home/logstash -s /bin/bash -u 1002 -G logstash logstash

# Install OpenJDK 21
# Install
RUN apk add --no-cache \
openjdk-21 \
bash \
git \
curl \
make \
# CODEREVIEW: I think make, gcc and glibc-dev are all in build-base package if we want that
gcc \
java-cacerts \
Member Author

Reviewer note:

When building actual artifacts (not relying on first installing jdk) https://github.com/elastic/logstash/pull/17839/files#diff-9ecee4391e8c9d8f8f79230e3bf688cfe285f2452a70c070b8eb10868ab98cf9R121 we set up an explicit symlink.

In this Dockerfile, which sets up the testing environment, we don't need to, because the symlink is created when java-cacerts is installed:

bash-5.3# apk add --no-cache java-cacerts
fetch https://virtualapk.cgr.dev/6b3f08c31afeab18043305daebd64cf18e682273/sha256:e4c9ae0b40e5ed1cbc9385cc4fef0d20293ce84f1b3e38a4f205fcd0834b8a2e/chainguard/aarch64/APKINDEX.tar.gz
fetch https://virtualapk.cgr.dev/6b3f08c31afeab18043305daebd64cf18e682273/sha256:e4c9ae0b40e5ed1cbc9385cc4fef0d20293ce84f1b3e38a4f205fcd0834b8a2e/extra-packages/aarch64/APKINDEX.tar.gz
OK: 885 MiB in 91 packages
bash-5.3# ls -la $JAVA_HOME/lib/security/cacerts
lrwxrwxrwx    1 root     root            27 Jul 17 18:49 /usr/lib/jvm/java-21-openjdk/lib/security/cacerts -> /etc/ssl/certs/java/cacerts

glibc-dev \
openssl

Expand All @@ -24,9 +24,8 @@ RUN mkdir -p /etc/java/security && \
chown -R logstash:logstash /home/logstash/.gradle && \
chown -R logstash:logstash /etc/java/security

# Copy JVM configuration files: TODO manage these consistently
# Copy JVM configuration files:
COPY --chown=logstash:logstash x-pack/distributions/internal/observabilitySRE/config/security/java.security /etc/java/security/
COPY --chown=logstash:logstash x-pack/distributions/internal/observabilitySRE/config/security/java.policy /etc/java/security/

# Create and set ownership of working directory
WORKDIR /logstash
Expand All @@ -45,7 +44,7 @@ ENV PATH="${JAVA_HOME}/bin:${PATH}"
# Initial build using JKS truststore
RUN ./gradlew clean bootstrap assemble installDefaultGems -PfedrampHighMode=true

# Convert JKS to BCFKS for truststore and keystore
# Convert JKS to BCFKS for truststore
RUN keytool -importkeystore \
-srckeystore $JAVA_HOME/lib/security/cacerts \
-destkeystore /etc/java/security/cacerts.bcfks \
Expand All @@ -57,27 +56,12 @@ RUN keytool -importkeystore \
-srcstorepass changeit \
-noprompt

RUN keytool -importkeystore \
-srckeystore $JAVA_HOME/lib/security/cacerts \
-destkeystore /etc/java/security/keystore.bcfks \
-srcstoretype jks \
-deststoretype bcfks \
-providerpath /logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-deststorepass changeit \
-srcstorepass changeit \
-noprompt

ENV JAVA_SECURITY_PROPERTIES=/etc/java/security/java.security
ENV LS_JAVA_OPTS="\
-Dio.netty.ssl.provider=JDK \
# Enable debug logging for ensuring BCFIPS is being used if needed
# -Djava.security.debug=ssl,provider,certpath \
-Djava.security.properties=${JAVA_SECURITY_PROPERTIES} \
-Djavax.net.ssl.keyStore=/etc/java/security/keystore.bcfks \
-Djavax.net.ssl.keyStoreType=BCFKS \
-Djavax.net.ssl.keyStoreProvider=BCFIPS \
-Djavax.net.ssl.keyStorePassword=changeit \
-Djavax.net.ssl.trustStore=/etc/java/security/cacerts.bcfks \
-Djavax.net.ssl.trustStoreType=BCFKS \
-Djavax.net.ssl.trustStoreProvider=BCFIPS \
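Review bot: The comment above the `apk add --no-cache` block in the first hunk was shortened to `# Install`, which no longer says what is installed or why `java-cacerts` joined the list; since that package supplies the CA bundle the later keytool step converts to BCFKS, `# Install JDK 21, build tools, and java-cacerts (the system CA bundle, converted to BCFKS below)` documents both. The same applies to `# Copy JVM configuration files:` in the second hunk, which now ends in a dangling colon after the java.policy COPY was removed; `# Copy the JVM security properties file used by the FIPS build` fits the single COPY that remains. The remaining `ENV LS_JAVA_OPTS` block starts in the last hunk but continues past it, so its final form is not visible here.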