Hello Dev,
Not sure if you would be able to help me, but I wanted to provide an update
on the effort to try to run NiFi in FIPS Mode using bouncycastle:
1. I installed the bouncycastle jar files in ./lib, and I can see them
load in bootstrap.conf
2. I modified java.security and java.policy for bouncycastle related
configuration changes (like adding the bouncycastle providers, and more)
3. My keystore and truststore for NiFi are converted to BCFKS, and I
can open them using keytool with specifying the provider info, password, etc
4. I have converted the default cacerts truststore from JKS to BCFKS
(which resolved the NiFi error "o.b.jsse.provider.DefaultSSLContextSpi
Failed to load default trust managers java.io.IOException: DER length more
than 4 bytes: 109"), and I have verified I can open it with keytool with
specifying the needed info (provider, pwd, etc)
5. But now starting NiFi, I get the error:
"o.b.jsse.provider.DefaultSSLContextSpi Failed to load default trust
managers java.io.IOException: BCFKS KeyStore corrupted: MAC calculation
failed" (full error at the bottom of the email).
a. One note: when using keytool, this is the exact same error I get for
BCFKS stores if I get the password for the store wrong, or I don't include
it and it is required for the store.
b. I have verified that cacerts is BCFKS, and that its password is
"changeit".
c. Just to see if it would work, I have changed cacerts to the same
password as my NiFi keystore/truststore (same error).
Please help if you would like, any help is much appreciated!
2024-07-20 12:04:23,897 WARN [main] o.b.jsse.provider.DefaultSSLContextSpi Failed to load default trust managers
java.io.IOException: BCFKS KeyStore corrupted: MAC calculation failed.
    at org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.verifyMac(Unknown Source)
    at org.bouncycastle.jcajce.provider.ProvBCFKS$BCFIPSKeyStoreSpi.engineLoad(Unknown Source)
    at java.base/java.security.KeyStore.load(KeyStore.java:1500)
    at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.getDefaultTrustStore(ProvTrustManagerFactorySpi.java:112)
    at org.bouncycastle.jsse.provider.ProvSSLContextSpi.getDefaultTrustManagers(ProvSSLContextSpi.java:545)
    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers.<clinit>(DefaultSSLContextSpi.java:65)
    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:113)
    at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$8.createInstance(BouncyCastleJsseProvider.java:223)
    at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:407)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:185)
    at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)
    at org.apache.nifi.security.util.TlsPlatform.getDefaultSslContext(TlsPlatform.java:102)
    at org.apache.nifi.security.util.TlsPlatform.getDefaultSslContextProtocols(TlsPlatform.java:83)
    at org.apache.nifi.security.util.TlsPlatform.<clinit>(TlsPlatform.java:45)
    at org.apache.nifi.web.server.connector.FrameworkServerConnectorFactory.<init>(FrameworkServerConnectorFactory.java:81)
    at org.apache.nifi.web.server.JettyServer.configureConnectors(JettyServer.java:684)
    at org.apache.nifi.web.server.JettyServer.init(JettyServer.java:210)
    at org.apache.nifi.web.server.JettyServer.initialize(JettyServer.java:1006)
    at org.apache.nifi.NiFi.<init>(NiFi.java:164)
    at org.apache.nifi.NiFi.<init>(NiFi.java:83)
    at org.apache.nifi.NiFi.main(NiFi.java:332)
2024-07-20 12:04:23,900 ERROR [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.lang.ExceptionInInitializerError: null
    at org.apache.nifi.web.server.connector.FrameworkServerConnectorFactory.<init>(FrameworkServerConnectorFactory.java:81)
    at org.apache.nifi.web.server.JettyServer.configureConnectors(JettyServer.java:684)
    at org.apache.nifi.web.server.JettyServer.init(JettyServer.java:210)
    at org.apache.nifi.web.server.JettyServer.initialize(JettyServer.java:1006)
    at org.apache.nifi.NiFi.<init>(NiFi.java:164)
    at org.apache.nifi.NiFi.<init>(NiFi.java:83)
    at org.apache.nifi.NiFi.main(NiFi.java:332)
Caused by: java.lang.RuntimeException: SSLContext.getDefault() Failed
    at org.apache.nifi.security.util.TlsPlatform.getDefaultSslContext(TlsPlatform.java:104)
    at org.apache.nifi.security.util.TlsPlatform.getDefaultSslContextProtocols(TlsPlatform.java:83)
    at org.apache.nifi.security.util.TlsPlatform.<clinit>(TlsPlatform.java:45)
    ... 7 common frames omitted
Caused by: java.security.NoSuchAlgorithmException: Unable to invoke creator for DEFAULT: Default key/trust managers unavailable
    at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:422)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:185)
    at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)
    at org.apache.nifi.security.util.TlsPlatform.getDefaultSslContext(TlsPlatform.java:102)
    ... 9 common frames omitted
Caused by: java.security.KeyManagementException: Default key/trust managers unavailable
    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:115)
    at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$8.createInstance(BouncyCastleJsseProvider.java:223)
    at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:407)
    ... 14 common frames omitted
Caused by: java.security.KeyManagementException: BCFKS KeyStore corrupted: MAC calculation failed.
    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.avoidCapturingException(DefaultSSLContextSpi.java:20)
    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.access$200(DefaultSSLContextSpi.java:13)
    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers.<clinit>(DefaultSSLContextSpi.java:88)
    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:113)
    ... 16 common frames omitted
Respectfully,
Will Mallett | ProVisus Solutions, LLC
office: 757-410-8820
[email protected]
From: William Mallett
Sent: Thursday, July 18, 2024 7:32 PM
To: [email protected]
Subject: NiFi 2.0.0-M4 RHEL 9 FIPS mode
Hello Dev,
In the last 3 weeks, I have successfully set up NiFi on Non-FIPS RHEL 9 with
keystore/truststore using both PKCS12 and BCFKS, LDAPS to an Active
Directory Server, and using S2S with another instance as well.
Now I'm loading a third (standalone) node to get NiFi running in RHEL 9 FIPS
mode (installed in FIPS, not converted). I grabbed the M4 NiFi package
(can't wait to see dark mode). Originally I thought BCFKS would work using
the bcprov-jdk18on-1.78.1.jar like it did for me in M3 in Non-FIPS mode.
But upon NiFi start I received the error in nifi-app.log:
"Caused by: java.security.KeyStoreException: BCFKS not found
    at java.base/java.security.KeyStore.getInstance(KeyStore.java:873)
    at org.apache.nifi.security.ssl.StandardKeyStoreBuilder.getKeyStore(StandardKeyStoreBuilder.java:108)
    ... 9 common frames omitted
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available"
My thought is that bcprov-jdk18on-1.78.1.jar isn't the bouncycastle Java
FIPS jar, and so maybe RHEL 9 FIPS mode will not allow it to load? And if it
did, I'm not sure if it would be FIPS compliant.
I have downloaded the bouncycastle Java FIPS bc-fips-1.0.2.4.jar,
bcpkix-fips-1.0.7.jar, and bctls-fips-1.0.19.jar. I was thinking somehow
these might be able to be used, but I'm not sure how I would get NiFi to use
them.
Although I'm a seasoned systems integrator, I'm fairly green on RHEL, very
green on Java, and have only used NiFi for a few weeks. I was hoping to get
your expertise on next steps. Many thanks for any assistance you might be
able to provide!
Respectfully,
Will Mallett | ProVisus Solutions, LLC
office: 757-410-8820
[email protected]
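The two failures in this thread ("BCFKS KeyStore not available" in the first message, "BCFKS KeyStore corrupted: MAC calculation failed" for the default trust store in the follow-up) can both be reproduced outside NiFi with a short standalone check. The program below is an added example, not NiFi or Bouncy Castle code. It assumes the default trust store is resolved the way the JDK's own JSSE does it, from the javax.net.ssl.trustStore, javax.net.ssl.trustStoreType and javax.net.ssl.trustStorePassword system properties with a fallback to $JAVA_HOME/lib/security/jssecacerts and then cacerts; whether the Bouncy Castle JSSE consults exactly the same set is an assumption here. Run it with the same java.security, classpath and -D settings as the NiFi JVM so the provider list and trust store resolution match.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;

/**
 * Added diagnostic (not NiFi or Bouncy Castle code). It answers three questions
 * the thread raises, in order:
 *   1. Is the BCFIPS provider registered in this JVM at all?
 *   2. Which registered provider, if any, serves the BCFKS KeyStore type?
 *      (The non-FIPS bcprov jar is not the FIPS provider; with only that jar
 *      present the answer is "none", which surfaces as "BCFKS not found".)
 *   3. Does the trust store the JVM would pick by default open with the
 *      password the JVM would hand it? A null password is what is passed when
 *      javax.net.ssl.trustStorePassword is unset; the thread reports that
 *      BCFKS rejects that as "MAC calculation failed", where JKS and PKCS12
 *      simply skip the integrity check.
 *
 * Assumption: default trust store resolution mirrors the JDK's own JSSE lookup.
 */
public class BcfksTrustStoreCheck {

    enum Result { OK, TYPE_UNAVAILABLE, MAC_OR_PASSWORD_FAILURE, FILE_MISSING, OTHER_ERROR }

    /** Name of the first registered provider offering this KeyStore type, or null. */
    static String providerFor(String type) {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", type) != null) {
                return p.getName();
            }
        }
        return null;
    }

    /** Mirrors the JDK's default trust store lookup (assumption, see class comment). */
    static Path defaultTrustStorePath() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) {
            return Paths.get(configured);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** Opens the store through normal provider lookup, with the password as given (possibly null). */
    static Result checkTrustStore(Path path, String type, char[] password) {
        if (providerFor(type) == null) {
            return Result.TYPE_UNAVAILABLE;
        }
        if (!Files.exists(path)) {
            return Result.FILE_MISSING;
        }
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return Result.OK;
        } catch (IOException e) {
            // Bouncy Castle reports a wrong or missing BCFKS password as
            // "BCFKS KeyStore corrupted: MAC calculation failed." (IOException).
            String msg = String.valueOf(e.getMessage());
            return msg.contains("MAC") ? Result.MAC_OR_PASSWORD_FAILURE : Result.OTHER_ERROR;
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            return Result.OTHER_ERROR;
        }
    }

    public static void main(String[] args) {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] password = pw == null ? null : pw.toCharArray();
        Path path = defaultTrustStorePath();

        System.out.printf("BCFIPS provider registered : %s%n", Security.getProvider("BCFIPS") != null);
        System.out.printf("provider serving BCFKS     : %s%n", providerFor("BCFKS"));
        System.out.printf("default trust store        : %s (type=%s, password %s)%n",
                path, type, pw == null ? "not set" : "set");
        System.out.printf("load result                : %s%n", checkTrustStore(path, type, password));
    }
}
```

Reading the output against the thread: TYPE_UNAVAILABLE with "provider serving BCFKS: null" is the first message's situation (only the non-FIPS jar is visible to the JVM); MAC_OR_PASSWORD_FAILURE with "password not set" while the converted cacerts is BCFKS is the follow-up's situation, since the default trust store is being opened without the "changeit" password that a BCFKS MAC check needs. The check only reads the store and changes no configuration, so it is safe to run against the live JVM settings.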