Dipesh Kumar Dutta created ZOOKEEPER-4393:
---------------------------------------------
Summary: Problem to connect to zookeeper in FIPS mode
Key: ZOOKEEPER-4393
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
Project: ZooKeeper
Issue Type: Bug
Reporter: Dipesh Kumar Dutta
In my environment ZooKeeper is running in FIPS mode as a 3-node cluster. My
service is also running in FIPS mode with the security provider
org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.
When I try to connect to ZooKeeper from my service, I get the error below.
{code:java}
2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] - org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
	at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
	at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
	at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
{code}
The reason is that ZooKeeper has its own trust manager implementation:
{code:java}
public class ZKTrustManager extends X509ExtendedTrustManager
{code}
and the JDK also provides a trust manager implementation, as below.
{code:java}
X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
{code}
Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the
instanceof check below becomes false, and hence it falls into the exception block.
{code:java}
if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
    throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
}
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)