Dipesh Kumar Dutta created ZOOKEEPER-4393:
---------------------------------------------

             Summary: Problem to connect to zookeeper in FIPS mode
                 Key: ZOOKEEPER-4393
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
             Project: ZooKeeper
          Issue Type: Bug
            Reporter: Dipesh Kumar Dutta


In my environment ZooKeeper is running in FIPS mode as a 3-node cluster. My 
service is also running in FIPS mode with the security provider 
org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

And when I try to connect to ZooKeeper from my service I get the error 
below.
{code:java}
2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN  
io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to 
initialize a channel. Closing: [id: 0xa129ece9] -
org.apache.zookeeper.common.X509Exception$SSLContextException: 
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may 
be used
        at 
org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
        at 
org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
        at 
org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
{code}
The reason is that ZooKeeper has its own trust manager implementation, which is 
{code:java}
public class ZKTrustManager extends X509ExtendedTrustManager
{code}
and the JDK also provides a trust manager implementation, as below.
{code:java}
X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
{code}
Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the 
instanceof check below becomes false and hence it falls into the exception block.
{code:java}
// decompiled: var1 is the TrustManager[] passed to SSLContext.init(), var2 the loop index
if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
    throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
}
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
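The following is an added diagnostic, not ZooKeeper or JDK code, that lets you check on your own JVM which TrustManager objects the SunJSSE FIPS check quoted above would reject. It asks the PKIX TrustManagerFactory for its trust managers, wraps one in a delegating X509ExtendedTrustManager in the same way ZKTrustManager wraps the factory-provided one, and applies the equivalent of the `instanceof X509TrustManagerImpl` test to both. Because sun.security.ssl.X509TrustManagerImpl is an internal class, the check is done by class name rather than `instanceof`; the class names `FipsTrustManagerCheck` and `DelegatingTrustManager` and the method `acceptedInFipsMode` are assumptions for this example.

```java
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added diagnostic (not ZooKeeper or JDK code). Mirrors the shape of the
// SunJSSE FIPS-mode check in SSLContextImpl.chooseTrustManager() so you can
// see which TrustManager objects would be rejected when SunJSSE.isFIPS() is true.
public class FipsTrustManagerCheck {

    // Internal SunJSSE class the real check uses with instanceof. It is not
    // exported, so this example compares by class name instead.
    static final String SUN_IMPL = "sun.security.ssl.X509TrustManagerImpl";

    // Stand-in for ZKTrustManager: delegates every call to the factory-provided
    // trust manager. Any wrapper of this kind fails the instanceof test no
    // matter how trustworthy the object it delegates to is.
    static final class DelegatingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;

        DelegatingTrustManager(X509ExtendedTrustManager delegate) {
            this.delegate = delegate;
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkServerTrusted(chain, authType, socket); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkServerTrusted(chain, authType, engine); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkServerTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // Equivalent of "tm instanceof X509TrustManagerImpl": walk the class
    // hierarchy so a subclass of the JDK implementation would also pass.
    static boolean acceptedInFipsMode(TrustManager tm) {
        for (Class<?> c = tm.getClass(); c != null; c = c.getSuperclass()) {
            if (SUN_IMPL.equals(c.getName())) {
                return true;
            }
        }
        return false;
    }

    static void report(String label, TrustManager tm) {
        System.out.printf("%-17s %-45s accepted in FIPS mode: %s%n",
                label, tm.getClass().getName(), acceptedInFipsMode(tm));
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init((KeyStore) null); // null = the JVM's default trust store; enough for a diagnostic
        for (TrustManager tm : tmf.getTrustManagers()) {
            report("factory-provided", tm);
            if (tm instanceof X509ExtendedTrustManager) {
                report("wrapped", new DelegatingTrustManager((X509ExtendedTrustManager) tm));
            }
        }
    }
}
```

Run it with `java FipsTrustManagerCheck.java` on the JVM your service uses. With SunJSSE as the TLS provider the factory-provided object is expected to report as accepted and the wrapped one as rejected, which is the situation the stack trace above describes: ZooKeeper always hands SSLContext.init() a ZKTrustManager wrapper, so the wrapper, not the underlying PKIX trust manager, is what the FIPS check sees.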