Dipesh Kumar Dutta created ZOOKEEPER-4393:
---------------------------------------------

Summary: Problem to connect to zookeeper in FIPS mode
Key: ZOOKEEPER-4393
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
Project: ZooKeeper
Issue Type: Bug
Reporter: Dipesh Kumar Dutta

In my environment ZooKeeper is running in FIPS mode as a 3-node cluster. My service is also running in FIPS mode with the security provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, and from my service, when I am trying to connect to ZooKeeper, I am getting the below error.

{code:java}
2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] - org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
	at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
	at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
	at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
{code}

The reason is that ZooKeeper has its own trust manager implementation, which is

{code:java}
public class ZKTrustManager extends X509ExtendedTrustManager
{code}

and the JDK also provides a trust manager implementation, as below.

{code:java}
X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
{code}

Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the instanceof check below becomes false and hence it falls into the exception block.

{code:java}
if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
    throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
}
{code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
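As an added illustration (not code from the report or from ZooKeeper), a start-up check that applies the same rule the quoted chooseTrustManager() code enforces: it flags every trust manager whose class is not the JDK's own X509TrustManagerImpl, so a wrapping manager like ZKTrustManager is reported before SSLContext.init() throws. Assumed: the implementation class is sun.security.ssl.X509TrustManagerImpl (the report gives only the simple name), and DelegatingTrustManager is a constructed stand-in for ZKTrustManager.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

public final class FipsTrustManagerCheck {
    // Assumed fully qualified name of the JDK-internal class the FIPS check tests with instanceof;
    // application code cannot reference it directly, so the class name is compared instead.
    static final String SUNJSSE_TRUST_MANAGER = "sun.security.ssl.X509TrustManagerImpl";

    /** Class names of the trust managers that SunJSSE in FIPS mode would reject. */
    public static List<String> rejectedInFips(TrustManager[] tms) {
        List<String> rejected = new ArrayList<>();
        for (TrustManager tm : tms) {
            // Subclasses and wrappers (e.g. ZKTrustManager) are a different class, so they fail.
            if (!SUNJSSE_TRUST_MANAGER.equals(tm.getClass().getName())) {
                rejected.add(tm.getClass().getName());
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // The JDK's default factory hands back its own X509TrustManagerImpl: accepted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        TrustManager[] jdkTms = tmf.getTrustManagers();
        // A delegating wrapper in the style of ZKTrustManager (constructed for this example):
        // it extends X509ExtendedTrustManager but is not an X509TrustManagerImpl, so it is rejected.
        TrustManager[] wrapped = { new DelegatingTrustManager((X509ExtendedTrustManager) jdkTms[0]) };
        System.out.println("rejected among JDK trust managers: " + rejectedInFips(jdkTms));
        System.out.println("rejected among wrapped trust managers: " + rejectedInFips(wrapped));
    }
}

// Constructed stand-in for ZKTrustManager: forwards every call to the JDK trust manager it wraps.
final class DelegatingTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager d;
    DelegatingTrustManager(X509ExtendedTrustManager d) { this.d = d; }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { d.checkClientTrusted(c, a); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { d.checkServerTrusted(c, a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { d.checkClientTrusted(c, a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { d.checkServerTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { d.checkClientTrusted(c, a, e); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { d.checkServerTrusted(c, a, e); }
    @Override public X509Certificate[] getAcceptedIssuers() { return d.getAcceptedIssuers(); }
}
```

On a JVM whose default TrustManagerFactory is SunJSSE, the first list is empty and the second names DelegatingTrustManager; with a different JSSE provider installed, the first list is non-empty as well, which is the situation the report describes.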