Andor Molnar created ZOOKEEPER-5045:
---------------------------------------

             Summary: Unable to start in FIPS mode if Java common truststore is not specified
                 Key: ZOOKEEPER-5045
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5045
             Project: ZooKeeper
          Issue Type: Bug
          Components: server
            Reporter: Andor Molnar


ZooKeeper is unable to start in a FIPS environment if the Java common truststore parameters are not specified.

The error message:
{noformat}
java.io.IOException: BCFKS KeyStore corrupted: MAC calculation failed.
        at com.safelogic.cryptocomply.fips.core/com.safelogic.cryptocomply.jcajce.provider.ProvBCFKS$CCJKeyStoreSpi.verifyMac(Unknown Source)
        at com.safelogic.cryptocomply.fips.core/com.safelogic.cryptocomply.jcajce.provider.ProvBCFKS$CCJKeyStoreSpi.engineLoad(Unknown Source)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        at bctls/org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.getDefaultTrustStore(ProvTrustManagerFactorySpi.java:112)
        at bctls/org.bouncycastle.jsse.provider.ProvSSLContextSpi.getDefaultTrustManagers(ProvSSLContextSpi.java:554)
        at bctls/org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers.<clinit>(DefaultSSLContextSpi.java:65)
        at bctls/org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:113)
        at bctls/org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$8.createInstance(BouncyCastleJsseProvider.java:223)
        at bctls/org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:407)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
        at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:185)
        at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)
        at org.apache.zookeeper.common.X509Util.defaultTlsProtocol(X509Util.java:96)
        at org.apache.zookeeper.common.X509Util.<clinit>(X509Util.java:86)
        at org.apache.zookeeper.server.quorum.QuorumPeerConfig.configureSSLAuth(QuorumPeerConfig.java:504)
        at org.apache.zookeeper.server.quorum.QuorumPeerConfig.parseProperties(QuorumPeerConfig.java:456)
        at org.apache.zookeeper.server.quorum.QuorumPeerConfig.parse(QuorumPeerConfig.java:194)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:125)
        at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:91)
{noformat}

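The trace above fails inside `KeyStore.load` while `SSLContext.getDefault()` resolves the JVM-wide default truststore. The following preflight check is an added example, not ZooKeeper code or part of the original report. It assumes that "Java common truststore parameters" refers to the standard `javax.net.ssl.trustStore`, `javax.net.ssl.trustStoreType` and `javax.net.ssl.trustStorePassword` system properties; the class name `DefaultTrustStorePreflight` is hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

// Added example: verifies that the JVM-wide default truststore settings
// point at a store that loads with the configured type and password.
public class DefaultTrustStorePreflight {

    // Returns null when the store loads, otherwise a description of the problem.
    static String check(String path, String type, String password) {
        if (path == null || path.isEmpty()) {
            return "javax.net.ssl.trustStore is not set; "
                 + "the JSSE provider will pick its own default store";
        }
        Path file = Paths.get(path);
        if (!Files.isReadable(file)) {
            return "truststore not readable: " + file;
        }
        // Fall back to KeyStore.getDefaultType() (keystore.type in
        // java.security) when no explicit type is given.
        String effectiveType =
            (type == null || type.isEmpty()) ? KeyStore.getDefaultType() : type;
        char[] pw = (password == null) ? null : password.toCharArray();
        try (InputStream in = Files.newInputStream(file)) {
            KeyStore ks = KeyStore.getInstance(effectiveType);
            ks.load(in, pw); // integrity (MAC) failures surface here as IOException
            return null;
        } catch (Exception e) {
            return "cannot load " + file + " as " + effectiveType + ": " + e;
        }
    }

    public static void main(String[] args) {
        String problem = check(
            System.getProperty("javax.net.ssl.trustStore"),
            System.getProperty("javax.net.ssl.trustStoreType"),
            System.getProperty("javax.net.ssl.trustStorePassword"));
        if (problem != null) {
            System.err.println("FAIL: " + problem);
            System.exit(1);
        }
        System.out.println("OK: default truststore loads with the configured settings");
    }
}
```

Run it with the same JVM, security provider configuration and `-D` options as the ZooKeeper server so that the same keystore implementation handles the load.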