When running the encrypt command on a Red Hat 8 OS with FIPS enabled, the default secure random algorithm SHA1PRNG is unavailable.
Version Info:
- ActiveMQ 5.18.3
- Red Hat Enterprise Linux 8.6
- Java openjdk version "17.0.9"
- Jasypt 1.9.3

The org.apache.activemq.console.command.EncryptCommand has logic to use the org.jasypt.iv.RandomIvGenerator, which defaults the java.security.SecureRandom algorithm to "SHA1PRNG". This algorithm is unavailable with FIPS mode enabled in the operating system. The RandomIvGenerator will allow an algorithm to be specified in the constructor; however, the logic in the EncryptCommand does not supply that algorithm and seemingly does not provide any other means of supplying the algorithm, so the following error will occur and the encrypt command will fail:

"Exception org.jasypt.exceptions.EncryptionInitializationException: java.security.NoSuchAlgorithmException: SHA1PRNG SecureRandom not available"

In addition, the RandomIvGenerator uses the org.jasypt.salt.RandomSaltGenerator, which also uses a hard-coded DEFAULT_SECURE_RANDOM_ALGORITHM = "SHA1PRNG";

It may be possible to change the jasypt code to use the default SecureRandom algorithm provided by the JVM instead of the current default; however, the following code modifications will use the "PKCS11" algorithm in the Encrypt command and will allow password encryption in FIPS mode. Source modifications demonstrate the issue and are applied to https://github.com/apache/activemq/blob/main/activemq-console/src/main/java/org/apache/activemq/console/command/EncryptCommand.java#L74:

    // Ask the JVM for its default SecureRandom and reuse that algorithm name
    // for both generators instead of Jasypt's hard-coded "SHA1PRNG".
    SecureRandom defaultRandom = new SecureRandom();
    encryptor.setIvGenerator(new RandomIvGenerator(defaultRandom.getAlgorithm()));
    encryptor.setSaltGenerator(new RandomSaltGenerator(defaultRandom.getAlgorithm()));

Also note that the above-mentioned issue will prevent decrypting passwords.

Thank you for any assistance,
John Prillaman

Disclaimer: The information contained in this communication from john.prilla...@ultra-ats.com sent at 2023-12-05 19:42:30 is confidential and may be legally privileged.
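The following stand-alone program, added here as an illustration and not part of the report or of ActiveMQ's own code, shows the proposed change in isolation: it first checks whether "SHA1PRNG" can be obtained at all on the running JVM, then builds a Jasypt encryptor whose IV and salt generators use whatever SecureRandom algorithm the JVM selects by default, and verifies an encrypt/decrypt round trip. The PBE algorithm name and the sample passwords are assumptions, not values taken from the report.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.salt.RandomSaltGenerator;

/**
 * Builds a Jasypt PBE encryptor whose IV and salt generators use the JVM's
 * default SecureRandom algorithm instead of Jasypt's hard-coded "SHA1PRNG",
 * so the same code works whether or not the OS runs in FIPS mode.
 */
public final class FipsSafeEncryptorDemo {

    // Assumption: an AES-based PBE algorithm that needs an IV. The report above
    // does not state which algorithm the ActiveMQ command uses by default.
    static final String PBE_ALGORITHM = "PBEWITHHMACSHA256ANDAES_256";

    /** Reports whether the legacy "SHA1PRNG" SecureRandom exists on this JVM. */
    static boolean sha1PrngAvailable() {
        try {
            SecureRandom.getInstance("SHA1PRNG");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;   // the failure mode described in the report (FIPS mode)
        }
    }

    /** Mirrors the proposed EncryptCommand change: reuse the JVM's preferred RNG. */
    static StandardPBEStringEncryptor buildEncryptor(String masterPassword) {
        String rngAlgorithm = new SecureRandom().getAlgorithm(); // e.g. "NativePRNG" or "PKCS11"
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setAlgorithm(PBE_ALGORITHM);
        encryptor.setPassword(masterPassword);
        encryptor.setIvGenerator(new RandomIvGenerator(rngAlgorithm));
        encryptor.setSaltGenerator(new RandomSaltGenerator(rngAlgorithm));
        return encryptor;
    }

    public static void main(String[] args) {
        System.out.println("SHA1PRNG available: " + sha1PrngAvailable());
        System.out.println("Default SecureRandom: " + new SecureRandom().getAlgorithm());

        // Constructed sample values; a real deployment reads the master password from its own config.
        String master = args.length > 0 ? args[0] : "constructed-master-password";
        String cipherText = buildEncryptor(master).encrypt("constructed-broker-password");
        String roundTrip = buildEncryptor(master).decrypt(cipherText); // salt and IV travel inside cipherText
        System.out.println("ENC(" + cipherText + ")");
        System.out.println("round trip ok: " + "constructed-broker-password".equals(roundTrip));
    }
}
```

Run it once on a non-FIPS host and once on the FIPS-enabled RHEL 8 host: the first line shows whether "SHA1PRNG" is missing, and the round trip confirms that the generator change alone is enough for the encryptor to work there.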