Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2022/04/11 19:01:02 UTC
[GitHub] [cloudstack] rwdj opened a new issue, #6246: Cloudstack is not FIPS compliant
rwdj opened a new issue, #6246:
URL: https://github.com/apache/cloudstack/issues/6246
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
UI, more?
~~~
##### CLOUDSTACK VERSION
~~~
4.16
~~~
##### CONFIGURATION
##### OS / ENVIRONMENT
RHEL 8 FIPS compliant system
##### SUMMARY
Cloudstack uses multiple instances of non-FIPS-compliant features. This makes it impossible to work with in a FIPS compliant environment.
##### STEPS TO REPRODUCE
On a FIPS compliant system, build as instructed in https://docs.cloudstack.apache.org/en/latest/installguide/building_from_source.html:
~~~
$ mvn -P deps
~~~
On a FIPS compliant RHEL8 system, install and run cloudstack-management.service.
~~~
[root@rwdj ~]# systemctl stop firewalld nftables
[root@rwdj ~]# systemctl start iptables
[root@rwdj ~]# dnf install cloudstack-management mysql-connector-java
[root@rwdj ~]# cloudstack-setup-databases cloud:<omitted> --deploy-as=root:<omitted> -i 127.0.0.1
# See #6232 for why I do the next two steps
[root@rwdj ~]# chown :cloud /etc/cloudstack/management/key
[root@rwdj ~]# chmod 0640 /etc/cloudstack/management/key
[root@rwdj ~]# cloudstack-setup-management
~~~
##### EXPECTED RESULTS
~~~
Able to build or run cloudstack-management.
~~~
##### ACTUAL RESULTS
Build
~~~
$ mvn -P deps
[INFO] Running com.cloud.utils.testcase.NioTest
2022-04-11 13:55:28,671 INFO [utils.testcase.NioTest] (main:) Setting up Benchmark Test
2022-04-11 13:55:28,695 INFO [utils.nio.NioServer] (main:) NioServer started and listening on /0:0:0:0:0:0:0:0:41907
2022-04-11 13:55:28,714 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:28,720 INFO [utils.testcase.NioTest] (MaliciousNioClientHandler-2:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.nio.NioClient] (NioClientHandler-1:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.nio.NioClient] (NioClientHandler-2:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.testcase.NioTest] (MaliciousNioClientHandler-1:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:29,715 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:30,715 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:31,716 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:32,003 WARN [utils.nio.Link] (NioClientHandler-2:) Failed to load keystore, using trust all manager
2022-04-11 13:55:32,003 WARN [utils.nio.Link] (NioClientHandler-1:) Failed to load keystore, using trust all manager
2022-04-11 13:55:32,041 ERROR [utils.nio.Link] (NioTestServer-NioConnectionHandler-1:) CA service is not configured, by-passing CA manager to create SSL engine
2022-04-11 13:55:32,043 ERROR [utils.nio.NioConnection] (NioClientHandler-1:) Unable to initialize the threads.
java.io.IOException: Failed to initialise security
at com.cloud.utils.nio.NioClient.init(NioClient.java:82)
at com.cloud.utils.nio.NioConnection.start(NioConnection.java:95)
at com.cloud.utils.testcase.NioTest$ThreadedNioClient.run(NioTest.java:172)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
at java.base/sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:133)
at java.base/sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:95)
at java.base/javax.net.ssl.SSLContext.init(SSLContext.java:297)
... 9 more
[...]
[INFO] Running com.cloud.utils.rest.HttpClientHelperTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.116 s <<< FAILURE! - in com.cloud.utils.rest.HttpClientHelperTest
[ERROR] testCreateClient(com.cloud.utils.rest.HttpClientHelperTest) Time elapsed: 0.115 s <<< ERROR!
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
at com.cloud.utils.rest.HttpClientHelperTest.testCreateClient(HttpClientHelperTest.java:33)
[INFO] Running com.cloud.utils.rest.BasicRestClientTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.087 s <<< FAILURE! - in com.cloud.utils.rest.BasicRestClientTest
[ERROR] com.cloud.utils.rest.BasicRestClientTest Time elapsed: 0.087 s <<< ERROR!
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
at com.cloud.utils.rest.BasicRestClientTest.setupClass(BasicRestClientTest.java:62)
~~~
Run.
~~~
INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) (logid:) Loading module context [system] from URL [jar:file:/usr/share/cloudstack-management/lib/cloudstack-4.16.1.0.jar!/META-INF/cloudstack/bootstrap/spring-bootstrap-context-inheritable.xml]
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/usr/share/cloudstack-management/lib/cloudstack-4.16.1.0.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
INFO [c.c.u.d.T.Transaction] (main:null) (logid:) Is Data Base High Availiability enabled? Ans : false
WARN [c.c.u.d.T.Transaction] (main:null) (logid:) Unable to load db configuration, using defaults with 5 connections. Falling back on assumed datasource on localhost:3306 using username:password=cloud:cloud. Please check your configuration
org.jasypt.exceptions.EncryptionInitializationException: java.security.NoSuchAlgorithmException: PBEWithMD5AndDES SecretKeyFactory not available
at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.initialize(StandardPBEByteEncryptor.java:773)
at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.initialize(StandardPBEStringEncryptor.java:566)
at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:718)
at org.jasypt.properties.PropertyValueEncryptionUtils.decrypt(PropertyValueEncryptionUtils.java:72)
at org.jasypt.properties.EncryptableProperties.decode(EncryptableProperties.java:230)
at org.jasypt.properties.EncryptableProperties.getProperty(EncryptableProperties.java:172)
at com.cloud.utils.db.TransactionLegacy.initDataSource(TransactionLegacy.java:1034)
at com.cloud.utils.db.TransactionLegacy.<clinit>(TransactionLegacy.java:1008)
at com.cloud.utils.db.Merovingian2.<init>(Merovingian2.java:68)
at com.cloud.utils.db.Merovingian2.createLockController(Merovingian2.java:88)
at com.cloud.server.LockControllerListener.<init>(LockControllerListener.java:33)
... more
Caused by: com.mysql.cj.exceptions.SSLParamsException: Cannot open file:NONE [NONE (No such file or directory)]
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
... 90 more
Caused by: java.io.FileNotFoundException: NONE (No such file or directory)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
... 90 more
~~~
Upon checking, I found [utils/src/main/java/com/cloud/utils/crypt/DBEncryptionUtil.java#L81](https://github.com/apache/cloudstack/blob/4.16/utils/src/main/java/com/cloud/utils/crypt/DBEncryptionUtil.java#L81), where PBEWithMD5AndDES is not FIPS compliant. I'm concerned there are also other spots to check that I can't check because it doesn't build, which brings me to the extent of my knowledge.
FIPS compliance can be a stickler, because the core documentation isn't very clear from what I can find. I use FIPS compliant machines, but I don't configure them. Regarding PBEWithMD5AndDES, after a few searches, the clearest documentation on approved algorithms I could find was this (which is out of date with FIPS 140-3 existing, but probably still correct enough): https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2261.pdf
And additional resources that may prove useful:
https://github.com/jasypt/jasypt/blob/master/jasypt/src/main/java/org/jasypt/util/text/AES256TextEncryptor.java
https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html#cipher-algorithm-names
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
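A build-free way to look for the "other spots" the report mentions, as an added example that is not part of the original issue or of CloudStack: a shell audit that searches a source tree for the constructs behind the two errors above (`PBEWithMD5AndDES`, hand-written `X509TrustManager`s) plus MD5, DES and RC4 names. The pattern list, function names and sample files are constructed for illustration and are not a complete FIPS deny-list.

```sh
#!/bin/sh
# Added example, not CloudStack code: list source lines naming crypto that a
# FIPS-mode JVM refuses, seeded from the two errors quoted in this issue.

# "category|extended-regex" rows. Constructed starting list, not a complete
# FIPS deny-list; extend it as new failures show up.
FIPS_PATTERNS='pbe-md5-des|PBEWithMD5And(Triple)?DES
md5|"(Hmac)?MD5"|MD5with|md5Hex
des-or-rc4|"(DES|RC4|ARCFOUR)(/[^"]*)?"
custom-trustmanager|(implements|new) +X509(Extended)?TrustManager'

# fips_audit DIR: print "category<TAB>file:line:text" for every hit.
fips_audit() (
    dir=$1
    printf '%s\n' "$FIPS_PATTERNS" | while IFS= read -r row; do
        category=${row%%|*}   # text before the first "|"
        regex=${row#*|}       # everything after it (may itself contain "|")
        # find/grep exit non-zero on "no match"; that is not an audit error.
        { find "$dir" -type f \( -name '*.java' -o -name '*.properties' \) \
              -exec grep -nHE -e "$regex" {} + || true; } |
        while IFS= read -r hit; do
            printf '%s\t%s\n' "$category" "$hit"
        done
    done
)

# fips_count DIR CATEGORY: number of hits in one category.
fips_count() {
    fips_audit "$1" | awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# write_sample_tree DIR: constructed Java fragments mirroring the thread.
write_sample_tree() {
    mkdir -p "$1/src"
    cat > "$1/src/DbEncryptor.java" <<'EOF'
encryptor.setAlgorithm("PBEWithMD5AndDES"); // NoSuchAlgorithmException in FIPS mode
EOF
    cat > "$1/src/TrustAll.java" <<'EOF'
TrustManager[] tms = { new X509TrustManager() { /* trust-all fallback */ } };
MessageDigest md = MessageDigest.getInstance("MD5");
EOF
    cat > "$1/src/Approved.java" <<'EOF'
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest md = MessageDigest.getInstance("SHA-256");
EOF
}

# Audit the directory given as $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    fips_audit "$1"
else
    sample=$(mktemp -d) && write_sample_tree "$sample" && fips_audit "$sample"
    rm -rf "$sample"
fi
```

Each hit is a lead for review: a name match shows where an algorithm is referenced, not that the code path is reached at runtime.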
[GitHub] [cloudstack] rwdj commented on issue #6246: Cloudstack is not FIPS compliant
Posted by GitBox <gi...@apache.org>.
rwdj commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1096799241
@weizhouapache, no, #6232 is mostly unrelated.
/etc/cloudstack/management/db.properties isn't missing. Although I noticed those lines in the error as well. But it also doesn't compile.
~~~
[root@rwdj ~]# su - cloud -c 'ls -l /etc/cloudstack/management/db.properties'
-rw-r-----. 1 root cloud 3248 Apr 12 09:53 /etc/cloudstack/management/db.properties
~~~
It was generated appropriately from:
~~~
[root@rwdj ~]# cloudstack-setup-databases cloud:<omitted> --deploy-as=root:<omitted> -i 127.0.0.1
Mysql user name:cloud [ OK ]
Mysql user password:****** [ OK ]
Mysql server ip:localhost [ OK ]
Mysql server port:3306 [ OK ]
Mysql root user name:root [ OK ]
Mysql root user password:****** [ OK ]
Using specified cluster management server node IP 127.0.0.1 [ OK ]
Checking Cloud database files ... [ OK ]
Checking local machine hostname ... [ OK ]
Checking SELinux setup ... [ OK ]
Preparing /etc/cloudstack/management/db.properties [ OK ]
Applying /usr/share/cloudstack-management/setup/create-database.sql [ OK ]
Applying /usr/share/cloudstack-management/setup/create-schema.sql [ OK ]
Applying /usr/share/cloudstack-management/setup/create-database-premium.sql [ OK ]
Applying /usr/share/cloudstack-management/setup/create-schema-premium.sql [ OK ]
Applying /usr/share/cloudstack-management/setup/server-setup.sql [ OK ]
Applying /usr/share/cloudstack-management/setup/templates.sql [ OK ]
Processing encryption ... [ OK ]
Finalizing setup ... [ OK ]
~~~
[GitHub] [cloudstack] rwdj commented on issue #6246: Cloudstack is not FIPS compliant
Posted by GitBox <gi...@apache.org>.
rwdj commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1096836700
A general rule of thumb: if the word "MD5" is ever mentioned at any point, then you'll run into a FIPS issue. FIPS machines aren't able to use MD5 at all. Based on the stacktrace, Java looks to me like it's trying to find files relating to MD5 and they aren't found because Java is running in FIPS-mode. The missing file NONE should be the mentioned "SecretKeyFactory" for PBEWithMD5AndDES, but I'm unaware of the technical details of Java's cipher algorithms.
~~~
[rwdj@rwdj ~]$ openssl md5
Error setting digest
140235974117184:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
~~~
And then there's the issue where it won't compile, flat out refusing on the tests due to FIPS being enabled.
FIPS is a Category 1 (almost no exceptions given) specification of DISA's [Security Technical Implementation Guides](https://public.cyber.mil/stigs/): https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/finding/V-230223
Re: [I] Cloudstack is not FIPS compliant [cloudstack]
Posted by "weizhouapache (via GitHub)" <gi...@apache.org>.
weizhouapache commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1928942152
> @rohityadavcloud, do you know when FIPS changes are coming?
@sonipl
In the past releases, we have implemented a lot of security improvements.
For backwards compatibility, some insecure algorithms are still supported (but not default).
If possible, can you check and share a list of non-FIPS-compliant code/features in CloudStack? cc @rwdj @sonipl
Re: [I] Cloudstack is not FIPS compliant [cloudstack]
Posted by "sonipl (via GitHub)" <gi...@apache.org>.
sonipl commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1928852778
@rohityadavcloud, do you know when FIPS changes are coming?
[GitHub] [cloudstack] rwdj commented on issue #6246: Cloudstack is not FIPS compliant
Posted by GitBox <gi...@apache.org>.
rwdj commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1098155992
Regarding additional steps, it would be most of the [Red Hat Enterprise Linux 8 Security Technical Implementation Guide](https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-12-03/), but that's _probably_ too much. Checking full STIG compliance for a system takes way too long for this purpose.
The document https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening describes enabling FIPS. In general, it's just making sure the system has fips=1 in the kernel parameters during installation/initialization. And then you can use `fips-mode-setup --check` to verify it worked (which is not the same way it was done in RHEL7, by the way).
Alternatively, an existing system can be made FIPS compliant as described [here](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies), but it's not recommended by Red Hat. I believe there are a number of things done during initialization that are less complex to do during initialization, but that's only my guess.
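The checks described in the comment above, as an added example that is not part of the thread: a preflight script that compares the kernel FIPS flag, the `fips=1` boot parameter and the system-wide crypto policy, and repeats the `openssl md5` probe shown elsewhere in this issue. The `ROOT` prefix argument and the function names are assumptions of this example; the paths are the standard RHEL 8 locations.

```sh
#!/bin/sh
# Added example, not from the thread: preflight check that a RHEL 8 host is
# consistently in FIPS mode before installing cloudstack-management.

# fips_state [ROOT] prints enabled | disabled | inconsistent.
# ROOT is an assumption of this example: a path prefix for a mounted image or
# a constructed test tree. Empty means the live system.
fips_state() (
    root=${1:-}
    # Kernel flag: 1 when the running kernel is in FIPS mode.
    k=$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null || echo 0)
    # Boot parameter: fips=1 on the kernel command line.
    b=0
    case " $(cat "$root/proc/cmdline" 2>/dev/null) " in
        *" fips=1 "*) b=1 ;;
    esac
    # System-wide crypto policy; "-" when the host has no crypto-policies.
    p=-
    cfg=$root/etc/crypto-policies/config
    if [ -r "$cfg" ]; then
        # Drop comments and blank lines, keep the policy keyword.
        case $(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$cfg" | head -n 1) in
            FIPS|FIPS:*) p=1 ;;
            *) p=0 ;;
        esac
    fi
    case "$k$b$p" in
        111|11-) echo enabled ;;
        000|00-) echo disabled ;;
        *) echo inconsistent ;;   # signals disagree, e.g. policy set without fips=1
    esac
)

# md5_probe prints blocked | allowed | no-openssl. It runs the same
# `openssl md5` call quoted in this issue as a functional cross-check.
md5_probe() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    if openssl md5 </dev/null >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# Report for the live system.
printf 'fips_state=%s md5=%s\n' "$(fips_state)" "$(md5_probe)"
```

On a host where `fips_state` reports `enabled`, `md5_probe` is expected to report `blocked`; any other combination is worth resolving before deploying.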
[GitHub] [cloudstack] rohityadavcloud commented on issue #6246: Cloudstack is not FIPS compliant
Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1097693033
Thanks for reporting @rwdj, can you advise how to set up a FIPS compliant EL8 mgmt/KVM host? That is, what additional steps were taken before you deployed CloudStack on it, maybe there's a common document that describes this process?
Re: [I] Cloudstack is not FIPS compliant [cloudstack]
Posted by "weizhouapache (via GitHub)" <gi...@apache.org>.
weizhouapache commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1935862727
#7003
New encryptor based on AesGcmJce, which replaced PBEWithMD5AndDES (which is not FIPS-compliant)
#8549
Use ed25519 instead of RSA when generating public/private keys
[GitHub] [cloudstack] rwdj commented on issue #6246: Cloudstack is not FIPS compliant
Posted by GitBox <gi...@apache.org>.
rwdj commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1098224355
Alternatively, here's documentation for an Ubuntu FIPS environment: https://ubuntu.com/security/certifications/docs/fips-enablement
[GitHub] [cloudstack] weizhouapache commented on issue #6246: Cloudstack is not FIPS compliant
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1096314776
@rwdj
Is this an update of #6232?
It looks like the db configuration file `/etc/cloudstack/management/db.properties` is missing.
[GitHub] [cloudstack] rwdj commented on issue #6246: Cloudstack is not FIPS compliant
Posted by GitBox <gi...@apache.org>.
rwdj commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-1126795144
See this page on automated DISA STIG full compliance (including FIPS): https://ubuntu.com/security/disa-stig
Re: [I] Cloudstack is not FIPS compliant [cloudstack]
Posted by "rwdj (via GitHub)" <gi...@apache.org>.
rwdj commented on issue #6246:
URL: https://github.com/apache/cloudstack/issues/6246#issuecomment-2054107409
#7003 sounds nice.
#8719 addresses what I was about to mention about #8549.
I'll set up a couple of fresh FIPS-compliant RHEL machines and see what shakes out. Thanks for the hard work!