You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@zookeeper.apache.org by "Nilendra Jain (Jira)" <ji...@apache.org> on 2022/01/20 09:43:00 UTC

[jira] [Commented] (ZOOKEEPER-4393) Problem to connect to zookeeper in FIPS mode

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479220#comment-17479220 ] 

Nilendra Jain commented on ZOOKEEPER-4393:
------------------------------------------

Hi,

 

Any updates on this issue. Even I am facing the same issue while using bc-fips jar in FIPS mode with Kafka and zookeeper. 

 

Please let me know, if there is a workaround available for this issue.

> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
>                 Key: ZOOKEEPER-4393
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.6.3
>            Reporter: Dipesh Kumar Dutta
>            Priority: Major
>
> In my environment zookeeper is running in fips mode of 3 node cluster. My service is also running in fips mode with security provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> And from the my service when I am trying to connect to zookeeper I am getting the below error.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN  io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] -
> org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
> 	at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
> 	at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
> 	at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is the zookeeper has its own trust manager implementation which is 
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and jdk also provide a trust manager implementation as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
> {code}
> Because of this hierarchy in SSLContextImpl::chooseTrustManager() method the below instance check become false and hence it falls to the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
>     throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
> }
> {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)