Posted to issues@zookeeper.apache.org by "Nilendra Jain (Jira)" <ji...@apache.org> on 2022/01/20 09:43:00 UTC
[jira] [Commented] (ZOOKEEPER-4393) Problem to connect to zookeeper in FIPS mode
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479220#comment-17479220 ]
Nilendra Jain commented on ZOOKEEPER-4393:
------------------------------------------
Hi,
Any updates on this issue? I am also facing the same issue while using the bc-fips jar in FIPS mode with Kafka and ZooKeeper.
Please let me know if there is a workaround available for this issue.
> Problem to connect to zookeeper in FIPS mode
> --------------------------------------------
>
> Key: ZOOKEEPER-4393
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4393
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Affects Versions: 3.6.3
> Reporter: Dipesh Kumar Dutta
> Priority: Major
>
> In my environment ZooKeeper is running in FIPS mode as a 3-node cluster. My service is also running in FIPS mode with the security provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.
> And from my service, when I try to connect to ZooKeeper, I get the error below.
> {code:java}
> 2021-10-06 17:14:52,645 [nioEventLoopGroup-5-1] WARN io.netty.channel.ChannelInitializer - opc.request.id=none - Failed to initialize a channel. Closing: [id: 0xa129ece9] -
> org.apache.zookeeper.common.X509Exception$SSLContextException: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
> at org.apache.zookeeper.common.X509Util.createSSLContextAndOptionsFromConfig(X509Util.java:386)
> at org.apache.zookeeper.common.X509Util.createSSLContextAndOptions(X509Util.java:328)
> at org.apache.zookeeper.common.X509Util.createSSLContext(X509Util.java:256)
> {code}
> The reason is that ZooKeeper has its own trust manager implementation, which is
> {code:java}
> public class ZKTrustManager extends X509ExtendedTrustManager
> {code}
> and the JDK also provides a trust manager implementation, as below.
> {code:java}
> X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager
> {code}
> Because of this hierarchy, in the SSLContextImpl::chooseTrustManager() method the instanceof check below becomes false, and hence it falls into the exception block.
> {code:java}
> if (SunJSSE.isFIPS() && !(var1[var2] instanceof X509TrustManagerImpl)) {
> throw new KeyManagementException("FIPS mode: only SunJSSE TrustManagers may be used");
> }
> {code}
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
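The failure described in the issue can be reproduced outside ZooKeeper and Kafka with a small probe. The Java program below is an added example and is not code from the ZooKeeper project or from the reporters: it asks SunJSSE to initialise an SSLContext twice, once with the JDK's own X509TrustManagerImpl and once with a delegating X509ExtendedTrustManager subclass (DelegatingTrustManager, a hypothetical stand-in for ZKTrustManager) that wraps it. The class is an assumption introduced for illustration; the trust store is the JDK default. On a JDK whose SunJSSE is in FIPS mode the second init fails with the same "FIPS mode: only SunJSSE TrustManagers may be used" KeyManagementException quoted above, because SSLContextImpl.chooseTrustManager() rejects any trust manager that is not an instance of X509TrustManagerImpl; on a JDK where SunJSSE is not in FIPS mode both are accepted.

```java
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Added diagnostic (not ZooKeeper code): checks whether the installed SunJSSE
 * accepts a custom X509ExtendedTrustManager, which is what ZooKeeper's
 * X509Util.createSSLContextAndOptionsFromConfig() needs to do with ZKTrustManager.
 */
public class FipsTrustManagerProbe {

    /** Hypothetical stand-in for ZKTrustManager: same supertype, delegates every check. */
    static final class DelegatingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;

        DelegatingTrustManager(X509ExtendedTrustManager delegate) {
            this.delegate = delegate;
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException { delegate.checkServerTrusted(chain, authType, socket); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException { delegate.checkServerTrusted(chain, authType, engine); }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkServerTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Obtains the JDK's own trust manager (X509TrustManagerImpl under SunJSSE) for the default trust store. */
    static X509ExtendedTrustManager jdkTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = default cacerts trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509ExtendedTrustManager from provider " + tmf.getProvider().getName());
    }

    /** Returns null when SSLContext.init accepts tm, otherwise the KeyManagementException message. */
    static String probe(TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        try {
            ctx.init(null, new TrustManager[] { tm }, null); // runs SSLContextImpl.chooseTrustManager()
            return null;
        } catch (KeyManagementException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Provider order decides which SSLContext implementation (and which FIPS rules) you get.
        System.out.println("Installed security providers, in precedence order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + ": " + p.getInfo());
        }

        X509ExtendedTrustManager jdkTm = jdkTrustManager();
        TrustManager[] candidates = { jdkTm, new DelegatingTrustManager(jdkTm) };
        for (TrustManager tm : candidates) {
            String err = probe(tm);
            System.out.println(tm.getClass().getName() + " -> "
                    + (err == null ? "accepted" : "rejected: " + err));
        }
    }
}
```

Run it with the same java.security configuration and the same classpath (bc-fips jar included) that the failing service uses; if the second line reports "rejected: FIPS mode: only SunJSSE TrustManagers may be used", the environment itself, not the ZooKeeper client configuration, is what blocks any non-SunJSSE trust manager, and no ZooKeeper-side trust-store setting will change that outcome.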