ci.docker: parseAlgParameters failed: PBES2 AlgorithmParameters not available on FIPS
Hello,
On an OCP 4.12 FIPS cluster, with ibmcom/websphere-liberty:22.0.0.13-kernel-java11-openj9-ubi, and following https://www.ibm.com/support/pages/fips-certified-cryptography-ibm-semeru-runtimes, I am using the JVM options:
-Dsemeru.fips=true
-Djava.security.debug=semerufips
-Djavax.net.ssl.trustStore=NONE
-Djavax.net.ssl.trustStoreProvider=SunPKCS11-NSS-FIPS
-Djavax.net.ssl.keyStoreType=PKCS11
-Djavax.net.ssl.keyStore=NONE
-Djavax.net.ssl.keyStoreProvider=SunPKCS11-NSS-FIPS
The following error is generated:
[2/15/23, 10:55:24:652 CET] 00000027 WSKeyStore W CWPKI0809W: There is a failure loading the defaultKeyStore keystore. If an SSL configuration references the defaultKeyStore keystore, then the SSL configuration will fail to initialize.
[2/15/23, 10:55:24:652 CET] 00000027 WSKeyStore E CWPKI0033E: The keystore located at /opt/ibm/wlp/output/defaultServer/resources/security/key.p12 did not load because of the following error: parseAlgParameters failed: PBES2 AlgorithmParameters not available
I found https://access.redhat.com/solutions/6954451, which talks about a keytool issue in FIPS mode: "FIPS mode does not yet support password-based encryption. If you want to use password-based encryption, you must disable FIPS mode when running keytool. For example, you could disable FIPS mode for just the keytool process with the -Dcom.redhat.fips=false system property."
Assuming perhaps that Liberty startup is using keytool, I tried the -Dcom.redhat.fips=false JVM option, but it didn't solve it. Please, can you advise?
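As an added diagnostic, not code from the issue or from the ci.docker project: the CWPKI0033E message above is raised when the PKCS12 keystore loader asks the JCA for "PBES2" AlgorithmParameters and no active provider supplies them, so this small program, run with the same -Dsemeru.fips=true options as the server, lists the installed providers and reports which PBE parameter algorithms each JVM can actually supply. The class name and the list of algorithms probed are my own choices.

```java
import java.security.AlgorithmParameters;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

/**
 * Reproduces the lookup that fails inside PKCS12 keystore parsing
 * ("parseAlgParameters failed: PBES2 AlgorithmParameters not available").
 * Start it with the server's FIPS flags, e.g.
 *   java -Dsemeru.fips=true -Djava.security.debug=semerufips FipsPbeCheck
 * and compare the output against a run without the flags.
 */
public class FipsPbeCheck {

    // PBE schemes a PKCS12 file may use for its key/cert encryption (constructed list).
    static final List<String> PBE_ALGS = Arrays.asList(
            "PBES2",                        // PBKDF2 + AES, default in newer JDK keytool
            "PBEWithHmacSHA256AndAES_256",  // the PBES2 variant keytool writes
            "PBEWithSHA1AndDESede",         // legacy PKCS12 key encryption
            "PBEWithSHA1AndRC2_40");        // legacy PKCS12 certificate encryption

    /** Name of the provider that can supply AlgorithmParameters for alg, or null if none. */
    static String providerFor(String alg) {
        try {
            return AlgorithmParameters.getInstance(alg).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // In FIPS mode the provider list is restricted; this shows what is actually active.
        System.out.println("Installed providers (in preference order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
        boolean fipsFlag = Boolean.getBoolean("semeru.fips") || Boolean.getBoolean("com.redhat.fips");
        System.out.println("FIPS system property set: " + fipsFlag);

        for (String alg : PBE_ALGS) {
            String prov = providerFor(alg);
            System.out.println(String.format("  %-30s %s", alg,
                    prov == null ? "NOT AVAILABLE" : "provided by " + prov));
        }
    }
}
```

A keystore whose encryption scheme shows NOT AVAILABLE under the FIPS flags cannot be loaded by that JVM, which is the condition the CWPKI0033E log line reports.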
About this issue
- State: closed
- Created a year ago
- Comments: 16 (6 by maintainers)
Sorry, I am not familiar with the new error: "No cipher list in common".
Most likely it's unrelated to containers, so it's best looked at by the Liberty runtime/security folks. I suggest opening a support case and providing more details on when this occurs, server logs, etc.
No, that's ok. Thanks @leochr, I tested the workaround and "parseAlgParameters failed: PBES2 AlgorithmParameters not available" is gone. I am just waiting for the validation, as I still cannot have my apps available because of another problem, "No cipher list in common". I still don't know if the issue is on the Liberty and/or OCP side.
Probably this script should be changed in the case of FIPS: https://github.com/WASdev/ci.docker/blob/e0fb892e78c0951865ab6e10cf39f4a66a7ff96c/ga/23.0.0.1/kernel/helpers/runtime/docker-server.sh#L46