[Geoserver-devel] [JIRA] (GEOS-10512) Default KeystoreProviderImpl type is not FIPS-compliant (JCEKS)

Trae Yelovich created an issue

GeoServer / Bug GEOS-10512

Default KeystoreProviderImpl type is not FIPS-compliant (JCEKS)

Issue Type:

Bug

Affects Versions:

2.18.6, 2.20.4, 2.21.0

Assignee:

Unassigned

Created:

25/May/22 3:12 PM

Environment:

A FIPS-enabled Linux server w/ an OpenJDK 11 container (1.11)

Priority:

High

Reporter:

Trae Yelovich

The default keystore type for KeystoreProviderImpl is JCEKS. During startup, GeoServer tries to create a blank JCEKS keystore, or load an existing one within the data directory. However, in FIPS environments, a NoSuchAlgorithmException is thrown as JCEKS is not available under FIPS. As a result, we cannot get GeoServer to finish booting as FIPS mode is required and GeoServer depends on JCEKS to continue execution.

We’ve considered creating a compatible keystore provider as a workaround and importing it somehow, but extension documentation seems scarce, especially regarding a custom keystore provider.

Ideally, a FIPS-compatible algorithm as the default keystore type would solve this issue. Another potential alternative would be to allow the system to provide a keystore type as an environment variable, and then default to JCEKS if the variable doesn’t exist.
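The fallback behaviour proposed above (operator-supplied keystore type, otherwise a default) can be probed at startup rather than assumed. The following is an added illustration and not GeoServer code: the environment variable name GEOSERVER_KEYSTORE_TYPE is hypothetical, and PKCS12 is listed as a candidate only because it is the JDK's standard type; whether the running JVM (FIPS-restricted or not) actually permits a type is what the probe checks, by creating, loading and storing an empty keystore of that type and catching the NoSuchAlgorithmException/KeyStoreException path described in the report.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

/** Picks the first keystore type the running JVM can actually create and persist. */
public final class KeystoreTypeProbe {

    // Hypothetical variable name; GeoServer has no such setting in the affected versions.
    static final String TYPE_ENV_VAR = "GEOSERVER_KEYSTORE_TYPE";

    /** Returns true if a blank keystore of this type can be created, loaded and stored. */
    static boolean isUsable(String type, char[] password) {
        try {
            KeyStore ks = KeyStore.getInstance(type);        // KeyStoreException if no provider offers the type
            ks.load(null, password);                         // initialise an empty store; may throw NoSuchAlgorithmException
            ks.store(new ByteArrayOutputStream(), password); // also exercises the integrity/encryption algorithms
            return true;
        } catch (GeneralSecurityException | IOException e) {
            System.err.printf("keystore type %s unusable: %s%n", type, e);
            return false;
        }
    }

    /** Candidate order: operator override (if set), then PKCS12, then the legacy JCEKS default. */
    static List<String> candidates() {
        List<String> types = new ArrayList<>();
        String override = System.getenv(TYPE_ENV_VAR);
        if (override != null && !override.isBlank()) {
            types.add(override);
        }
        types.add("PKCS12");
        types.add("JCEKS");
        return types;
    }

    /** First usable candidate, or a clear failure instead of a half-booted server. */
    static String selectType(char[] password) {
        for (String type : candidates()) {
            if (isUsable(type, password)) {
                return type;
            }
        }
        throw new IllegalStateException("no usable keystore type among " + candidates());
    }

    public static void main(String[] args) {
        char[] pw = "changeit".toCharArray(); // constructed sample password for the probe only
        System.out.println("selected keystore type: " + selectType(pw));
    }
}
```

Run it once on the FIPS-enabled host and once on a non-FIPS JDK 11; the stderr line for JCEKS on the FIPS host shows the exact exception the report describes, while the non-FIPS run accepts every candidate.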



This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100198-sha1:3aa2ccf)
