Обсуждение: JDBC-Platform error: unsupported key for HMAC algorithm
Hi,
Postgresql server 13.4 on RHEL8.4 FIPS, JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL. Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:
at java.lang.Thread.run(Thread.java:750) │
│ Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm │
│ at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) │
│ at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) │
│ at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) │
│ at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) │
│ at org.postgresql.Driver.makeConnection(Driver.java:400) │
│ at org.postgresql.Driver.connect(Driver.java:259) │
│ ... 220 more
does Postgres JDBC driver support FIPS mode to connect to Postgresql database ?
Thanks,
James
Hi,
Postgresql server 13.4 on RHEL8.4 FIPS, JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL. Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:
at java.lang.Thread.run(Thread.java:750) │
│ Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm │
│ at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) │
│ at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) │
│ at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) │
│ at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) │
│ at org.postgresql.Driver.makeConnection(Driver.java:400) │
│ at org.postgresql.Driver.connect(Driver.java:259) │
│ ... 220 more
does Postgres JDBC driver support JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .
Thanks,
James
Hi,
Postgresql server 13.4 on RHEL8.4 FIPS, JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL. Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:
at java.lang.Thread.run(Thread.java:750) │
│ Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm │
│ at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) │
│ at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) │
│ at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) │
│ at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) │
│ at org.postgresql.Driver.makeConnection(Driver.java:400) │
│ at org.postgresql.Driver.connect(Driver.java:259) │
│ ... 220 more
does Postgres JDBC driver support JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .
Thanks,
James
Hi,
Sorry, clarify again , We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled and disabled.
We use Tomcat connection pool + Postgresql JDBC 42.3.3 , Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver. For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2. For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.
With RHEL8 FIPS enabled , tomcat logs show:
22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]
With RHEL8 FIPS not enabled, no FIPS keyword from tomcat.
This is Java tomcat config running in Kubed POD with RHEL8 FIPS mode.
{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}
[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start
For keystore details, no detail yet, will check and update then. From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.
Thanks,
James
From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm
Hello,
Can you provide more information?
Which keys are you using, etc?
TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.
I need more detailed information however such as how the keys were created and presented to the driver.
Dave
On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:
Hi,
Postgresql server 13.4 on RHEL8.4 FIPS, JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL. Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:
at java.lang.Thread.run(Thread.java:750) │
│ Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm │
│ at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) │
│ at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) │
│ at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) │
│ at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) │
│ at org.postgresql.Driver.makeConnection(Driver.java:400) │
│ at org.postgresql.Driver.connect(Driver.java:259) │
│ ... 220 more
does Postgres JDBC driver support JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .
Thanks,
James
Attached Tomcat error log too.
From: James Pang (chaolpan)
Sent: Wednesday, June 22, 2022 8:51 PM
To: Dave Cramer <davecramer@postgres.rocks>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: RE: JDBC-Platform error: unsupported key for HMAC algorithm
Hi,
Sorry, clarify again , We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled and disabled.
We use Tomcat connection pool + Postgresql JDBC 42.3.3 , Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver. For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2. For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.
With RHEL8 FIPS enabled , tomcat logs show:
22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]
With RHEL8 FIPS not enabled, no FIPS keyword from tomcat.
This is Java tomcat config running in Kubed POD with RHEL8 FIPS mode.
{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}
[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start
For keystore details, no detail yet, will check and update then. From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.
Thanks,
James
From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm
Hello,
Can you provide more information?
Which keys are you using, etc?
TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.
I need more detailed information however such as how the keys were created and presented to the driver.
Dave
On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:
Hi,
Postgresql server 13.4 on RHEL8.4 FIPS, JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL. Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:
at java.lang.Thread.run(Thread.java:750) │
│ Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm │
│ at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) │
│ at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) │
│ at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) │
│ at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) │
│ at org.postgresql.Driver.makeConnection(Driver.java:400) │
│ at org.postgresql.Driver.connect(Driver.java:259) │
│ ... 220 more
does Postgres JDBC driver support JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .
Thanks,
James
Вложения
Attached updated Tomcat error log too.
From: James Pang (chaolpan)
Sent: Wednesday, June 22, 2022 8:51 PM
To: Dave Cramer <davecramer@postgres.rocks>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: RE: JDBC-Platform error: unsupported key for HMAC algorithm
Hi,
Sorry, clarify again , We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled and disabled.
We use Tomcat connection pool + Postgresql JDBC 42.3.3 , Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver. For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2. For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.
With RHEL8 FIPS enabled , tomcat logs show:
22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]
With RHEL8 FIPS not enabled, no FIPS keyword from tomcat.
This is Java tomcat config running in Kubed POD with RHEL8 FIPS mode.
{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}
[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start
For keystore details, no detail yet, will check and update then. From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.
Thanks,
James
From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm
Hello,
Can you provide more information?
Which keys are you using, etc?
TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.
I need more detailed information however such as how the keys were created and presented to the driver.
Dave
On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:
Hi,
Postgresql server 13.4 on RHEL8.4 FIPS, JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL. Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:
at java.lang.Thread.run(Thread.java:750) │
│ Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm │
│ at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) │
│ at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) │
│ at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) │
│ at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) │
│ at org.postgresql.Driver.makeConnection(Driver.java:400) │
│ at org.postgresql.Driver.connect(Driver.java:259) │
│ ... 220 more
does Postgres JDBC driver support JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .
Thanks,
James
Вложения
Hi,
Sorry, clarify again , We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled and disabled.
We use Tomcat connection pool + Postgresql JDBC 42.3.3 , Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver. For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2. For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.
With RHEL8 FIPS enabled , tomcat logs show:
22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]
With RHEL8 FIPS not enabled, no FIPS keyword from tomcat.
This is Java tomcat config running in Kubed POD with RHEL8 FIPS mode.
{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}
[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start
For keystore details, no detail yet, will check and update then. From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.
Thanks,
James
From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm
Hello,
Can you provide more information?
Which keys are you using, etc?
TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.
I need more detailed information however such as how the keys were created and presented to the driver.
Dave
On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:
Hi,
Postgresql server 13.4 on RHEL8.4 FIPS, JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL. Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:
at java.lang.Thread.run(Thread.java:750) │
│ Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm │
│ at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70) │
│ at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163) │
│ at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130) │
│ at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180) │
│ at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235) │
│ at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) │
│ at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223) │
│ at org.postgresql.Driver.makeConnection(Driver.java:400) │
│ at org.postgresql.Driver.connect(Driver.java:259) │
│ ... 220 more
does Postgres JDBC driver support JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .
Thanks,
James