[CI] ActiveDirectoryRealmTests fail in FIPS mode #47434

Closed
@droberts195

All the ActiveDirectoryRealmTests failed in this build of the 7.x branch: https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+7.x+matrix-java-periodic/ES_BUILD_JAVA=openjdk12,ES_RUNTIME_JAVA=java8fips,nodes=general-purpose/241/console

For each test in the suite the error is like this one:

06:20:19 org.elasticsearch.xpack.security.authc.ldap.ActiveDirectoryRealmTests > testAuthenticateCachesSuccessfulAuthentications FAILED
06:20:19     ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.authc.realms.active_directory.testauthenticatecachessuccesfulauthentications.ssl]]; nested: ElasticsearchException[failed to initialize the SSLContext]; nested: KeyManagementException[FIPS mode: only SunJSSE TrustManagers may be used];
06:20:19         at __randomizedtesting.SeedInfo.seed([6330360333BB8644:9993853870276F61]:0)
06:20:19         at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:449)
06:20:19         at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$2(SSLService.java:426)
06:20:19         at java.util.HashMap.forEach(HashMap.java:1289)
06:20:19         at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:426)
06:20:19         at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:121)
06:20:19         at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectoryRealmTests.setupRealm(ActiveDirectoryRealmTests.java:171)
06:20:19         at org.elasticsearch.xpack.security.authc.ldap.ActiveDirectoryRealmTests.testAuthenticateCachesSuccessfulAuthentications(ActiveDirectoryRealmTests.java:226)
06:20:19 
06:20:19         Caused by:
06:20:19         ElasticsearchException[failed to initialize the SSLContext]; nested: KeyManagementException[FIPS mode: only SunJSSE TrustManagers may be used];
06:20:19             at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:409)
06:20:19             at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:386)
06:20:19             at java.util.HashMap.computeIfAbsent(HashMap.java:1127)
06:20:19             at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:446)
06:20:19             ... 6 more
06:20:19 
06:20:19             Caused by:
06:20:19             java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
06:20:19                 at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:120)
06:20:19                 at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:83)
06:20:19                 at javax.net.ssl.SSLContext.init(SSLContext.java:282)
06:20:19                 at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:402)
06:20:19                 ... 9 more

This is reproducible if you use a FIPS JVM:

./gradlew ':x-pack:plugin:security:test' --tests "org.elasticsearch.xpack.security.authc.ldap.ActiveDirectoryRealmTests" -Dtests.seed=6330360333BB8644 -Dtests.security.manager=true -Dtests.locale=fr-FR -Dtests.timezone=Antarctica/Davis -Dcompiler.java=12 -Druntime.java=8FIPS -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password

Labels

:Security/Security (Security issues without another label), >test-failure (Triaged test failures from CI)
