Pgjdbc cannot connect to DB when FIPS enabled and NSS DB's password is not empty

Jiangchen Wei, Dec 5 2023

Hello,

I configured SSL with pgjdbc on a FIPS-enabled server by following the link below.
https://www.enterprisedb.com/blog/edb-tutorial-configure-ssl-edb-jdbc-fips-enabled-server

However, when I was trying to run a simple testing program, I got the following error.

[postgres@VM00099926 fips]$ java -cp .:postgresql-42.7.0.jar -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11 JdbcTest 
Setting up SSL Connection: 
Exception in thread "main" org.postgresql.util.PSQLException: The SSLSocketFactory class provided org.postgresql.ssl.DefaultJavaSSLFactory could not be instantiated. 
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:68) 
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:34) 
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:620) 
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:191) 
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258) 
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54) 
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263) 
at org.postgresql.Driver.makeConnection(Driver.java:443) 
at org.postgresql.Driver.connect(Driver.java:297) 
at java.sql.DriverManager.getConnection(DriverManager.java:664) 
at java.sql.DriverManager.getConnection(DriverManager.java:208) 
at JdbcTest.main(JdbcTest.java:18) 
Caused by: java.lang.reflect.InvocationTargetException 
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
at org.postgresql.util.ObjectFactory.instantiate(ObjectFactory.java:66) 
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:64) 
... 11 more 
Caused by: java.security.ProviderException: Initialization failed 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:438) 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:131) 
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224) 
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206) 
at java.security.AccessController.doPrivileged(Native Method) 
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206) 
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187) 
at sun.security.jca.ProviderList.getProvider(ProviderList.java:233) 
at sun.security.jca.ProviderList.getService(ProviderList.java:331) 
at sun.security.jca.GetInstance.getInstance(GetInstance.java:157) 
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) 
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96) 
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122) 
at org.postgresql.ssl.DefaultJavaSSLFactory.<init>(DefaultJavaSSLFactory.java:19) 
... 17 more 
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT 
at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method) 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:422) 
... 34 more

When I was trying to solve this problem, I found that if I set the password of the NSS (Network Security Services) DB to empty, the above exception does not occur.

I am confused about how to avoid this exception if I want to connect to the DB with pgjdbc while FIPS is enabled and the password of the NSS DB is not empty.

I have attached my setup details and testing program at the end.

The setup details and testing program:

  1. OS:
    Red Hat Enterprise Linux release 9.2 (Plow)
  2. java version:
    openjdk version "1.8.0_392"
    OpenJDK Runtime Environment (build 1.8.0_392-b08)
    OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
  3. pgjdbc version:
    42.7.0
  4. FIPS mode:
    [root@VM00099926 fips]# fips-mode-setup --check
    FIPS mode is enabled.
  5. java.security:
    #
    # Security providers used when FIPS mode support is active
    #
    fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
    fips.provider.2=sun.security.provider.Sun
    fips.provider.3=sun.security.ec.SunEC
    fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS

    nss.fips.cfg:
    name = NSS-FIPS
    nssLibraryDirectory = /usr/lib64
    nssSecmodDirectory = sql:/etc/pki/nssdb
    nssDbMode = readOnly
    nssModule = fips

    attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

  6. Testing program:

import java.io.File;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.sql.*;
import java.util.Properties;

public class JdbcTest
{
        public static void main(String[] args) throws Exception
        {
                System.out.println("Setting up SSL Connection: ");
                Class.forName("org.postgresql.Driver");
                Properties props = new Properties();
                props.setProperty("user","postgres");
                props.setProperty("ssl","true");
                props.setProperty("sslmode","verify-ca");
                props.setProperty("sslfactory","org.postgresql.ssl.DefaultJavaSSLFactory");
                Connection con = DriverManager.getConnection("jdbc:postgresql://localhost:27500/postgres", props);
                System.out.println("Connection opened:");
                System.out.println(con.isClosed());
                try {
                        con.close();
                        System.out.println("Connection closed:");
                        System.out.println(con.isClosed());
                }catch(Exception ex) {
                       ex.printStackTrace();
                }
        }
}

  7. How to set the password of the NSS DB (FIPS must be disabled when setting the password):

# fips-mode-setup --disable
# reboot
# modutil -changepw "NSS Certificate DB" -dbdir /etc/pki/nssdb
<input new password, if you want to set the password as empty, just tap Enter key>
# fips-mode-setup --enable
# reboot

I would very much appreciate it if anyone could give me a solution or suggestion.
