Java and JavaScript in the Database

Pgjdbc cannot connect to DB when FIPS enabled and NSS DB's password is not empty

Jiangchen Wei, Dec 5 2023

Hello,

I configured SSL with pgjdbc on a FIPS-enabled server by following the link below.
https://www.enterprisedb.com/blog/edb-tutorial-configure-ssl-edb-jdbc-fips-enabled-server

However, when I tried to run a simple test program, I got the following error.

[postgres@VM00099926 fips]$ java -cp .:postgresql-42.7.0.jar -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11 JdbcTest 
Setting up SSL Connection: 
Exception in thread "main" org.postgresql.util.PSQLException: The SSLSocketFactory class provided org.postgresql.ssl.DefaultJavaSSLFactory could not be instantiated. 
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:68) 
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:34) 
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:620) 
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:191) 
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258) 
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54) 
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263) 
at org.postgresql.Driver.makeConnection(Driver.java:443) 
at org.postgresql.Driver.connect(Driver.java:297) 
at java.sql.DriverManager.getConnection(DriverManager.java:664) 
at java.sql.DriverManager.getConnection(DriverManager.java:208) 
at JdbcTest.main(JdbcTest.java:18) 
Caused by: java.lang.reflect.InvocationTargetException 
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
at org.postgresql.util.ObjectFactory.instantiate(ObjectFactory.java:66) 
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:64) 
... 11 more 
Caused by: java.security.ProviderException: Initialization failed 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:438) 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:131) 
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) 
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224) 
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206) 
at java.security.AccessController.doPrivileged(Native Method) 
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206) 
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187) 
at sun.security.jca.ProviderList.getProvider(ProviderList.java:233) 
at sun.security.jca.ProviderList.getService(ProviderList.java:331) 
at sun.security.jca.GetInstance.getInstance(GetInstance.java:157) 
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) 
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96) 
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122) 
at org.postgresql.ssl.DefaultJavaSSLFactory.<init>(DefaultJavaSSLFactory.java:19) 
... 17 more 
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT 
at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method) 
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:422) 
... 34 more

While trying to solve this problem, I found that if I set the password of the NSS (Network Security Services) DB to empty, the above exception does not occur.

I am confused about how to avoid this exception if I want to connect to the DB with pgjdbc while FIPS is enabled and the password of the NSS DB is not empty.

I have attached my setup details and test program at the end.

The setup details and testing program:

  1. OS:
    Red Hat Enterprise Linux release 9.2 (Plow)
  2. java version:
    openjdk version "1.8.0_392"
    OpenJDK Runtime Environment (build 1.8.0_392-b08)
    OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
  3. pgjdbc version:
    42.7.0
  4. FIPS mode:
    [root@VM00099926 fips]# fips-mode-setup --check
    FIPS mode is enabled.
  5. java.security:
# 
# Security providers used when FIPS mode support is active 
# 
fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg 
fips.provider.2=sun.security.provider.Sun 
fips.provider.3=sun.security.ec.SunEC 
fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS 

nss.fips.cfg: 
name = NSS-FIPS 
nssLibraryDirectory = /usr/lib64 
nssSecmodDirectory = sql:/etc/pki/nssdb 
nssDbMode = readOnly 
nssModule = fips 

attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }

6. Testing program:

import java.io.File;
import java.io.FileOutputStream;
import java.io.PrintStream;
import java.sql.*;
import java.util.Properties;

public class JdbcTest
{
        public static void main(String[] args) throws Exception
        {
                System.out.println("Setting up SSL Connection: ");
                Class.forName("org.postgresql.Driver");
                Properties props = new Properties();
                props.setProperty("user","postgres");
                props.setProperty("ssl","true");
                props.setProperty("sslmode","verify-ca");
                props.setProperty("sslfactory","org.postgresql.ssl.DefaultJavaSSLFactory");
                Connection con = DriverManager.getConnection("jdbc:postgresql://localhost:27500/postgres", props);
                System.out.println("Connection opened:");
                System.out.println(con.isClosed());
                try {
                        con.close();
                        System.out.println("Connection closed:");
                        System.out.println(con.isClosed());
                }catch(Exception ex) {
                       ex.printStackTrace();
                }
        }
}

7. How to set the password of the NSS DB (FIPS must be disabled while setting the password)

# fips-mode-setup --disable
# reboot
# modutil -changepw "NSS Certificate DB" -dbdir /etc/pki/nssdb
<input new password, if you want to set the password as empty, just tap Enter key>
# fips-mode-setup --enable
# reboot

I would very much appreciate it if anyone can give me a solution or suggestion.
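
An added diagnostic example, not part of the original post and not pgjdbc code: the stack trace above fails inside `SSLContext.getDefault()`, before pgjdbc opens any socket, so the same initialization can be exercised without the driver to confirm that the failure comes from JCA provider loading. The class name `DefaultSslProbe` and the exit codes are hypothetical; it assumes it is run with the same `-Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11` options as the test program.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

// Hypothetical helper class (an assumption for illustration, not from the post).
public class DefaultSslProbe {
    // PKCS#11 return codes appear in exception messages as CKR_<NAME>.
    private static final Pattern CKR = Pattern.compile("CKR_[A-Z0-9_]+");

    // Prints every exception in the cause chain and returns the first
    // PKCS#11 return code found in a message, or null if there is none.
    static String findPkcs11Code(Throwable t) {
        String code = null;
        int depth = 0;
        // The depth limit guards against a self-referencing cause chain.
        for (Throwable cur = t; cur != null && depth < 32; cur = cur.getCause(), depth++) {
            String msg = cur.getMessage();
            System.err.println("  [" + depth + "] " + cur.getClass().getName() + ": " + msg);
            if (code == null && msg != null) {
                Matcher m = CKR.matcher(msg);
                if (m.find()) {
                    code = m.group();
                }
            }
        }
        return code;
    }

    public static void main(String[] args) {
        try {
            // Same initialization that DefaultJavaSSLFactory.<init> triggers
            // through SSLSocketFactory.getDefault() in the trace.
            SSLContext ctx = SSLContext.getDefault();
            System.out.println("Default SSLContext initialized, provider: "
                    + ctx.getProvider().getName());
        } catch (Throwable e) {
            System.err.println("Default SSLContext failed without pgjdbc involved:");
            String code = findPkcs11Code(e);
            if (code != null) {
                System.err.println("PKCS#11 token returned " + code);
                System.exit(2); // failure reported by the PKCS#11 token
            }
            System.exit(1);     // some other initialization failure
        }
    }
}
```

If this probe exits with status 2 and reports `CKR_PIN_INCORRECT`, the token login fails during provider initialization and the pgjdbc connection properties are not involved.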
