Hello,
I configured SSL with pgjdbc on a FIPS-enabled server by following the link below.
https://www.enterprisedb.com/blog/edb-tutorial-configure-ssl-edb-jdbc-fips-enabled-server
However, when I tried to run a simple test program, I got the following error.
[postgres@VM00099926 fips]$ java -cp .:postgresql-42.7.0.jar -Djavax.net.ssl.trustStore=NONE -Djavax.net.ssl.trustStoreType=PKCS11 JdbcTest
Setting up SSL Connection:
Exception in thread "main" org.postgresql.util.PSQLException: The SSLSocketFactory class provided org.postgresql.ssl.DefaultJavaSSLFactory could not be instantiated.
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:68)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:34)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:620)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:191)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263)
at org.postgresql.Driver.makeConnection(Driver.java:443)
at org.postgresql.Driver.connect(Driver.java:297)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:208)
at JdbcTest.main(JdbcTest.java:18)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.postgresql.util.ObjectFactory.instantiate(ObjectFactory.java:66)
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:64)
... 11 more
Caused by: java.security.ProviderException: Initialization failed
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:438)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:131)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
at sun.security.jca.ProviderList.getService(ProviderList.java:331)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
at org.postgresql.ssl.DefaultJavaSSLFactory.<init>(DefaultJavaSSLFactory.java:19)
... 17 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_PIN_INCORRECT
at sun.security.pkcs11.wrapper.PKCS11.C_Login(Native Method)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:422)
... 34 more
While trying to solve this problem, I found that if I set the password of the NSS (Network Security Services) DB to empty, the above exception does not occur.
I am confused about how to avoid this exception when I want to connect to the DB with pgjdbc while FIPS is enabled and the NSS DB password is not empty.
I have attached my setup details and test program at the end.
The setup details and testing program:
- OS:
Red Hat Enterprise Linux release 9.2 (Plow)
- java version:
openjdk version "1.8.0_392"
OpenJDK Runtime Environment (build 1.8.0_392-b08)
OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)
- pgjdbc version:
42.7.0
- fips mode
[root@VM00099926 fips]# fips-mode-setup --check
FIPS mode is enabled.
- java.security:
#
# Security providers used when FIPS mode support is active
#
fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
fips.provider.2=sun.security.provider.Sun
fips.provider.3=sun.security.ec.SunEC
fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
nss.fips.cfg:
name = NSS-FIPS
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips
attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
- Testing program:
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class JdbcTest
{
    public static void main(String[] args) throws Exception
    {
        System.out.println("Setting up SSL Connection: ");
        Class.forName("org.postgresql.Driver");

        // Require SSL and verify the server certificate against the trust store
        // configured through -Djavax.net.ssl.* (here the NSS PKCS11 store).
        Properties props = new Properties();
        props.setProperty("user", "postgres");
        props.setProperty("ssl", "true");
        props.setProperty("sslmode", "verify-ca");
        // Use the JDK's default SSLSocketFactory instead of pgjdbc's own LibPQFactory.
        props.setProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");

        Connection con = DriverManager.getConnection("jdbc:postgresql://localhost:27500/postgres", props);
        System.out.println("Connection opened:");
        System.out.println(con.isClosed());
        try {
            con.close();
            System.out.println("Connection closed:");
            System.out.println(con.isClosed());
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
- How to set the password of the NSS DB (FIPS must be disabled while setting the password):
# fips-mode-setup --disable
# reboot
# modutil -changepw "NSS Certificate DB" -dbdir /etc/pki/nssdb
<input new password, if you want to set the password as empty, just tap Enter key>
# fips-mode-setup --enable
# reboot
I would very much appreciate it if anyone could give me a solution or suggestion.
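The stack trace above fails inside the JDK's own provider initialisation (SunPKCS11.<init> calling C_Login), before pgjdbc does anything with the socket. The following probe is an added example, not part of the original post and not pgjdbc code: it loads the same provider that the java.security fragment registers as SunPKCS11-NSS-FIPS and then opens the PKCS11 keystore with a PIN, so you can confirm separately whether the JDK can log in to the NSS FIPS token at all. The class name NssFipsProbe and the NSS_PIN environment variable are assumptions of this example; leave NSS_PIN unset to reproduce the empty-password case.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.util.Arrays;

/**
 * Probes the JDK FIPS PKCS11 provider and the NSS DB login independently
 * of pgjdbc. Added example; the provider name comes from the java.security
 * fragment above, everything else is an assumption of this example.
 */
public class NssFipsProbe {

    // Provider name as registered by fips.provider.4 in java.security.
    static final String FIPS_PROVIDER = "SunPKCS11-NSS-FIPS";

    public static void main(String[] args) {
        // Assumption: the PIN is supplied via the environment so it never
        // appears on the command line or in a file.
        String pinEnv = System.getenv("NSS_PIN");
        char[] pin = (pinEnv == null) ? null : pinEnv.toCharArray();

        // Step 1: force the provider to load. This goes through the same
        // ProviderConfig/ProviderList path as SSLContext.getDefault(), so a
        // failure here reproduces the pgjdbc trace without the driver.
        Provider p;
        try {
            p = Security.getProvider(FIPS_PROVIDER);
        } catch (ProviderException e) {
            System.out.println("Provider initialisation failed:");
            printCauseChain(e);
            return;
        }
        if (p == null) {
            System.out.println(FIPS_PROVIDER + " is not registered; check java.security");
            return;
        }
        System.out.println("Loaded provider " + p.getName() + " v" + p.getVersion());

        // Step 2: open the PKCS11 keystore. KeyStore.load() is what performs
        // C_Login with the given PIN, so CKR_PIN_INCORRECT here means the
        // password does not match the one set with modutil -changepw.
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);
            System.out.println("Token login OK; keystore entries: " + ks.size());
        } catch (Exception e) {
            System.out.println("Token login failed:");
            printCauseChain(e);
        } finally {
            if (pin != null) {
                Arrays.fill(pin, '\0'); // scrub the PIN from memory
            }
        }
    }

    // Walks getCause() so the PKCS11 return code (e.g. CKR_PIN_INCORRECT)
    // at the bottom of the chain is shown, not just "Initialization failed".
    static void printCauseChain(Throwable t) {
        StringBuilder indent = new StringBuilder();
        for (Throwable c = t; c != null; c = c.getCause()) {
            System.out.println(indent + c.getClass().getName() + ": " + c.getMessage());
            indent.append("  ");
        }
    }
}
```

Run it with the same JDK and java.security that the JdbcTest run uses (for example `NSS_PIN='...' java NssFipsProbe`). If step 1 already fails with CKR_PIN_INCORRECT, the problem is in the JDK's FIPS provider configuration rather than in pgjdbc, and the sslfactory setting cannot influence it.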