Hi @Eyal_Koren
Below is the error log I get if I just read the TLS context and leave everything else as is.
2021-01-26 11:45:54,241 [main] DEBUG co.elastic.apm.agent.bci.ElasticApmAgent - Type match for instrumentation ExecutorInvokeAnyAllInstrumentation: (((((((((hasSuperType(erasure(name(equals(java.util.concurrent.Executor)))) and not(name(equals(org.apache.felix.resolver.ResolverImpl$DumbExecutor)))) and not(name(contains(jetty)))) and not(name(contains(tomcat)))) and not(name(contains(jboss)))) and not(name(contains(undertow)))) and not(name(contains(netty)))) and not(name(startsWith(com.hazelcast)))) and not((name(contains($Proxy)) or name(contains($$))))) and not(isInterface())) matches class java.util.concurrent.Executors$FinalizableDelegatedExecutorService
2021-01-26 11:45:54,245 [elastic-apm-server-healthcheck] WARN co.elastic.apm.agent.report.ssl.SslUtils - FIPS mode: only SunJSSE TrustManagers may be used
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
at sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:115) ~[?:1.8.0_162]
at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:78) ~[?:1.8.0_162]
at javax.net.ssl.SSLContext.init(SSLContext.java:282) ~[?:1.8.0_162]
at co.elastic.apm.agent.report.ssl.SslUtils.createSocketFactory(SslUtils.java:93) [?:?]
at co.elastic.apm.agent.report.ssl.SslUtils.<clinit>(SslUtils.java:56) [?:?]
at co.elastic.apm.agent.report.ApmServerClient.startRequestToUrl(ApmServerClient.java:140) [?:?]
at co.elastic.apm.agent.report.ApmServerClient.executeForAllUrls(ApmServerClient.java:278) [?:?]
at co.elastic.apm.agent.report.ApmServerHealthChecker.call(ApmServerHealthChecker.java:69) [?:?]
at co.elastic.apm.agent.report.ApmServerHealthChecker.call(ApmServerHealthChecker.java:47) [?:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_162]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_162]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_162]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
2021-01-26 11:45:54,255 [elastic-apm-server-healthcheck] DEBUG co.elastic.apm.agent.report.ApmServerHealthChecker - Starting healthcheck to https://XXXXX/
2021-01-26 11:45:54,255 [elastic-apm-remote-config-poller] DEBUG co.elastic.apm.agent.configuration.ApmServerConfigurationSource - Reloading configuration from APM Server https://XXXXXX/config/v1/agents
2021-01-26 11:45:54,270 [main] DEBUG co.elastic.apm.agent.bci.ElasticApmAgent - Type match for instrumentation ExecutorRunnableInstrumentation: (((((((((hasSuperType(erasure(name(equals(java.util.concurrent.Executor)))) and not(name(equals(org.apache.felix.resolver.ResolverImpl$DumbExecutor)))) and not(name(contains(jetty)))) and not(name(contains(tomcat)))) and not(name(contains(jboss)))) and not(name(contains(undertow)))) and not(name(contains(netty)))) and not(name(startsWith(com.hazelcast)))) and not((name(contains($Proxy)) or name(contains($$))))) and not(isInterface())) matches class java.util.concurrent.Executors$DelegatedExecutorService
2021-01-26 11:45:54,270 [main] DEBUG co.elastic.apm.agent.bci.ElasticApmAgent - Type match for instrumentation ExecutorCallableInstrumentation: (((((((((hasSuperType(erasure(name(equals(java.util.concurrent.Executor)))) and not(name(equals(org.apache.felix.resolver.ResolverImpl$DumbExecutor)))) and not(name(contains(jetty)))) and not(name(contains(tomcat)))) and not(name(contains(jboss)))) and not(name(contains(undertow)))) and not(name(contains(netty)))) and not(name(startsWith(com.hazelcast)))) and not((name(contains($Proxy)) or name(contains($$))))) and not(isInterface())) matches class java.util.concurrent.Executors$DelegatedExecutorService
2021-01-26 11:45:54,272 [main] DEBUG co.elastic.apm.agent.bci.ElasticApmAgent - Type match for instrumentation ExecutorInvokeAnyAllInstrumentation: (((((((((hasSuperType(erasure(name(equals(java.util.concurrent.Executor)))) and not(name(equals(org.apache.felix.resolver.ResolverImpl$DumbExecutor)))) and not(name(contains(jetty)))) and not(name(contains(tomcat)))) and not(name(contains(jboss)))) and not(name(contains(undertow)))) and not(name(contains(netty)))) and not(name(startsWith(com.hazelcast)))) and not((name(contains($Proxy)) or name(contains($$))))) and not(isInterface())) matches class java.util.concurrent.Executors$DelegatedExecutorService
2021-01-26 11:45:54,280 [elastic-apm-server-healthcheck] WARN co.elastic.apm.agent.report.ApmServerHealthChecker - Elastic APM server https://XXXXX/ is not available (java.lang.NullPointerException)
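/**
 * Builds an {@link SSLSocketFactory} whose server-trust decisions are delegated to
 * {@code trustAllCerts}. The {@code "TLS"} context algorithm is tried first; the legacy
 * {@code "SSL"} name is only used as a fallback when the installed providers do not
 * register {@code "TLS"} (both names are aliases in SunJSSE, but FIPS or third-party
 * providers may register only one of them).
 *
 * <p>Security note: the parameter name suggests a TrustManager that accepts every
 * certificate. Such a manager disables server authentication, so it should only be
 * supplied when certificate verification has been deliberately turned off by
 * configuration. Under a FIPS-restricted SunJSSE, {@code SSLContext.init} rejects
 * TrustManagers that are not SunJSSE's own with a {@link KeyManagementException}
 * ("FIPS mode: only SunJSSE TrustManagers may be used" in the stack trace of this
 * thread); in that mode only the provider defaults ({@code null} trust managers) work.
 *
 * @param trustAllCerts trust managers handed to {@code SSLContext.init}; {@code null}
 *                      selects the provider defaults
 * @return the socket factory, or {@code null} when no context could be created or
 *         initialised. Callers must handle the {@code null} return; the downstream
 *         NullPointerException logged in this thread is consistent with it not being
 *         handled.
 */
private static SSLSocketFactory createSocketFactory(TrustManager[] trustAllCerts) {
    // "TLS" first: "SSL" is a legacy alias that some providers do not register at all.
    final String[] candidates = {"TLS", "SSL"};
    try {
        for (String algorithm : candidates) {
            SSLContext sslContext;
            try {
                sslContext = SSLContext.getInstance(algorithm);
            } catch (NoSuchAlgorithmException e) {
                logger.warn(e.getMessage(), e);
                logger.warn("SSLContext algorithm " + algorithm + " is not available, trying the next candidate");
                continue;
            }
            // No key managers: this is a client-side factory. The explicit SecureRandom
            // keeps the original behaviour rather than relying on the provider default.
            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
            return sslContext.getSocketFactory();
        }
        logger.warn("Neither the TLS nor the SSL SSLContext algorithm is available");
        return null;
    } catch (KeyManagementException e) {
        // init() failed for all protocol names alike (e.g. FIPS mode rejecting a
        // non-SunJSSE TrustManager); retrying another algorithm would not help.
        logger.warn(e.getMessage(), e);
        return null;
    }
}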
We are using the CCJ jar file, and below is our java.security file:
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider CCJ
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
login.configuration.provider=sun.security.provider.ConfigFile
policy.provider=sun.security.provider.PolicyFile
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.expandProperties=true
policy.allowSystemProperty=true
policy.ignoreIdentityScope=false
keystore.type=BCFKS
keystore.type.compat=true
package.access=sun.,\
com.sun.xml.internal.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.corba.se.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
com.sun.org.apache.xerces.internal.,\
com.sun.org.apache.xpath.internal.,\
com.sun.org.apache.xalan.internal.extensions.,\
com.sun.org.apache.xalan.internal.lib.,\
com.sun.org.apache.xalan.internal.res.,\
com.sun.org.apache.xalan.internal.templates.,\
com.sun.org.apache.xalan.internal.utils.,\
com.sun.org.apache.xalan.internal.xslt.,\
com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
com.sun.org.apache.xalan.internal.xsltc.compiler.,\
com.sun.org.apache.xalan.internal.xsltc.trax.,\
com.sun.org.apache.xalan.internal.xsltc.util.,\
com.sun.org.apache.xml.internal.res.,\
com.sun.org.apache.xml.internal.resolver.helpers.,\
com.sun.org.apache.xml.internal.resolver.readers.,\
com.sun.org.apache.xml.internal.security.,\
com.sun.org.apache.xml.internal.serializer.utils.,\
com.sun.org.apache.xml.internal.utils.,\
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
jdk.nashorn.tools.,\
jdk.xml.internal.,\
com.sun.activation.registries.,\
com.sun.browser.,\
com.sun.glass.,\
com.sun.javafx.,\
com.sun.media.,\
com.sun.openpisces.,\
com.sun.prism.,\
com.sun.scenario.,\
com.sun.t2k.,\
com.sun.pisces.,\
com.sun.webkit.,\
jdk.management.resource.internal.
package.definition=sun.,\
com.sun.xml.internal.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.,\
com.sun.media.sound.,\
com.sun.naming.internal.,\
com.sun.proxy.,\
com.sun.corba.se.,\
com.sun.org.apache.bcel.internal.,\
com.sun.org.apache.regexp.internal.,\
com.sun.org.apache.xerces.internal.,\
com.sun.org.apache.xpath.internal.,\
com.sun.org.apache.xalan.internal.extensions.,\
com.sun.org.apache.xalan.internal.lib.,\
com.sun.org.apache.xalan.internal.res.,\
com.sun.org.apache.xalan.internal.templates.,\
com.sun.org.apache.xalan.internal.utils.,\
com.sun.org.apache.xalan.internal.xslt.,\
com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
com.sun.org.apache.xalan.internal.xsltc.compiler.,\
com.sun.org.apache.xalan.internal.xsltc.trax.,\
com.sun.org.apache.xalan.internal.xsltc.util.,\
com.sun.org.apache.xml.internal.res.,\
com.sun.org.apache.xml.internal.resolver.helpers.,\
com.sun.org.apache.xml.internal.resolver.readers.,\
com.sun.org.apache.xml.internal.security.,\
com.sun.org.apache.xml.internal.serializer.utils.,\
com.sun.org.apache.xml.internal.utils.,\
com.sun.org.glassfish.,\
com.oracle.xmlns.internal.,\
com.oracle.webservices.internal.,\
oracle.jrockit.jfr.,\
org.jcp.xml.dsig.internal.,\
jdk.internal.,\
jdk.nashorn.internal.,\
jdk.nashorn.tools.,\
jdk.xml.internal.,\
com.sun.activation.registries.,\
com.sun.browser.,\
com.sun.glass.,\
com.sun.javafx.,\
com.sun.media.,\
com.sun.openpisces.,\
com.sun.prism.,\
com.sun.scenario.,\
com.sun.t2k.,\
com.sun.pisces.,\
com.sun.webkit.,\
jdk.management.resource.internal.
security.overridePropertiesFile=true
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
networkaddress.cache.negative.ttl=10
krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC
jdk.xml.dsig.secureValidationPolicy=\
disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\
minKeySize RSA 1024,\
minKeySize DSA 1024,\
noDuplicateIds,\
noRetrievalMethodLoops