Elasticsearch 7.6.2 fails to start up with BCFKS enforcement

Mili_Kahi · February 26, 2021, 6:27pm

We have customized the entry point for Elasticsearch process. In that, we are enforcing to us BCFKS keystore. However, Elasticsearch xpack stack is trying to load with default keytype (JKS) and that is causing error in start up

Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BCFIPS
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67) ~[?:?]
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[?:1.8.0_282]
    at org.elasticsearch.xpack.core.ssl.KeyConfig$1.createKeyManager(KeyConfig.java:40) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:428) ~[?:?]
    at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_282]
    at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:521) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$4(SSLService.java:497) ~[?:?]
    at java.util.HashMap.forEach(HashMap.java:1289) ~[?:1.8.0_282]
    at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:497) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:130) ~[?:?]
    at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:259) ~[?:?]
    at org.elasticsearch.node.Node.lambda$new$9(Node.java:456) ~[elasticsearch-7.6.2.jar:7.6.2]
    at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:269) ~[?:1.8.0_282]
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384) ~[?:1.8.0_282]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_282]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_282]
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_282]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_282]
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[?:1.8.0_282]
    at org.elasticsearch.node.Node.<init>(Node.java:459) ~[elasticsearch-7.6.2.jar:7.6.2]
    at org.elasticsearch.node.Node.<init>(Node.java:257) ~[elasticsearch-7.6.2.jar:7.6.2]
    at org.elasticsearch.bootstrap.RqsBootstrap$5.<init>(RqsBootstrap.java:251) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    at org.elasticsearch.bootstrap.RqsBootstrap.setup(RqsBootstrap.java:250) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    at org.elasticsearch.bootstrap.RqsBootstrap.init(RqsBootstrap.java:353) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    at org.elasticsearch.bootstrap.RqsElasticsearch.init(RqsElasticsearch.java:185) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    ... 6 more

Mili_Kahi · February 26, 2021, 6:28pm

Elasticsearch.yaml

xpack.security.enabled: false
xpack.watcher.enabled: false
xpack.monitoring.enabled: false
xpack.ml.enabled: false
xpack.graph.enabled: false

system · March 26, 2021, 6:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.