Elasticsearch 7.6.2 fails to start up with BCFKS enforcement

Mili_Kahi · February 26, 2021, 6:27pm

We have customized the entry point for Elasticsearch process. In that, we are enforcing to us BCFKS keystore. However, Elasticsearch xpack stack is trying to load with default keytype (JKS) and that is causing error in start up

Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BCFIPS
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67) ~[?:?]
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[?:1.8.0_282]
    at org.elasticsearch.xpack.core.ssl.KeyConfig$1.createKeyManager(KeyConfig.java:40) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:428) ~[?:?]
    at java.util.HashMap.computeIfAbsent(HashMap.java:1127) ~[?:1.8.0_282]
    at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:521) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$4(SSLService.java:497) ~[?:?]
    at java.util.HashMap.forEach(HashMap.java:1289) ~[?:1.8.0_282]
    at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:497) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]
    at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:130) ~[?:?]
    at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:259) ~[?:?]
    at org.elasticsearch.node.Node.lambda$new$9(Node.java:456) ~[elasticsearch-7.6.2.jar:7.6.2]
    at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:269) ~[?:1.8.0_282]
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384) ~[?:1.8.0_282]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_282]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_282]
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_282]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_282]
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[?:1.8.0_282]
    at org.elasticsearch.node.Node.<init>(Node.java:459) ~[elasticsearch-7.6.2.jar:7.6.2]
    at org.elasticsearch.node.Node.<init>(Node.java:257) ~[elasticsearch-7.6.2.jar:7.6.2]
    at org.elasticsearch.bootstrap.RqsBootstrap$5.<init>(RqsBootstrap.java:251) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    at org.elasticsearch.bootstrap.RqsBootstrap.setup(RqsBootstrap.java:250) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    at org.elasticsearch.bootstrap.RqsBootstrap.init(RqsBootstrap.java:353) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    at org.elasticsearch.bootstrap.RqsElasticsearch.init(RqsElasticsearch.java:185) ~[rqs-fips-elasticsearch-2.1-teshi-1-20210224.170126-1.jar:?]
    ... 6 more

Mili_Kahi · February 26, 2021, 6:28pm

Elasticsearch.yaml

xpack.security.enabled: false
xpack.watcher.enabled: false
xpack.monitoring.enabled: false
xpack.ml.enabled: false
xpack.graph.enabled: false

system · March 26, 2021, 6:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch wont start with FIPS Mode Enabled Elasticsearch elastic-stack-security	3	1337	September 6, 2021
Problem with keystore password was incorrect Elasticsearch elastic-stack-security	7	38204	March 23, 2019
BCFKS: mac check in CCM failed Elasticsearch elastic-stack-security	1	860	October 10, 2022
ElasticSearch FIPS (BouncyCastle) Elasticsearch elastic-stack-security	12	2853	June 2, 2022
Failed to ADD xpack.security.http.ssl.enabled Elasticsearch elastic-stack-security	4	1916	November 11, 2018

Elasticsearch 7.6.2 fails to start up with BCFKS enforcement

Related topics