DOC-479: add setup FIPS tips #1757
+55
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -222,3 +222,58 @@ For the | |
| information, e.g., `TLSv1.3`. It ensures the engine won't allow a fallback to an old, insecure version. | ||
|
|
||
| * `validateIdentity`: Flag which allows enabling endpoint identity validation. It means, during the TLS handshake client verifies if the server's hostname (or IP address) matches the information in X.509 certificate (Subject Alternative Name extension). Possible values are `"true"` and `"false"` (default). | ||
|
|
||
| == Troubleshooting FIPS setup | ||
|
|
||
| This section helps you resolve errors sometimes encountered when enabling FIPS mode. | ||
|
|
||
| **Problem: Failed to load libraries** | ||
|
|
||
| You get an error similar to: | ||
|
|
||
| `java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty_tcnative_linux_aarch_64_fedora, netty_tcnative_linux_aarch_64, netty_tcnative_aarch_64, netty_tcnative]` | ||
|
|
||
| **Reason** | ||
|
|
||
| This error can occur if you use the generic netty-tcnative JAR file rather than the platform-specific version. | ||
|
|
||
| **Resolution** | ||
|
|
||
| To ensure the correct library is used, specify the platform-specific netty-tcnative jar file. For example, for aarch_64: | ||
|
|
||
| `netty-tcnative-2.0.69.Final-linux-aarch_64.jar` | ||
|
There was a problem hiding this comment. Where do you specify this? There was a problem hiding this comment. I'll let @shultseva comment and, if necessary, provide more information beyond what's in the support ticket. |
||
|
|
||
| NOTE: At the time of writing, this jar file is unavailable in Maven Central, so you may need to build it manually. | ||
|
|
||
| **Problem: BCFKS not found** | ||
|
|
||
| You get an error similar to: | ||
|
|
||
| `com.hazelcast.core.HazelcastException: java.security.KeyStoreException: BCFKS not found` | ||
|
|
||
| **Reason** | ||
|
|
||
| This error occurs when the Java runtime doesn't recognize the BCFKS keystore type, which is provided by the BouncyCastle provider. This can happen for several reasons — for example, the issue may be caused by using the wrong keystore type. | ||
|
|
||
| **Resolution** | ||
|
|
||
| Switch to BCFKS for the keystore and truststore to resolve the problem. | ||
|
There was a problem hiding this comment. I'll let @shultseva comment and, if necessary, provide more information beyond what's in the support ticket. |
||
|
|
||
| **Problem: Java module access** | ||
|
|
||
| You get an error similar to: | ||
|
|
||
| `java.lang.IllegalAccessError or unnamed module cannot access class` | ||
|
|
||
| **Reason** | ||
|
|
||
| These are general Java module access issues which are not specific to Hazelcast or FIPS. A typical example is given below. | ||
amandalindsay marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| **Resolution** | ||
|
|
||
| Try adding the export option to the Java command. One method is to include the following in your Java command to allow access to internal classes: | ||
|
There was a problem hiding this comment. What Java command? The rest of this section is all file-based configuration. There was a problem hiding this comment. I'll let @shultseva comment and, if necessary, provide more information beyond what's in the support ticket. |
||
|
|
||
| [source] | ||
| ---- | ||
| export JAVA_OPTS="--add-exports java.base/sun.security.provider=ALL-UNNAMED" | ||
| ---- | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this would fit better in security/fips-140-2. Most users of this section won't be interested in FIPS; 100% of users of that section will be. It's already linked from the relevant config field here.
Maybe sub-headings, a bulleted list or a table would make it a bit easier to read too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shultseva Where is this information best located for readers: in the advanced security/fips-140-2 section, or where it currently is in integrating Open/BoringSSL?