fips support #1893
fips support #1893
Conversation
|
To help provide some testing of this PR , does one need to enable a profile or another parameter to test all the FIPS test cases or its all included in mvn install ? |
|
what I have done in this PR
|
Hi @jgoodyear , Cheers |
|
Is there a FIPS enabled build host on Apache infra? (CXF has ubuntu and windows test hosts, would be nice if the FIPS paths are regularly tested as well). |
|
Non-FIPS builds of CXF-9008 branch: Stream 9 OS with Eclipse Adoptium 17 on PPC64LE Passed. |
|
FIPS mode enabled on Stream 9 OS: ` FIPS mode is enabled. [jgoodyear@localhost ~]$ uname -a Linux localhost.localdomain 5.14.0-447.el9.ppc64le #1 SMP Tue May 7 10:29:50 UTC 2024 ppc64le ppc64le ppc64le GNU/Linux Invocation:
Error Message: ` [INFO] --- surefire:3.2.5:test (default-test) @ cxf-core --- [INFO] Using auto detected provider org.apache.maven.surefire.junit4.JUnit4Provider [INFO] [INFO] ------------------------------------------------------- [INFO] T E S T S [INFO] ------------------------------------------------------- java.lang.RuntimeException: Restricted security mode is not supported on this platform. Maven/Java versions: ` Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae) Maven home: /home/jgoodyear/Documents/x1/maven/apache-maven-3.9.6 Java version: 17.0.8.1, vendor: IBM Corporation, runtime: /usr/lib/jvm/ibm-semeru-open-17-jdk Default locale: en_US, platform encoding: UTF-8 OS name: "linux", version: "5.14.0-447.el9.ppc64le", arch: "ppc64le", family: "unix" Its very possible I do not have a complete FIPS configuration for this system, that being said, enabling FIPS on the OS, and passing to Semeru fips=true should be the out of the box requirement for basic use. Any pointers welcome :) This is a very cool feature to support for CXF. |
Hi @jgoodyear , Thanks for testing with this PR. I'm not sure how to configure the environment you are using. Just FYI, my FIPS testing machine is like And If I do "mvn clean install -Pfips" I get a green build on that machine Freeman |
|
No additions to your settings xml ? I'll try the older Maven version, and RH OpenJDK 17 (want to verify using FIPS doesn't require a higher version than main builds). |
No additions to my settings.xml. And I think you need to use JDK21(LTS version) to get all tests passed with FIPS mode, because KW and KWP were added to PKCS11 provider(this is the FIPS compliant security provider) since JDK18, JDK17 missed this part. Please see |
|
Interesting, thanks for that heads up -- will re-try Semeru on version 21 as well. |
|
As a heads up, IBM Semeru 17.0.10 is where FIPS support begins - i had 17.0.8. |
|
Using Semeru 17.0.10 I got to : In which the error messages were of the form: ` or org.apache.cxf.binding.soap.SoapFault: Security processing failed.
Will try Semeru 21 now |
|
Semeru 21 had class not found error, ` [INFO] Apache CXF ......................................... SUCCESS [ 0.217 s] [INFO] Apache CXF BOM ..................................... SUCCESS [ 0.011 s] [INFO] Apache CXF Parent .................................. SUCCESS [ 1.125 s] [INFO] Apache CXF Core .................................... FAILURE [ 19.362 s] I'll take a deeper look on Semeru 17 tomorrow. |
A quick question, did you manually applied this PR to WSS4J first and build locally |
Hi @jgoodyear , Not an expert for IBM JDK configuration, but per the IBM doc here I guess somehow the testing environment/machine/jdk isn't fully FIPS ready? Best Regards |
|
Ah, no - will update for that tomorrow :) |
|
Hi @coheigea , Could you please review this PR when you have free cycle? This also requires a PR from Apache WSS4J side Thanks! |
No description provided.