Spring Cloud Config Client Native test: FIPS enabled native-image: "only SunJSSE TrustManagers may be used"

Describe the bug

Spring Cloud Config Client test works fine with FIPS aware HotSpot, but the test fails to start with FIPS aware native-image.

TODO: Check Wiremock in HotSpot vs Native and how it is used here.

Notes from Severin: Only PKCS11 NSS certificates may be used in FIPS mode. See: https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index#trust_anchor_certificates

HotSpot (FIPS enabled)

[INFO] Quarkus - Integration Tests - Spring Cloud Config Client SUCCESS [  8.551 s]

Native (FIPS disabled)

Starting WireMock with following params: --root-dir=/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/classes --port=8089 --disable-banner
Logging initialized @6920ms
jetty-9.2.28.v20190418
Started o.e.j.s.ServletContextHandler@c194c4e{/__admin,null,AVAILABLE}
Started o.e.j.s.ServletContextHandler@4def900a{/,null,AVAILABLE}
Started NetworkTrafficServerConnector@6ab6ec33{HTTP/1.1}{0.0.0.0:8089}
Started @7010ms

The WireMock server is started .....
port:                         8089
enable-browser-proxying:      false
disable-banner:               true
no-request-journal:           false
verbose:                      false


--- maven-resources-plugin:3.1.0:testResources (default-testResources) @ quarkus-integration-test-spring-cloud-config-client ---
Using 'UTF-8' encoding to copy filtered resources.
skip non existing resourceDirectory /home/karm/quarkus/integration-tests/spring-cloud-config-client/src/test/resources

--- maven-compiler-plugin:3.8.1:testCompile (default-testCompile) @ quarkus-integration-test-spring-cloud-config-client ---
Nothing to compile - all classes are up to date

--- maven-surefire-plugin:3.0.0-M5:test (default-test) @ quarkus-integration-test-spring-cloud-config-client ---

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running io.quarkus.spring.cloud.config.client.runtime.GreetingResourceTest
[org.jbo.threads] (main) JBoss Threads version 3.4.2.Final
[io.quarkus] (main) Quarkus 999-SNAPSHOT on JVM started in 1.810s. Listening on: http://localhost:8081
[io.quarkus] (main) Profile test activated. 
[io.quarkus] (main) Installed features: [cdi, config-yaml, resteasy, smallrye-context-propagation, spring-cloud-config-client, vertx]
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.26 s - in io.quarkus.spring.cloud.config.client.runtime.GreetingResourceTest
[io.quarkus] (main) a-bootiful-client stopped in 0.065s
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO] 
[INFO] 
[INFO] --- quarkus-maven-plugin:999-SNAPSHOT:build (default) @ quarkus-integration-test-spring-cloud-config-client ---
[INFO] [io.quarkus.deployment.pkg.steps.JarResultBuildStep] Building native image source jar: /home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-native-image-source-jar/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.jar
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildStep] Building native image from /home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-native-image-source-jar/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.jar
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildStep] Running Quarkus native-image plugin on native-image 21.3.1.0-Final Mandrel Distribution (Java Version 11.0.14+9)
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildRunner] /home/karm/mandrel-java11-21.3.1.0-Final/bin/native-image -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dsun.nio.ch.maxUpdateArraySize=100 -J-Dvertx.logger-delegate-factory-class-name=io.quarkus.vertx.core.runtime.VertxLogDelegateFactory -J-Dvertx.disableDnsResolver=true -J-Dio.netty.leakDetection.level=DISABLED -J-Dio.netty.allocator.maxOrder=3 -J-Duser.language=en -J-Duser.country=US -J-Dfile.encoding=UTF-8 -H:-ParseOnce -J--add-exports=java.security.jgss/sun.security.krb5=ALL-UNNAMED -J--add-opens=java.base/java.text=ALL-UNNAMED -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy\$BySpaceAndTime -H:+JNI -H:+AllowFoldMethods -J-Djava.awt.headless=true -H:FallbackThreshold=0 -H:+ReportExceptionStackTraces -H:-AddAllCharsets -H:EnableURLProtocols=http,https -H:NativeLinkerOption=-no-pie -H:-UseServiceLoaderFeature -H:+StackTrace quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner -jar quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.jar
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]    classlist:   3,048.27 ms,  0.96 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        (cap):     575.15 ms,  0.96 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        setup:   2,560.47 ms,  0.96 GB
11:48:53,079 INFO  [org.jbo.threads] JBoss Threads version 3.4.2.Final
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     (clinit):     800.42 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]   (typeflow):   4,273.34 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]    (objects):  37,227.83 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]   (features):   1,744.40 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     analysis:  45,948.94 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     universe:   3,504.46 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]      (parse):   4,838.33 ms,  5.13 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]     (inline):   7,229.20 ms,  5.65 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]    (compile):  30,984.73 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]      compile:  45,348.73 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        image:   3,500.98 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]        write:     577.36 ms,  5.02 GB
[quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner:40943]      [total]: 104,823.76 ms,  5.02 GB
# Printing build artifacts to: /home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-native-image-source-jar/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner.build_artifacts.txt
[INFO] [io.quarkus.deployment.pkg.steps.NativeImageBuildRunner] objcopy --strip-debug quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner
[INFO] [io.quarkus.deployment.QuarkusAugmentor] Quarkus augmentation completed in 108223ms
[INFO] 
[INFO] --- maven-failsafe-plugin:3.0.0-M5:integration-test (default) @ quarkus-integration-test-spring-cloud-config-client ---
[INFO] 
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running io.quarkus.spring.cloud.config.client.runtime.GreetingResourceIT
[INFO] RequestHandlerClass from context returned com.github.tomakehurst.wiremock.http.StubRequestHandler. Normalized mapped under returned 'null'
[org.jbo.threads] (main) JBoss Threads version 3.4.2.Final
Executing "/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus-integration-test-spring-cloud-config-client-999-SNAPSHOT-runner -Dquarkus.http.port=8081 -Dquarkus.http.ssl-port=8444 -Dtest.url=http://localhost:8081 -Dquarkus.log.file.path=/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/quarkus.log -Dquarkus.log.file.enable=true"
__  ____  __  _____   ___  __ ____  ______ 
 --/ __ \/ / / / _ | / _ \/ //_/ / / / __/ 
 -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \   
--\___\_\____/_/ |_/_/|_/_/|_|\____/___/   
[io.quarkus] (main) a-bootiful-client 999-SNAPSHOT native (powered by Quarkus 999-SNAPSHOT) started in 0.133s. Listening on: http://0.0.0.0:8081
[io.quarkus] (main) Profile prod activated. 
[io.quarkus] (main) Installed features: [cdi, config-yaml, resteasy, smallrye-context-propagation, spring-cloud-config-client, vertx]
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 3.183 s - in io.quarkus.spring.cloud.config.client.runtime.GreetingResourceIT
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

Native (FIPS enabled)

[INFO] Starting WireMock with following params: --root-dir=/home/karm/quarkus/integration-tests/spring-cloud-config-client/target/classes --port=8089 --disable-banner
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[ERROR] FIPS mode: only SunJSSE TrustManagers may be used

Expected behavior

Passes both for FIPS enabled HotSpot and FIPS enabled Native.

Actual behavior

FIPS enabled Native fails.

How to Reproduce?

On a FIPS enforcing system, using FIPS aware native-image:

./mvnw clean install -Dquickly -pl '!devtools/gradle,!devtools/gradle/gradle-model,!devtools/gradle/gradle-extension-plugin,!devtools/gradle/gradle-application-plugin,!integration-tests/gradle'
./mvnw verify -f integration-tests/pom.xml --fail-at-end --batch-mode -Dno-format -DfailIfNoTests=false -Dnative -pl spring-cloud-config-client

Output of uname -a or ver

Linux rhel9fips 5.14.0-63.el9.x86_64

Output of java -version

Red Hat build of OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode)

GraalVM version (if different from Java)

No response

Quarkus version or git rev

95cc838

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

1 reaction
Karm commented, Feb 25, 2022

@jerboaa Ack. I have used wiremock in the past. I will take a look at the setup here.
I am not dumping these issues on you to investigate immediately. My angle is to record those (two more I think) so as we can go deeper later and suggest changes.

1 reaction
Karm commented, Feb 25, 2022

@geoand We will investigate and either provide a FIPS compatible fix or document it as FIPS incompatible for the time being.
