ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
OS / ENVIRONMENT
RHEL 8 FIPS compliant system
SUMMARY
CloudStack uses multiple instances of non-FIPS-compliant features. This makes it impossible to work with in a FIPS compliant environment.
STEPS TO REPRODUCE
On a FIPS compliant system, build as instructed in https://docs.cloudstack.apache.org/en/latest/installguide/building_from_source.html:
On a FIPS compliant RHEL8 system, install and run cloudstack-management.service from https://download.cloudstack.org/centos/8/4.16/ as instructed in https://docs.cloudstack.apache.org/en/latest/installguide/overview/index.html.
See #6232 for why I do the chown and chmod steps.
[root@rwdj ~]# systemctl stop firewalld nftables
[root@rwdj ~]# systemctl start iptables
[root@rwdj ~]# dnf install cloudstack-management mysql-connector-java
[root@rwdj ~]# cloudstack-setup-databases cloud:<omitted> --deploy-as=root:<omitted> -i 127.0.0.1
[root@rwdj ~]# chown :cloud /etc/cloudstack/management/key
[root@rwdj ~]# chmod 0640 /etc/cloudstack/management/key
[root@rwdj ~]# cloudstack-setup-management
EXPECTED RESULTS
Able to build or run cloudstack-management.
ACTUAL RESULTS
Build
$ mvn -P deps
[INFO] Running com.cloud.utils.testcase.NioTest
2022-04-11 13:55:28,671 INFO [utils.testcase.NioTest] (main:) Setting up Benchmark Test
2022-04-11 13:55:28,695 INFO [utils.nio.NioServer] (main:) NioServer started and listening on /0:0:0:0:0:0:0:0:41907
2022-04-11 13:55:28,714 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:28,720 INFO [utils.testcase.NioTest] (MaliciousNioClientHandler-2:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.nio.NioClient] (NioClientHandler-1:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.nio.NioClient] (NioClientHandler-2:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:28,720 INFO [utils.testcase.NioTest] (MaliciousNioClientHandler-1:) Connecting to 127.0.0.1:41907
2022-04-11 13:55:29,715 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:30,715 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:31,716 DEBUG [utils.testcase.NioTest] (Time-limited test:) 0/2 tests done. Waiting for completion
2022-04-11 13:55:32,003 WARN [utils.nio.Link] (NioClientHandler-2:) Failed to load keystore, using trust all manager
2022-04-11 13:55:32,003 WARN [utils.nio.Link] (NioClientHandler-1:) Failed to load keystore, using trust all manager
2022-04-11 13:55:32,041 ERROR [utils.nio.Link] (NioTestServer-NioConnectionHandler-1:) CA service is not configured, by-passing CA manager to create SSL engine
2022-04-11 13:55:32,043 ERROR [utils.nio.NioConnection] (NioClientHandler-1:) Unable to initialize the threads.
java.io.IOException: Failed to initialise security
at com.cloud.utils.nio.NioClient.init(NioClient.java:82)
at com.cloud.utils.nio.NioConnection.start(NioConnection.java:95)
at com.cloud.utils.testcase.NioTest$ThreadedNioClient.run(NioTest.java:172)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
at java.base/sun.security.ssl.SSLContextImpl.chooseTrustManager(SSLContextImpl.java:133)
at java.base/sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:95)
at java.base/javax.net.ssl.SSLContext.init(SSLContext.java:297)
... 9 more
[...]
[INFO] Running com.cloud.utils.rest.HttpClientHelperTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.116 s <<< FAILURE! - in com.cloud.utils.rest.HttpClientHelperTest
[ERROR] testCreateClient(com.cloud.utils.rest.HttpClientHelperTest) Time elapsed: 0.115 s <<< ERROR!
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
at com.cloud.utils.rest.HttpClientHelperTest.testCreateClient(HttpClientHelperTest.java:33)
[INFO] Running com.cloud.utils.rest.BasicRestClientTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.087 s <<< FAILURE! - in com.cloud.utils.rest.BasicRestClientTest
[ERROR] com.cloud.utils.rest.BasicRestClientTest Time elapsed: 0.087 s <<< ERROR!
java.security.KeyManagementException: FIPS mode: only SunJSSE TrustManagers may be used
at com.cloud.utils.rest.BasicRestClientTest.setupClass(BasicRestClientTest.java:62)
Run
INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) (logid:) Loading module context [system] from URL [jar:file:/usr/share/cloudstack-management/lib/cloudstack-4.16.1.0.jar!/META-INF/cloudstack/bootstrap/spring-bootstrap-context-inheritable.xml]
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/usr/share/cloudstack-management/lib/cloudstack-4.16.1.0.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of net.sf.cglib.core.ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
INFO [c.c.u.d.T.Transaction] (main:null) (logid:) Is Data Base High Availiability enabled? Ans : false
WARN [c.c.u.d.T.Transaction] (main:null) (logid:) Unable to load db configuration, using defaults with 5 connections. Falling back on assumed datasource on localhost:3306 using username:password=cloud:<omitted>. Please check your configuration
org.jasypt.exceptions.EncryptionInitializationException: java.security.NoSuchAlgorithmException: PBEWithMD5AndDES SecretKeyFactory not available
at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.initialize(StandardPBEByteEncryptor.java:773)
at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.initialize(StandardPBEStringEncryptor.java:566)
at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:718)
at org.jasypt.properties.PropertyValueEncryptionUtils.decrypt(PropertyValueEncryptionUtils.java:72)
at org.jasypt.properties.EncryptableProperties.decode(EncryptableProperties.java:230)
at org.jasypt.properties.EncryptableProperties.getProperty(EncryptableProperties.java:172)
at com.cloud.utils.db.TransactionLegacy.initDataSource(TransactionLegacy.java:1034)
at com.cloud.utils.db.TransactionLegacy.<clinit>(TransactionLegacy.java:1008)
at com.cloud.utils.db.Merovingian2.<init>(Merovingian2.java:68)
at com.cloud.utils.db.Merovingian2.createLockController(Merovingian2.java:88)
at com.cloud.server.LockControllerListener.<init>(LockControllerListener.java:33)
... more
Caused by: com.mysql.cj.exceptions.SSLParamsException: Cannot open file:NONE [NONE (No such file or directory)]
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
... 90 more
Caused by: java.io.FileNotFoundException: NONE (No such file or directory)
at java.base/java.io.FileInputStream.open0(Native Method)
at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
... 90 more
Upon checking, I found utils/src/main/java/com/cloud/utils/crypt/DBEncryptionUtil.java#L81, where PBEWithMD5AndDES is not FIPS compliant. I'm concerned there are also other spots to check that I can't check because it doesn't build, which brings me to the extent of my knowledge.
FIPS compliance can be a stickler, because the core documentation isn't very clear from what I can find. Regarding PBEWithMD5AndDES, after a few searches, the clearest documentation on approved algorithms I could find was this (which is out of date with FIPS 140-3 existing, but probably still correct enough): https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2261.pdf
And additional resources that may prove useful:
https://github.com/jasypt/jasypt/blob/master/jasypt/src/main/java/org/jasypt/util/text/AES256TextEncryptor.java
https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#cipher-algorithm-names
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening
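One way to look for the "other spots" without a working build, as an added example that is not part of the original issue or of CloudStack's code: a static scan of Java sources for algorithm-name strings that embed non-approved primitives and for application-defined trust managers, the two failure classes in the logs above. The `WEAK` list, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

LITERAL = re.compile(r'"([A-Za-z0-9_/\-]+)"')          # candidate JCA algorithm names
SPLIT = re.compile(r'with|and|[/_\-]', re.IGNORECASE)   # PBEWithMD5AndDES -> PBE, MD5, DES
# Primitives that are not FIPS-approved; the list is an assumption, extend it to match your policy.
WEAK = {"MD2", "MD5", "DES", "RC2", "RC4", "ARCFOUR"}
# Application-defined trust managers, which SunJSSE refuses in FIPS mode.
CUSTOM_TM = re.compile(r'(implements|new)\s+X509(Extended)?TrustManager\b')

def weak_parts(name):
    """Return the non-approved primitives named inside one algorithm string."""
    parts = (re.sub(r'^hmac', '', p, flags=re.IGNORECASE).upper() for p in SPLIT.split(name))
    return sorted({p for p in parts if p in WEAK})

def scan_source(text):
    """Return (line_number, kind, detail) findings for one Java source text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # skip comment lines
        for name in LITERAL.findall(line):
            hits = weak_parts(name)
            if hits:
                findings.append((no, "algorithm", f"{name}: {', '.join(hits)}"))
        if CUSTOM_TM.search(line):
            findings.append((no, "trust-manager", line.strip()))
    return findings

def scan_tree(root):
    """Scan every .java file under root without compiling anything."""
    return {str(p): f for p in Path(root).rglob("*.java")
            if (f := scan_source(p.read_text(errors="replace")))}

# Constructed sample input, not CloudStack source.
SAMPLE = '''\
encryptor.setAlgorithm("PBEWithMD5AndDES");
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
Mac m = Mac.getInstance("HmacSHA256");
TrustManager[] tms = { new X509TrustManager() {
MessageDigest d = MessageDigest.getInstance("MD5");
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Findings are candidates for review rather than confirmed violations: a matching string may be a checksum label instead of a JCA algorithm name, and algorithm names built at runtime are not seen.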