Bug #12606

closed

Restricted java security policy breaks Rudder (class configured for Cipher (provider: BC) cannot be found)

Added by Alexis Mousset over 7 years ago. Updated over 7 years ago.

Status:
Released
Priority:
N/A
Category:
Documentation
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Priority:
92
Name check:
Fix check:
Regression:

Description

After upgrading a Rudder server from 4.1.7 to 4.3.1 on SLES11SP3, the server does not accept inventories anymore:

[2018-05-09 06:25:05] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'server-root.ocs'
[2018-05-09 06:25:05] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'server-root.ocs' parsed in 188 milliseconds ms, now checking signature
[2018-05-09 06:25:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:25:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:30:04] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs'
[2018-05-09 06:30:05] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs' parsed in 165 milliseconds ms, now checking signature
[2018-05-09 06:30:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:30:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs'
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs' parsed in 129 milliseconds ms, now checking signature
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent2-de6b815d-5d59-48bc-88bd-2fcbe79b53cd.ocs'
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent2-de6b815d-5d59-48bc-88bd-2fcbe79b53cd.ocs' parsed in 250 milliseconds ms, now checking signature
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:35:04] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs'
[2018-05-09 06:35:04] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs' parsed in 70 milliseconds ms, now checking signature
[2018-05-09 06:35:04] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:35:04] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
# java -version
java version "1.8.0_101" 
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

Workaround (also in comment 1 below):

- Edit $JAVA_HOME/jre/lib/security/java.security
- Look for lines like: security.provider.n=....
- Add a new line with n=previous max number+1 (for ex, if the last line starts with security.provider.9=... , use n=10):

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Related issues 1 (0 open, 1 closed)

Related to Rudder - Bug #12474: root node disappeared while upgrading from 4.1 to 4.3 on debian 9 (Released, Vincent MEMBRÉ)

Updated by François ARMAND over 7 years ago #1

  • Description updated (diff)
  • Target version changed from 4.3.2 to 4.1.12

There seems to be something strange with the use of Bouncy Castle as a security provider here. I thought it could be linked to a change made to be compatible with JDK 9/10 (https://www.rudder-project.org/redmine/issues/12557) but that one is not merged yet.

So it is perhaps linked to the very old JDK version here.

In all cases, a workaround is to add bouncy castle as a provider in Java Security provider. That can be done in a config file until the bug is corrected:

Edit $JAVA_HOME/jre/lib/security/java.security
Look for lines like: security.provider.n=....
Add a new line with n=previous max number+1 (for ex, if the last line starts with security.provider.9=... , use n=10):

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

The bug was found in 4.3, but we need to check if it is not also in 4.1. And in all cases, #12557 needs to be checked; perhaps it needs to include the Security.addProvider in bootstrap.
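The workaround described in the ticket description and in this comment, written out as a script. This is an added example, not Rudder's code and not something posted on this ticket: it finds the highest existing security.provider.n index in a java.security file and appends Bouncy Castle as n+1, exactly as the steps above say, and it refuses to add a second entry if that class is already registered. The file path is an assumption (Java 8 layout, $JAVA_HOME/jre/lib/security/java.security; on JDK 9+ the file is under $JAVA_HOME/conf/security/ instead), so the real path is passed as the first argument. Appending after the existing providers is deliberate: the JCA picks the first provider in that order that implements an algorithm, so BC registered last only serves algorithms that no built-in provider implements, or callers that ask for it by name, which is what Rudder does with provider "BC".

```shell
#!/bin/sh
# Added example, not part of Rudder or of this ticket: statically register the
# Bouncy Castle JCE provider in java.security, following the workaround steps
# (find the highest security.provider.n, add n+1).
#
# Usage: sh add_bc_provider.sh /path/to/java.security
# On a Java 8 JRE that path is $JAVA_HOME/jre/lib/security/java.security
# (assumption about the layout; on JDK 9+ it is $JAVA_HOME/conf/security/).

BC_CLASS="org.bouncycastle.jce.provider.BouncyCastleProvider"

# Highest n among "security.provider.n=..." lines in $1, or 0 if there is none.
# grep's exit status is irrelevant here: the pipeline's status is tail's.
max_provider_index() {
    n=$(grep -E '^security\.provider\.[0-9]+=' "$1" \
        | sed -E 's/^security\.provider\.([0-9]+)=.*/\1/' \
        | sort -n | tail -n 1)
    echo "${n:-0}"
}

# The line currently registering BC in $1, or nothing if BC is not registered.
# The dots in BC_CLASS are unescaped regex metacharacters; good enough here.
bc_provider_line() {
    grep -E "^security\.provider\.[0-9]+=${BC_CLASS}\$" "$1" || true
}

# Append BC as provider max+1 unless it is already registered, so running the
# script twice does not duplicate the entry. Prints the effective line.
add_bc_provider() {
    file="$1"
    existing=$(bc_provider_line "$file")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    next=$(( $(max_provider_index "$file") + 1 ))
    line="security.provider.${next}=${BC_CLASS}"
    printf '%s\n' "$line" >> "$file"
    echo "$line"
}

# With an argument, act on that file; without one, only define the functions.
if [ $# -ge 1 ]; then
    add_bc_provider "$1"
fi
```

Run it as root against the JRE actually used by the Rudder webapp (the one reported by `java -version` above, not necessarily the first `java` on PATH), then restart the webapp. This only registers the provider; it does not lift a restricted crypto policy, which is the separate check from comment 2 below.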

Updated by François ARMAND over 7 years ago #2

OK, this is stranger than I thought originally, because the error is in ldap-inventory, not the rudder webapp. And we do have, in inventory-provisioning-web/src/main/scala/com/normation/inventory/provisioning/endpoint/config/AppConfig.scala, as the first line in the class:

Security.addProvider(new BouncyCastleProvider());

It has been like that since 2015-05-11 14:42:28, so nothing changed recently on that.

So, the next idea is that the provided JVM does not have the "unlimited" security policy.

Could you please exec:

jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256 ? 0 : 1);'; echo $?

to find out?

Updated by François ARMAND over 7 years ago #3

  • Subject changed from Cannot accept inventory updates in 4.3.1 (BouncyCastle cannot be found) to Restricted java security policy breaks Rudder (class configured for Cipher (provider: BC) cannot be found)

Test executed, result = 1 => this is the problem.

I'm updating the ticket title accordingly.

The solution is to correctly document it, even if, now, all JVMs use the unrestricted policy by default.

Updated by François ARMAND over 7 years ago #4

  • Category set to Documentation
  • Assignee set to François ARMAND

Updated by François ARMAND over 7 years ago #5

  • Status changed from New to In progress

Updated by François ARMAND over 7 years ago #6

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-doc/pull/411

Updated by François ARMAND over 7 years ago #7

  • Status changed from Pending technical review to Pending release

Updated by Benoît PECCATTE over 7 years ago #8

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.1.12, 4.2.6 and 4.3.1 which were released today.

Updated by François ARMAND over 7 years ago #9

  • Related to Bug #12474: root node disappeared while upgrading from 4.1 to 4.3 on debian 9 added

Updated by François ARMAND over 7 years ago #10

  • Description updated (diff)
  • Priority changed from 94 to 92