
Bug #12606

Restricted java security policy breaks Rudder (class configured for Cipher(provider: BC)cannot be found)

Added by Alexis MOUSSET 7 months ago. Updated 5 months ago.

Status:
Released
Priority:
N/A
Category:
Documentation
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Priority:
92

Description

After upgrading a Rudder server from 4.1.7 to 4.3.1 on SLES11SP3, the server does not accept inventories anymore:

[2018-05-09 06:25:05] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'server-root.ocs'
[2018-05-09 06:25:05] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'server-root.ocs' parsed in 188 milliseconds ms, now checking signature
[2018-05-09 06:25:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:25:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:30:04] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs'
[2018-05-09 06:30:05] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs' parsed in 165 milliseconds ms, now checking signature
[2018-05-09 06:30:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:30:05] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs'
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs' parsed in 129 milliseconds ms, now checking signature
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent2-de6b815d-5d59-48bc-88bd-2fcbe79b53cd.ocs'
[2018-05-09 06:30:35] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent2-de6b815d-5d59-48bc-88bd-2fcbe79b53cd.ocs' parsed in 250 milliseconds ms, now checking signature
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:30:35] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
[2018-05-09 06:35:04] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - New input inventory: 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs'
[2018-05-09 06:35:04] INFO  com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Inventory 'agent1-2dc769fa-a7c0-4733-ad2e-08b9046b20b6.ocs' parsed in 70 milliseconds ms, now checking signature
[2018-05-09 06:35:04] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Failure(class configured for Signature (provider: BC) cannot be found.,Empty,Empty)
[2018-05-09 06:35:04] ERROR com.normation.inventory.provisioning.endpoint.FusionReportEndpoint - Error when trying to check inventory signature <- class configured for Signature (provider: BC) cannot be found.
# java -version
java version "1.8.0_101" 
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

Workaround (also in comment 1 below):

- Edit $JAVA_HOME/jre/lib/security/java.security
- Look for lines like: security.provider.n=....
- Add a new line with n=previous max number+1 (for ex, if the last line starts with security.provider.9=... , use n=10):

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

Related issues

Related to Rudder - Bug #12474: root node disapeared while upgrading from 4.1 to 4.3 on debian 9 (Released)

Associated revisions

Revision a402c3e1 (diff)
Added by François ARMAND 7 months ago

Fixes #12606: Restricted java security policy breaks Rudder (class configured for Cipher(provider: BC)cannot be found)

History

#1 Updated by François ARMAND 7 months ago

  • Description updated (diff)
  • Target version changed from 4.3.2 to 4.1.12

There seems to be something strange with the use of bouncy castle as a security provider here. I thought it could be linked to a change to be compatible with JDK 9/10 (https://www.rudder-project.org/redmine/issues/12557) but that one is not merged yet.

So it is perhaps linked to the very old JDK version here.

In all cases, a workaround is to add bouncy castle as a provider in Java Security provider. That can be done in a config file until the bug is corrected:

Edit $JAVA_HOME/jre/lib/security/java.security
Look for lines like: security.provider.n=....
Add a new line with n=previous max number+1 (for ex, if the last line starts with security.provider.9=... , use n=10):

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

The bug was found in 4.3, but we need to check if it is not also in 4.1. And in all cases, #12557 needs to be checked, perhaps it needs to include the Security.addProvider in bootstrap.

#2 Updated by François ARMAND 7 months ago

OK, this is stranger than I thought originally, because the error is in ldap-inventory, not rudder webapp. And we do have in inventory-provisioning-web/src/main/scala/com/normation/inventory/provisioning/endpoint/config/AppConfig.scala, first line in the class:

Security.addProvider(new BouncyCastleProvider());

It's like that since 2015-05-11 14:42:28, so nothing changed recently on that.

So, the next idea is that the provided JVM was not configured with security level "unlimited".

Could you please exec:

jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256 ? 0 : 1);'; echo $?

To find out?

#3 Updated by François ARMAND 7 months ago

  • Subject changed from Cannot accept inventory updates in 4.3.1 (BouncyCstle cannot be found) to Restricted java security policy breaks Rudder (class configured for Cipher(provider: BC)cannot be found)

Test executed, result = 1 => this is the problem.

I'm updating the ticket title accordingly.

The solution is to correctly document it, even if now all JVMs use the unrestricted policy by default.
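
The following script is an added example and is not Rudder project code or part of the rudder-doc change. It packages the two steps discussed in comments #1 and #2: the jrunscript probe that reports whether the JVM is running under the restricted crypto policy (exit status 1, as seen in comment #3), and the java.security edit from the workaround, done idempotently by computing the next free security.provider.n index instead of hard-coding 10. The provider class name and the JDK 8 file layout ($JAVA_HOME/jre/lib/security/java.security) are taken from the ticket; the sample java.security fragment at the bottom is constructed for the demonstration and is not a real JDK file. Two caveats from the editor, not from the ticket: a provider listed statically in java.security only takes effect if the JVM's system class loader can load it (on JDK 8, the bcprov jar in $JAVA_HOME/jre/lib/ext or on the classpath; otherwise the entry is silently skipped), and the root fix for a restricted policy on a JVM this old is to install the JCE Unlimited Strength policy files (JDK 8u151 and later expose this as the crypto.policy property, which defaults to unlimited from 8u161).

```shell
#!/bin/sh
# Added example (not Rudder code): probe for a restricted JCE policy and register
# Bouncy Castle statically in java.security, as in the ticket's workaround.
# Assumes a JDK 8 layout and that the BC jar is loadable by the JVM.
set -eu

BC_PROVIDER='org.bouncycastle.jce.provider.BouncyCastleProvider'

# Exit 0 when the JVM allows unlimited key lengths, 1 under the restricted
# policy. Same probe as in comment #2; requires jrunscript on PATH.
check_unlimited_policy() {
    jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256 ? 0 : 1);'
}

# Print the highest n among security.provider.n=... lines of the given file
# (empty output when the file has no provider lines).
max_provider_index() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1
}

# Append security.provider.<max+1>=<BC class> unless BC is already registered.
# Prints the index BC sits at so the caller can verify; safe to run twice.
add_bc_provider() {
    file="$1"
    existing=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)='"$BC_PROVIDER"'$/\1/p' "$file")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    max=$(max_provider_index "$file")
    next=$(( ${max:-0} + 1 ))
    printf 'security.provider.%s=%s\n' "$next" "$BC_PROVIDER" >> "$file"
    echo "$next"
}

# Demonstration on a constructed java.security fragment (not a real JDK file),
# so the script runs offline. For a real JVM, call it on
# "$JAVA_HOME/jre/lib/security/java.security" after running check_unlimited_policy.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed fragment in the format of JDK 8's java.security
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.9=sun.security.smartcardio.SunPCSC
EOF
idx=$(add_bc_provider "$demo")
echo "Bouncy Castle registered as security.provider.$idx:"
grep "^security\.provider\.$idx=" "$demo"
rm -f "$demo"
```

Run the probe first: if check_unlimited_policy returns 1 the JVM is under the restricted policy and the provider entry alone may not be enough. Re-run add_bc_provider after any JRE package upgrade, since the package manager can replace java.security and drop the added line.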

#4 Updated by François ARMAND 7 months ago

  • Category set to Documentation
  • Assignee set to François ARMAND

#5 Updated by François ARMAND 7 months ago

  • Status changed from New to In progress

#6 Updated by François ARMAND 7 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Alexis MOUSSET
  • Pull Request set to https://github.com/Normation/rudder-doc/pull/411

#7 Updated by François ARMAND 7 months ago

  • Status changed from Pending technical review to Pending release

#8 Updated by Benoît PECCATTE 6 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.1.12, 4.2.6 and 4.3.1 which were released today.

#9 Updated by François ARMAND 5 months ago

  • Related to Bug #12474: root node disapeared while upgrading from 4.1 to 4.3 on debian 9 added

#10 Updated by François ARMAND 5 months ago

  • Description updated (diff)
  • Priority changed from 94 to 92
