Issue Tracker: https://issues.rudder.io/
Rudder - Bug #12606: Restricted java security policy breaks Rudder (class configured for Cipher(provider: BC)cannot be found)
https://issues.rudder.io/issues/12606?journal_id=91502 2018-05-09T09:04:52Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/91502/diff?detail_id=117099">diff</a>)</li><li><strong>Target version</strong> changed from <i>4.3.2</i> to <i>4.1.12</i></li></ul><p>There seems to be something strange with the use of bouncy castle as a security provider here. I thought it could be linked to a change to be compatible with JDK 9/10 (<a class="external" href="https://www.rudder-project.org/redmine/issues/12557">https://www.rudder-project.org/redmine/issues/12557</a>) but that one is not merged yet.</p>
<p>So it is perhaps linked to the very old JDK version here.</p>
<p>In all cases, a workaround is to add bouncy castle as a provider in Java Security provider. That can be done in a config file until the bug is corrected:</p>
<p>Edit <strong>$JAVA_HOME/jre/lib/security/java.security</strong><br />Look for lines like: <strong>security.provider.n=....</strong> <br />Add a new line with n=previous max number+1 (for ex, if the last line starts with security.provider.9=... , use n=10):</p>
<pre>
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
</pre>
<p>The bug was found in 4.3, but we need to check if it is not also in 4.1. And in all cases, <a class="issue tracker-1 status-5 priority-16 priority-default closed" title="Bug: Java 9 / Java 10 compatibility: javax/xml/bind removed (Released)" href="https://issues.rudder.io/issues/12557">#12557</a> needs to be checked, perhaps it needs to include the Security.addProvider in bootstrap.</p>
https://issues.rudder.io/issues/12606?journal_id=91503 2018-05-09T11:15:04Z François ARMAND francois.armand@rudder.io
<ul></ul><p>OK, this is stranger than I thought originally, because the error is in ldap-inventory, not rudder webapp. And we do have in <strong>inventory-provisioning-web/src/main/scala/com/normation/inventory/provisioning/endpoint/config/AppConfig.scala</strong>, first line in the class:</p>
<pre>
Security.addProvider(new BouncyCastleProvider());
</pre>
<p>It's like that since 2015-05-11 14:42:28, so nothing changed recently on that.</p>
<p>So, the next idea is that the provided JVM was not with security level "unlimited".</p>
<p>Could you please exec:</p>
<pre>
jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256 ? 0 : 1);'; echo $?
</pre>
<p>To know?</p>
https://issues.rudder.io/issues/12606?journal_id=91504 2018-05-09T11:18:52Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Subject</strong> changed from <i>Cannot accept inventory updates in 4.3.1 (BouncyCstle cannot be found)</i> to <i>Restricted java security policy breaks Rudder (class configured for Cipher(provider: BC)cannot be found)</i></li></ul><p>Test executed, result = 1 => this is the problem.</p>
<p>I'm updating the ticket title accordingly.</p>
<p>The solution is to correctly document it, even if now, all JVMs use unrestricted policy by default.</p>
https://issues.rudder.io/issues/12606?journal_id=91505 2018-05-09T11:21:37Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Category</strong> set to <i>Documentation</i></li><li><strong>Assignee</strong> set to <i>François ARMAND</i></li></ul>
https://issues.rudder.io/issues/12606?journal_id=91506 2018-05-09T11:22:23Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In progress</i></li></ul>
https://issues.rudder.io/issues/12606?journal_id=91507 2018-05-09T11:38:55Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Status</strong> changed from <i>In progress</i> to <i>Pending technical review</i></li><li><strong>Assignee</strong> changed from <i>François ARMAND</i> to <i>Alexis Mousset</i></li><li><strong>Pull Request</strong> set to <i>https://github.com/Normation/rudder-doc/pull/411</i></li></ul><p>PR <a class="external" href="https://github.com/Normation/rudder-doc/pull/411">https://github.com/Normation/rudder-doc/pull/411</a></p>
https://issues.rudder.io/issues/12606?journal_id=91563 2018-05-14T07:25:38Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Status</strong> changed from <i>Pending technical review</i> to <i>Pending release</i></li></ul><p>Applied in changeset <a class="changeset" title="Fixes #12606: Restricted java security policy breaks Rudder (class configured for Cipher(provider..." href="https://issues.rudder.io/projects/rudder/repository/rudder-doc/revisions/a402c3e1ea6cae7caf2b25969139cc795ce67ce7">rudder-doc|a402c3e1ea6cae7caf2b25969139cc795ce67ce7</a>.</p>
https://issues.rudder.io/issues/12606?journal_id=92744 2018-05-29T08:16:09Z Benoît PECCATTE benoit.peccatte@rudder.io
<ul><li><strong>Status</strong> changed from <i>Pending release</i> to <i>Released</i></li></ul><p>This bug has been fixed in Rudder 4.1.12, 4.2.6 and 4.3.1 which were released today.</p>
<ul>
<li>4.1.12: <a href="http://www.rudder-project.org/pipermail/rudder-announce/2018-May/000272.html" class="external">Announce</a> <a href="http://www.rudder-project.org/changelog-4.1#4.1.12" class="external">Changelog</a></li>
<li>4.2.6: <a href="http://www.rudder-project.org/pipermail/rudder-announce/2018-May/000273.html" class="external">Announce</a> <a href="http://www.rudder-project.org/changelog-4.2#4.2.6" class="external">Changelog</a></li>
<li>4.3.1: <a href="http://www.rudder-project.org/pipermail/rudder-announce/2018-May/000271.html" class="external">Announce</a> <a href="http://www.rudder-project.org/changelog-4.3#4.3.1" class="external">Changelog</a></li>
<li>Download: <a class="external" href="https://www.rudder-project.org/site/get-rudder/downloads/">https://www.rudder-project.org/site/get-rudder/downloads/</a></li>
</ul>
https://issues.rudder.io/issues/12606?journal_id=94655 2018-07-16T10:59:27Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-16 priority-default closed parent" href="/issues/12474">Bug #12474</a>: root node disapeared while upgrading from 4.1 to 4.3 on debian 9</i> added</li></ul>
https://issues.rudder.io/issues/12606?journal_id=94656 2018-07-16T11:05:34Z François ARMAND francois.armand@rudder.io
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/94656/diff?detail_id=121284">diff</a>)</li><li><strong>Priority</strong> changed from <i>94</i> to <i>92</i></li></ul>
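<p>The java.security workaround from the first comment (find the highest <strong>security.provider.n</strong> line and add Bouncy Castle at n+1), as an added shell example that is not part of the ticket or of Rudder's code. The function name <code>next_bc_provider_line</code> and the sample file are hypothetical; commented-out entries are ignored and nothing is printed when Bouncy Castle is already registered.</p>

```shell
#!/bin/sh
# Added example (not Rudder code): compute the java.security line that
# registers Bouncy Castle as the next static security provider.

BC_CLASS="org.bouncycastle.jce.provider.BouncyCastleProvider"

# next_bc_provider_line FILE   (hypothetical helper name)
#   prints "security.provider.<max+1>=<BC_CLASS>" and returns 0 when BC is
#   not registered; returns 1 when it already is; 2 if FILE is unreadable.
next_bc_provider_line() {
    [ -r "$1" ] || return 2
    awk -v bc="$BC_CLASS" '
        # Only active entries count; commented-out lines start with "#".
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            cls = substr($0, eq + 1)
            sub(/^.*\./, "", key)          # keep only the numeric index N
            gsub(/[ \t\r]/, "", cls)       # tolerate padding and CRLF files
            if (cls == bc) found = 1
            if (key + 0 > max) max = key + 0
        }
        END {
            if (found) exit 1
            printf "security.provider.%d=%s\n", max + 1, bc
        }' "$1"
}

# Constructed sample, not a real JVM file: indexes 1 to 3 are active.
sample=$(mktemp)
printf '%s\n' \
    'security.provider.1=sun.security.provider.Sun' \
    'security.provider.2=sun.security.rsa.SunRsaSign' \
    'security.provider.3=com.sun.crypto.provider.SunJCE' \
    '#security.provider.12=commented.out.Example' > "$sample"
next_bc_provider_line "$sample"   # prints security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
rm -f "$sample"
```

<p>Review the printed line before appending it to the java.security file of the JVM that runs Rudder, then restart the application so the provider list is re-read.</p>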