Errors in secureRandom #1453

vipulbehalpande08 · 2023-07-17T22:34:31Z

vipulbehalpande08
Jul 17, 2023

Hi Team,

I've been trying to configure bouncy castle for cassandra on jdk1.8. And I used below configuration by modifying existing java.security and java.policy file. And passing bc-fips-1.0.2.1.jar, bctls-fips-1.0.12.jar, bcpkix-fips-1.0.5.jar in classpath while starting cassandra.
But I am getting errors in secureRandom SHA MessageDigest. Please find attached config & error log below.
Do I need any additional configuration?

---- java.security file -----------------

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=sun.security.provider.Sun
security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS

securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
keystore.type=BCFKS

ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX

---- java.policy ----------------------

permission java.lang.RuntimePermission "getProtectionDomain";
// In order to check config properties
permission java.util.PropertyPermission "java.runtime.name", "read";
// BC module makes use of reflection
permission java.lang.RuntimePermission "accessDeclaredMembers";
// For installing JCA/JCE provider
permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
// For installing JSSE provider
permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
// For running JSSE in FIPS mode pre java 8, added for caution
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
// SSL Support
permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read";
permission java.security.SecurityPermission "crypto.policy.BCFIPS";

-------- Error logs -----------
cassandra[19168]: ERROR [main] 2023-07-17 22:09:56,108 CassandraDaemon.java:803 - Exception encountered during startup
cassandra[19168]: java.lang.InternalError: internal error: SHA-1 not available.
cassandra[19168]: at sun.security.provider.SecureRandom.init(SecureRandom.java:108)
cassandra[19168]: at sun.security.provider.SecureRandom.(SecureRandom.java:79)
cassandra[19168]: at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:198)
cassandra[19168]: at java.security.SecureRandom.(SecureRandom.java:162)
cassandra[19168]: at java.rmi.server.UID.(UID.java:112)
cassandra[19168]: at java.rmi.server.ObjID.(ObjID.java:88)
cassandra[19168]: at sun.rmi.registry.RegistryImpl.(RegistryImpl.java:90)
cassandra[19168]: at org.apache.cassandra.utils.JMXServerUtils.createJMXServer(JMXServerUtils.java:80)
cassandra[19168]: at org.apache.cassandra.service.CassandraDaemon.maybeInitJmx(CassandraDaemon.java:159)
cassandra[19168]: at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.java:204)
cassandra[19168]: at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon.java:633)
cassandra[19168]: at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.java:786)
cassandra[19168]: Caused by: java.security.NoSuchAlgorithmException: SHA MessageDigest not available
cassandra[19168]: at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
cassandra[19168]: at java.security.Security.getImpl(Security.java:695)
cassandra[19168]: at java.security.MessageDigest.getInstance(MessageDigest.java:170)
cassandra[19168]: at sun.security.provider.SecureRandom.init(SecureRandom.java:106)
cassandra[19168]: ... 11 common frames omitted

Answered by dghgit

Aug 29, 2023

Try it without the security manager first. SHA-1 has been in the BCFIPS provider since 2016, so it's either a security manager issue, or the provider is not getting found. Using -Djava.security.debug=provider might provider a more complete answer.

I'd also add try using BC-FJA 1.0.2.4. Oracle did change the way security providers were loaded after 1.0.2.1 came out. You may be seeing an issue related to how the old module interacts with that.

View full answer

dghgit · 2023-08-29T04:58:09Z

dghgit
Aug 29, 2023
Maintainer

Try it without the security manager first. SHA-1 has been in the BCFIPS provider since 2016, so it's either a security manager issue, or the provider is not getting found. Using -Djava.security.debug=provider might provider a more complete answer.

I'd also add try using BC-FJA 1.0.2.4. Oracle did change the way security providers were loaded after 1.0.2.1 came out. You may be seeing an issue related to how the old module interacts with that.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Errors in secureRandom #1453

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Errors in secureRandom #1453

vipulbehalpande08 Jul 17, 2023

Replies: 1 comment

dghgit Aug 29, 2023 Maintainer

vipulbehalpande08
Jul 17, 2023

dghgit
Aug 29, 2023
Maintainer