[CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context #52034

albertzaharovits · 2020-02-07T08:25:32Z

This reproduces on master!

./gradlew ':x-pack:plugin:ccr:qa:downgrade-to-basic-license:follow-clusterRunner' --tests "org.elasticsearch.xpack.ccr.FollowIndexIT.testDowngradeRemoteClusterToBasic" \
  -Dtests.seed=FD9650072FA219B4 \
  -Dtests.security.manager=true \
  -Dtests.locale=nl \
  -Dtests.timezone=Europe/Zurich \
  -Dcompiler.java=13 \
  -Dtests.fips.enabled=true

        java.security.NoSuchAlgorithmException: Unable to invoke creator for DEFAULT: Default key/trust managers unavailable	
            at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:388)	
            at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)	
            at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)	
            at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:184)	
            at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)	
            at org.elasticsearch.client.RestClientBuilder.createHttpClient(RestClientBuilder.java:212)	
            ... 40 more	
            Caused by:	
            java.security.KeyManagementException: Default key/trust managers unavailable	
                at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:88)	
                at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$7.createInstance(BouncyCastleJsseProvider.java:217)	
                at org.bouncycastle.jsse.provider.BouncyCastleJsseProvider$BcJsseService.newInstance(BouncyCastleJsseProvider.java:373)	
                ... 45 more	
                Caused by:	
                java.security.AccessControlException: access denied ("java.io.FilePermission" "/dev/shm/elastic+elasticsearch+master+matrix-java-periodic-fips/ES_BUILD_JAVA/openjdk13/ES_RUNTIME_JAVA/openjdk14/nodes/general-purpose/x-pack/plugin/ccr/qa/downgrade-to-basic-license/build/build-tools-exported/cacerts.bcfks" "read")	
                    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)	
                    at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)	
                    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)	
                    at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:747)	
                    at java.base/java.io.File.exists(File.java:818)	
                    at org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi.getDefaultTrustStore(ProvTrustManagerFactorySpi.java:49)	
                    at org.bouncycastle.jsse.provider.ProvSSLContextSpi.getDefaultTrustManagers(ProvSSLContextSpi.java:302)	
                    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers.<clinit>(DefaultSSLContextSpi.java:57)	
                    at org.bouncycastle.jsse.provider.DefaultSSLContextSpi.<init>(DefaultSSLContextSpi.java:86)	
                    ... 47 more

Build scans:
https://gradle-enterprise.elastic.co/s/wfh66uffpg4hy
https://gradle-enterprise.elastic.co/s/ppmoxjtf2cvby
https://gradle-enterprise.elastic.co/s/b6kyaeu7kqrfy

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-02-07T08:25:34Z

Pinging @elastic/es-distributed (:Distributed/CCR)

albertzaharovits · 2020-02-07T10:44:36Z

Ooops, I just realized the name of the job matrix-java-periodic-fips and that the FIPS tests are not in a good mood today.

elasticmachine · 2020-02-07T10:45:37Z

Pinging @elastic/es-security (:Security/Security)

albertzaharovits · 2020-02-07T10:46:03Z

cc @jkakavas

Our FIPS 140 testing depends on setting the appropriate java policy in order to configure the JVM in FIPS mode. Some tests ( discovery-ec2 and ccr qa ) also needed to set a custom policy file to grant a specific permission, which overwrote the FIPS related policy and tests would fail. This change ensures that when a custom policy needs to be set in these tests, the permissions that are necessary for FIPS are also set. Resolves: elastic#51685, elastic#52034

Our FIPS 140 testing depends on setting the appropriate java policy in order to configure the JVM in FIPS mode. Some tests ( discovery-ec2 and ccr qa ) also needed to set a custom policy file to grant a specific permission, which overwrote the FIPS related policy and tests would fail. This change ensures that when a custom policy needs to be set in these tests, the permissions that are necessary for FIPS are also set. Resolves: #51685, #52034

Our FIPS 140 testing depends on setting the appropriate java policy in order to configure the JVM in FIPS mode. Some tests ( discovery-ec2 and ccr qa ) also needed to set a custom policy file to grant a specific permission, which overwrote the FIPS related policy and tests would fail. This change ensures that when a custom policy needs to be set in these tests, the permissions that are necessary for FIPS are also set. Resolves: elastic#51685, elastic#52034

Our FIPS 140 testing depends on setting the appropriate java policy in order to configure the JVM in FIPS mode. Some tests ( discovery-ec2 and ccr qa ) also needed to set a custom policy file to grant a specific permission, which overwrote the FIPS related policy and tests would fail. This change ensures that when a custom policy needs to be set in these tests, the permissions that are necessary for FIPS are also set. Resolves: #51685, #52034

jkakavas · 2020-09-02T15:09:32Z

Resolved in #52046

albertzaharovits added >test-failure Triaged test failures from CI :Distributed Indexing/CCR Issues around the Cross Cluster State Replication features labels Feb 7, 2020

albertzaharovits changed the title ~~FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context~~ [CI] FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context Feb 7, 2020

albertzaharovits mentioned this issue Feb 7, 2020

Mute FollowIndexIT testDowngradeRemoteClusterToBasic #52036

Closed

albertzaharovits added :Security/Security Security issues without another label and removed :Distributed Indexing/CCR Issues around the Cross Cluster State Replication features labels Feb 7, 2020

albertzaharovits changed the title ~~[CI] FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context~~ [CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context Feb 7, 2020

jkakavas mentioned this issue Feb 7, 2020

Fix custom policy in plugins in FIPS 140 #52046

Merged

rjernst added the Team:Security Meta label for security team label May 4, 2020

tvernum assigned jkakavas Aug 27, 2020

jkakavas closed this as completed Sep 2, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context #52034

[CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context #52034

albertzaharovits commented Feb 7, 2020

elasticmachine commented Feb 7, 2020

albertzaharovits commented Feb 7, 2020

elasticmachine commented Feb 7, 2020

albertzaharovits commented Feb 7, 2020

jkakavas commented Sep 2, 2020

[CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context #52034

[CI] FIPS FollowIndexIT testDowngradeRemoteClusterToBasic failure to recreate SSL context #52034

Comments

albertzaharovits commented Feb 7, 2020

elasticmachine commented Feb 7, 2020

albertzaharovits commented Feb 7, 2020

elasticmachine commented Feb 7, 2020

albertzaharovits commented Feb 7, 2020

jkakavas commented Sep 2, 2020