Thread: Can you install/run postgresql on a FIPS enabled host?
We have a requirement to run all of our applications on FIPS enabled hosts. Is it possible to install and successfully run postgreql on a FIPS enabled host?
We currently run postgres ina container that is executing on a FIPS enabled host with the setting: password_encryption = scram-sha-256
And none of our Java clients can connect to the postgresql database. If we run postgresql on a non-FIPS enabled host, everything works fine.
I’m having a hard time finding any FIPS guidance for postgresql from googling. If anyone has any guidance or has gotten this to work, that would be most helpful.
Thank you,
Becky McDermott
On 3/21/22 15:15, McDermott, Becky wrote: > We have a requirement to run all of our applications on FIPS enabled > hosts. Is it possible to install and successfully run postgreql on a > FIPS enabled host? > > We currently run postgres ina container that is executing on a FIPS > enabled host with the setting: password_encryption = scram-sha-256 > > And none of our Java clients can connect to the postgresql database. If > we run postgresql on a non-FIPS enabled host, everything works fine. Postgres version? JDBC version? > > I’m having a hard time finding any FIPS guidance for postgresql from > googling. If anyone has any guidance or has gotten this to work, that > would be most helpful. > > Thank you, > > *Becky McDermott* > -- Adrian Klaver adrian.klaver@aklaver.com
"McDermott, Becky" <bmcderm@sandia.gov> writes: > We have a requirement to run all of our applications on FIPS enabled hosts. Is it possible to install and successfullyrun postgreql on a FIPS enabled host? We do test that case from time to time, but not regularly. > We currently run postgres ina container that is executing on a FIPS enabled host with the setting: password_encryption= scram-sha-256 > And none of our Java clients can connect to the postgresql database. If we run postgresql on a non-FIPS enabled host,everything works fine. It sounds like something thinks that scram-sha-256 encryption is disallowed by FIPS. That may or may not be accurate. If it's supposed to be allowed, you'd need to poke a little harder to narrow down where the problem is. (Digging in our commit logs, it looks like version 14.2 has some changes that might make this work better than it did in older versions; but I can't tell from the log messages whether the issue being fixed was new-in-14 or not.) regards, tom lane
RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
From
"McDermott, Becky"
Date:
Version 12.7 -----Original Message----- From: Adrian Klaver <adrian.klaver@aklaver.com> Sent: Monday, March 21, 2022 4:25 PM To: McDermott, Becky <bmcderm@sandia.gov>; pgsql-general@lists.postgresql.org Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? On 3/21/22 15:15, McDermott, Becky wrote: > We have a requirement to run all of our applications on FIPS enabled > hosts. Is it possible to install and successfully run postgreql on a > FIPS enabled host? > > We currently run postgres ina container that is executing on a FIPS > enabled host with the setting: password_encryption = scram-sha-256 > > And none of our Java clients can connect to the postgresql database. > If we run postgresql on a non-FIPS enabled host, everything works fine. Postgres version? JDBC version? > > I’m having a hard time finding any FIPS guidance for postgresql from > googling. If anyone has any guidance or has gotten this to work, that > would be most helpful. > > Thank you, > > *Becky McDermott* > -- Adrian Klaver adrian.klaver@aklaver.com
On 3/21/22 15:43, McDermott, Becky wrote: > Version 12.7 And the JDBC version? > > -----Original Message----- > From: Adrian Klaver <adrian.klaver@aklaver.com> > Sent: Monday, March 21, 2022 4:25 PM > To: McDermott, Becky <bmcderm@sandia.gov>; pgsql-general@lists.postgresql.org > Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? > > On 3/21/22 15:15, McDermott, Becky wrote: >> We have a requirement to run all of our applications on FIPS enabled >> hosts. Is it possible to install and successfully run postgreql on a >> FIPS enabled host? >> >> We currently run postgres ina container that is executing on a FIPS >> enabled host with the setting: password_encryption = scram-sha-256 >> >> And none of our Java clients can connect to the postgresql database. >> If we run postgresql on a non-FIPS enabled host, everything works fine. > > Postgres version? > > JDBC version? > >> >> I’m having a hard time finding any FIPS guidance for postgresql from >> googling. If anyone has any guidance or has gotten this to work, that >> would be most helpful. >> >> Thank you, >> >> *Becky McDermott* >> > > > -- > Adrian Klaver > adrian.klaver@aklaver.com -- Adrian Klaver adrian.klaver@aklaver.com
RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
From
"McDermott, Becky"
Date:
So the logs for one of our Java servers that is attempting to connect to postgres is showing: Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for SCRAM-SHA-256". We are also using Hibernate so perhapsthe underlying problem is there? java.sql.SQLException: Connections could not be acquired from the underlying database! at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:118) ~[mchange-commons-java-0.2.19.jar:0.2.19] at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:692) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140) ~[c3p0-0.9.5.5.jar:0.9.5.5] at org.hibernate.c3p0.internal.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:72) ~[hibernate-c3p0-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:180) ~[hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:68) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:35) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:101) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:237) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.id.factory.internal.DefaultIdentifierGeneratorFactory.injectServices(DefaultIdentifierGeneratorFactory.java:152) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.service.internal.AbstractServiceRegistryImpl.injectDependencies(AbstractServiceRegistryImpl.java:286) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:243) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.boot.internal.InFlightMetadataCollectorImpl.<init>(InFlightMetadataCollectorImpl.java:176) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.boot.model.process.spi.MetadataBuildingProcess.complete(MetadataBuildingProcess.java:127) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.metadata(EntityManagerFactoryBuilderImpl.java:1224) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1255) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at org.hibernate.jpa.HibernatePersistenceProvider.createEntityManagerFactory(HibernatePersistenceProvider.java:56) [hibernate-core-5.4.30.Final.jar:5.4.30.Final] at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:79) [javax.persistence-api-2.2.jar:2.2] at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:73) [frameworks-osd-daos-LATEST.jar:?] at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:52) [frameworks-osd-daos-LATEST.jar:?] at gms.shared.frameworks.osd.repository.OsdRepositoryFactory.createOsdRepository(OsdRepositoryFactory.java:30) [frameworks-osd-repository-LATEST.jar:?] at gms.shared.frameworks.osd.service.OsdServiceApplication.main(OsdServiceApplication.java:12) [frameworks-osd-service-LATEST.jar:?] Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from itsprimary factory or source. at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1507) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutAndMarkConnectionInUse(C3P0PooledConnectionPool.java:758) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:685) ~[c3p0-0.9.5.5.jar:0.9.5.5] ... 23 more Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report thisexception. at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5] at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19] Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256 at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.secretKeyFactory(ScramMechanisms.java:151) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.saltedPassword(ScramFunctions.java:61) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:198) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:165) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:132) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.jre8.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:131) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:678) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.Driver.makeConnection(Driver.java:454) ~[postgresql-42.2.5.jar:42.2.5] at org.postgresql.Driver.connect(Driver.java:256) ~[postgresql-42.2.5.jar:42.2.5] at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1908) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19] 2022-03-21 22:40:22,878 INFO org.hibernate.dialect.Dialect [main] HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL95Dialect -----Original Message----- From: Tom Lane <tgl@sss.pgh.pa.us> Sent: Monday, March 21, 2022 4:33 PM To: McDermott, Becky <bmcderm@sandia.gov> Cc: pgsql-general@lists.postgresql.org Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? "McDermott, Becky" <bmcderm@sandia.gov> writes: > We have a requirement to run all of our applications on FIPS enabled hosts. Is it possible to install and successfullyrun postgreql on a FIPS enabled host? We do test that case from time to time, but not regularly. > We currently run postgres ina container that is executing on a FIPS > enabled host with the setting: password_encryption = scram-sha-256 And none of our Java clients can connect to the postgresqldatabase. If we run postgresql on a non-FIPS enabled host, everything works fine. It sounds like something thinks that scram-sha-256 encryption is disallowed by FIPS. That may or may not be accurate. Ifit's supposed to be allowed, you'd need to poke a little harder to narrow down where the problem is. (Digging in our commit logs, it looks like version 14.2 has some changes that might make this work better than it did inolder versions; but I can't tell from the log messages whether the issue being fixed was new-in-14 or not.) regards, tom lane
RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
From
"McDermott, Becky"
Date:
I will have to find out the JDBC version. None of the containers will start (because of the database connection error) soI have to track down that version with one of our developers (I am on the platform team so not so well versed in the actualcode). Will get back with that version. -----Original Message----- From: Adrian Klaver <adrian.klaver@aklaver.com> Sent: Monday, March 21, 2022 4:46 PM To: McDermott, Becky <bmcderm@sandia.gov>; pgsql-general@lists.postgresql.org Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? On 3/21/22 15:43, McDermott, Becky wrote: > Version 12.7 And the JDBC version? > > -----Original Message----- > From: Adrian Klaver <adrian.klaver@aklaver.com> > Sent: Monday, March 21, 2022 4:25 PM > To: McDermott, Becky <bmcderm@sandia.gov>; > pgsql-general@lists.postgresql.org > Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? > > On 3/21/22 15:15, McDermott, Becky wrote: >> We have a requirement to run all of our applications on FIPS enabled >> hosts. Is it possible to install and successfully run postgreql on a >> FIPS enabled host? >> >> We currently run postgres ina container that is executing on a FIPS >> enabled host with the setting: password_encryption = scram-sha-256 >> >> And none of our Java clients can connect to the postgresql database. >> If we run postgresql on a non-FIPS enabled host, everything works fine. > > Postgres version? > > JDBC version? > >> >> I’m having a hard time finding any FIPS guidance for postgresql from >> googling. If anyone has any guidance or has gotten this to work, >> that would be most helpful. >> >> Thank you, >> >> *Becky McDermott* >> > > > -- > Adrian Klaver > adrian.klaver@aklaver.com -- Adrian Klaver adrian.klaver@aklaver.com
RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
From
"McDermott, Becky"
Date:
It looks like jdbc-1.15.2.jar -----Original Message----- From: Adrian Klaver <adrian.klaver@aklaver.com> Sent: Monday, March 21, 2022 4:46 PM To: McDermott, Becky <bmcderm@sandia.gov>; pgsql-general@lists.postgresql.org Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? On 3/21/22 15:43, McDermott, Becky wrote: > Version 12.7 And the JDBC version? > > -----Original Message----- > From: Adrian Klaver <adrian.klaver@aklaver.com> > Sent: Monday, March 21, 2022 4:25 PM > To: McDermott, Becky <bmcderm@sandia.gov>; > pgsql-general@lists.postgresql.org > Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? > > On 3/21/22 15:15, McDermott, Becky wrote: >> We have a requirement to run all of our applications on FIPS enabled >> hosts. Is it possible to install and successfully run postgreql on a >> FIPS enabled host? >> >> We currently run postgres ina container that is executing on a FIPS >> enabled host with the setting: password_encryption = scram-sha-256 >> >> And none of our Java clients can connect to the postgresql database. >> If we run postgresql on a non-FIPS enabled host, everything works fine. > > Postgres version? > > JDBC version? > >> >> I’m having a hard time finding any FIPS guidance for postgresql from >> googling. If anyone has any guidance or has gotten this to work, >> that would be most helpful. >> >> Thank you, >> >> *Becky McDermott* >> > > > -- > Adrian Klaver > adrian.klaver@aklaver.com -- Adrian Klaver adrian.klaver@aklaver.com
On 3/21/22 16:55, McDermott, Becky wrote: > It looks like jdbc-1.15.2.jar Named in the stack trace: postgresql-42.2.5.jar
"McDermott, Becky" <bmcderm@sandia.gov> writes: > So the logs for one of our Java servers that is attempting to connect to postgres is showing: > Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for SCRAM-SHA-256". We are also using Hibernate soperhaps the underlying problem is there? This definitely looks like the problem is on the client side not the server side. It might be worth asking on pgsql-jdbc to see if it's that driver or not; but it could be coming from somewhere else in the Java ecosystem. regards, tom lane
RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
From
"McDermott, Becky"
Date:
Thank you. I should deploying a very simple container that has psql installed and make sure I can connect in a simple waywith a username/password. If this works, then the database is fine and it would definitely point to a java issue. Thanks! -----Original Message----- From: Tom Lane <tgl@sss.pgh.pa.us> Sent: Monday, March 21, 2022 4:59 PM To: McDermott, Becky <bmcderm@sandia.gov> Cc: pgsql-general@lists.postgresql.org Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? "McDermott, Becky" <bmcderm@sandia.gov> writes: > So the logs for one of our Java servers that is attempting to connect to postgres is showing: > Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for SCRAM-SHA-256". We are also using Hibernate soperhaps the underlying problem is there? This definitely looks like the problem is on the client side not the server side. It might be worth asking on pgsql-jdbcto see if it's that driver or not; but it could be coming from somewhere else in the Java ecosystem. regards, tom lane
On 3/21/22 17:02, McDermott, Becky wrote: > Thank you. I should deploying a very simple container that has psql installed and make sure I can connect in a simpleway with a username/password. If this works, then the database is fine and it would definitely point to a java issue. > > Thanks! I liked your original theory: That stack trace message is rather adamant. Is there any indication that PBKDF2 and SCRAM-SHA-256 should play nice? Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report thisexception. at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5] at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19] Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256
RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
From
"McDermott, Becky"
Date:
I am a bit out of my element. I don't even know where PDKDF2 is coming from. I just confirmed that I can connect from one pod with psql installed to the postgres pod with a straight up "psql -h posgtgresql-gms-p 5432 -d mydb -U gms_read_only" and then I can run queries just fine. So there is something on the Javaside that is not connecting correctly. Thank you everyone. This was helpful. -----Original Message----- From: Rob Sargent <robjsargent@gmail.com> Sent: Monday, March 21, 2022 5:08 PM To: pgsql-general@lists.postgresql.org Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host? On 3/21/22 17:02, McDermott, Becky wrote: > Thank you. I should deploying a very simple container that has psql installed and make sure I can connect in a simpleway with a username/password. If this works, then the database is fine and it would definitely point to a java issue. > > Thanks! I liked your original theory: That stack trace message is rather adamant. Is there any indication that PBKDF2 and SCRAM-SHA-256 should play nice? Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report thisexception. at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5] at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5] at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19] Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256
On Mon, Mar 21, 2022 at 06:33:29PM -0400, Tom Lane wrote: > It sounds like something thinks that scram-sha-256 encryption is > disallowed by FIPS. That may or may not be accurate. If it's > supposed to be allowed, you'd need to poke a little harder to > narrow down where the problem is. > > (Digging in our commit logs, it looks like version 14.2 has some > changes that might make this work better than it did in older > versions; but I can't tell from the log messages whether the > issue being fixed was new-in-14 or not.) I guess that 3a0cced is the commit you are talking about here. Please note that it has been reverted in ad5b6f2 due to ABI concerns with some of the MD5 hashing routines. -- Michael