Thread: Can you install/run postgresql on a FIPS enabled host?

Can you install/run postgresql on a FIPS enabled host?

From
"McDermott, Becky"
Date:

We have a requirement to run all of our applications on FIPS enabled hosts.  Is it possible to install and successfully run postgresql on a FIPS enabled host?

We currently run postgres in a container that is executing on a FIPS enabled host with the setting:  password_encryption = scram-sha-256

And none of our Java clients can connect to the postgresql database.  If we run postgresql on a non-FIPS enabled host, everything works fine.

I’m having a hard time finding any FIPS guidance for postgresql from googling.  If anyone has any guidance or has gotten this to work, that would be most helpful.

Thank you,

Becky McDermott

Re: Can you install/run postgresql on a FIPS enabled host?

From
Adrian Klaver
Date:
On 3/21/22 15:15, McDermott, Becky wrote:
> We have a requirement to run all of our applications on FIPS enabled 
> hosts.  Is it possible to install and successfully run postgresql on a 
> FIPS enabled host?
> 
> We currently run postgres in a container that is executing on a FIPS 
> enabled host with the setting:  password_encryption = scram-sha-256
> 
> And none of our Java clients can connect to the postgresql database.  If 
> we run postgresql on a non-FIPS enabled host, everything works fine.

Postgres version?

JDBC version?

> 
> I’m having a hard time finding any FIPS guidance for postgresql from 
> googling.  If anyone has any guidance or has gotten this to work, that 
> would be most helpful.
> 
> Thank you,
> 
> *Becky McDermott*
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com



Re: Can you install/run postgresql on a FIPS enabled host?

From
Tom Lane
Date:
"McDermott, Becky" <bmcderm@sandia.gov> writes:
> We have a requirement to run all of our applications on FIPS enabled hosts.  Is it possible to install and successfully run postgresql on a FIPS enabled host?

We do test that case from time to time, but not regularly.

> We currently run postgres in a container that is executing on a FIPS enabled host with the setting: password_encryption = scram-sha-256
> And none of our Java clients can connect to the postgresql database.  If we run postgresql on a non-FIPS enabled host, everything works fine.

It sounds like something thinks that scram-sha-256 encryption is
disallowed by FIPS.  That may or may not be accurate.  If it's
supposed to be allowed, you'd need to poke a little harder to
narrow down where the problem is.

(Digging in our commit logs, it looks like version 14.2 has some
changes that might make this work better than it did in older
versions; but I can't tell from the log messages whether the
issue being fixed was new-in-14 or not.)

            regards, tom lane



RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
"McDermott, Becky"
Date:
Version 12.7


Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
Adrian Klaver
Date:
On 3/21/22 15:43, McDermott, Becky wrote:
> Version 12.7

And the JDBC version?



-- 
Adrian Klaver
adrian.klaver@aklaver.com



RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
"McDermott, Becky"
Date:
So the logs for one of our Java servers that is attempting to connect to postgres is showing:

Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for SCRAM-SHA-256".  We are also using Hibernate so perhaps the underlying problem is there?

java.sql.SQLException: Connections could not be acquired from the underlying database!
        at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:118) ~[mchange-commons-java-0.2.19.jar:0.2.19]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:692) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at org.hibernate.c3p0.internal.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:72) ~[hibernate-c3p0-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:180) ~[hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:68) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:35) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:101) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:237) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.id.factory.internal.DefaultIdentifierGeneratorFactory.injectServices(DefaultIdentifierGeneratorFactory.java:152) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.injectDependencies(AbstractServiceRegistryImpl.java:286) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:243) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.boot.internal.InFlightMetadataCollectorImpl.<init>(InFlightMetadataCollectorImpl.java:176) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.boot.model.process.spi.MetadataBuildingProcess.complete(MetadataBuildingProcess.java:127) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.metadata(EntityManagerFactoryBuilderImpl.java:1224) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1255) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.jpa.HibernatePersistenceProvider.createEntityManagerFactory(HibernatePersistenceProvider.java:56) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:79) [javax.persistence-api-2.2.jar:2.2]
        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:73) [frameworks-osd-daos-LATEST.jar:?]
        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:52) [frameworks-osd-daos-LATEST.jar:?]
        at gms.shared.frameworks.osd.repository.OsdRepositoryFactory.createOsdRepository(OsdRepositoryFactory.java:30) [frameworks-osd-repository-LATEST.jar:?]
        at gms.shared.frameworks.osd.service.OsdServiceApplication.main(OsdServiceApplication.java:12) [frameworks-osd-service-LATEST.jar:?]
Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from its primary factory or source.
        at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1507) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutAndMarkConnectionInUse(C3P0PooledConnectionPool.java:758) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:685) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        ... 23 more
Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
        at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5]
        at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]
Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256
        at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.secretKeyFactory(ScramMechanisms.java:151) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.saltedPassword(ScramFunctions.java:61) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:198) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:165) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:132) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.jre8.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:131) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:678) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.Driver.makeConnection(Driver.java:454) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.Driver.connect(Driver.java:256) ~[postgresql-42.2.5.jar:42.2.5]
        at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1908) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]
2022-03-21 22:40:22,878 INFO org.hibernate.dialect.Dialect [main] HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL95Dialect




RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
"McDermott, Becky"
Date:
I will have to find out the JDBC version.  None of the containers will start (because of the database connection error) so I have to track down that version with one of our developers (I am on the platform team so not so well versed in the actual code).  Will get back with that version.
 


RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
"McDermott, Becky"
Date:
It looks like jdbc-1.15.2.jar


Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
Rob Sargent
Date:
On 3/21/22 16:55, McDermott, Becky wrote:
> It looks like jdbc-1.15.2.jar

Named in the stack trace:  postgresql-42.2.5.jar



Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
Tom Lane
Date:
"McDermott, Becky" <bmcderm@sandia.gov> writes:
> So the logs for one of our Java servers that is attempting to connect to postgres is showing:
> Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for SCRAM-SHA-256".  We are also using Hibernate so perhaps the underlying problem is there?

This definitely looks like the problem is on the client side not the
server side.  It might be worth asking on pgsql-jdbc to see if it's
that driver or not; but it could be coming from somewhere else in
the Java ecosystem.

            regards, tom lane



RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
"McDermott, Becky"
Date:
Thank you.  I should deploy a very simple container that has psql installed and make sure I can connect in a simple way with a username/password.  If this works, then the database is fine and it would definitely point to a java issue.

Thanks!




Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
Rob Sargent
Date:
On 3/21/22 17:02, McDermott, Becky wrote:
> Thank you.  I should deploy a very simple container that has psql installed and make sure I can connect in a simple way with a username/password.  If this works, then the database is fine and it would definitely point to a java issue.
>
> Thanks!

I liked your original theory:
That stack trace message is rather adamant.  Is there any indication 
that PBKDF2 and SCRAM-SHA-256 should play nice?

Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
         at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5]
         at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]
         at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]
         at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]
         at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]
         at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]
         at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]
         at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]
Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256
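Rob's question is answered by the protocol itself: in SCRAM-SHA-256 (RFC 5802 / RFC 7677) the SaltedPassword is PBKDF2-HMAC-SHA-256, which is why the driver's shaded scram library obtains a JCA SecretKeyFactory for PBKDF2WithHmacSHA256 in the `ScramMechanisms.secretKeyFactory` frame above and raises that RuntimeException when no installed provider supplies one. The following is an added worked example, not code from this thread or from pgjdbc, that carries both the client and the server side of one SCRAM-SHA-256 exchange through in Python; it assumes the RFC 7677 section 3 test vector (user "user", password "pencil") and omits SASLprep and username escaping.

```python
"""SCRAM-SHA-256 client and server computation (RFC 5802 / RFC 7677).

Added example, not code from the thread or from pgjdbc.  The SaltedPassword
step of SCRAM-SHA-256 is PBKDF2-HMAC-SHA-256 ("Hi" in RFC 5802); that is the
step the stack trace fails in (ScramMechanisms.secretKeyFactory ->
ScramFunctions.saltedPassword).  Test values are the RFC 7677 section 3
exchange (user "user", password "pencil"), not values from the thread.
SASLprep normalisation and username escaping are omitted: ASCII only.
"""
import base64
import hashlib
import hmac

RFC_USER, RFC_PASSWORD, RFC_CLIENT_NONCE = "user", "pencil", "rOprNGfwEbeRWgbNEkqO"
RFC_SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                    "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
RFC_CLIENT_FINAL = ("c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                    "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=")
RFC_SERVER_FINAL = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2 with HMAC-SHA-256, 32-byte output.  This is the
    primitive the JDBC driver asks the JCA for (PBKDF2WithHmacSHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def parse_attrs(msg: str) -> dict:
    """Split 'k=v,k=v' SCRAM attributes; values may themselves contain '='."""
    return {part[0]: part[2:] for part in msg.split(",")}

def scram_verifier(password: str, salt: bytes, iterations: int) -> tuple:
    """What a server with password_encryption = scram-sha-256 keeps for a
    role: StoredKey and ServerKey (with salt and iterations), never the password."""
    salted = hi(password.encode(), salt, iterations)
    return h(hmac_sha256(salted, b"Client Key")), hmac_sha256(salted, b"Server Key")

def client_final(username: str, password: str, client_nonce: str, server_first: str):
    """Client side: derive keys from the password and build client-final.
    Returns (client_final_message, base64 server signature the client expects)."""
    attrs = parse_attrs(server_first)
    nonce, salt, iters = attrs["r"], base64.b64decode(attrs["s"]), int(attrs["i"])
    if not nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    without_proof = f"c=biws,r={nonce}"  # "biws" = base64("n,,"): no channel binding
    auth_message = f"n={username},r={client_nonce},{server_first},{without_proof}".encode()
    salted = hi(password.encode(), salt, iters)  # the PBKDF2 step that failed in the trace
    client_key = hmac_sha256(salted, b"Client Key")
    proof = xor(client_key, hmac_sha256(h(client_key), auth_message))
    server_sig = hmac_sha256(hmac_sha256(salted, b"Server Key"), auth_message)
    return (f"{without_proof},p={base64.b64encode(proof).decode()}",
            base64.b64encode(server_sig).decode())

def server_verify(stored_key: bytes, server_key: bytes, client_first_bare: str,
                  server_first: str, client_final_msg: str):
    """Server side: recover ClientKey from the proof and check H(ClientKey) ==
    StoredKey.  Returns the server-final message on success, else None."""
    without_proof, _, proof_b64 = client_final_msg.rpartition(",p=")
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_key = xor(base64.b64decode(proof_b64), hmac_sha256(stored_key, auth_message))
    if not hmac.compare_digest(h(client_key), stored_key):
        return None
    return "v=" + base64.b64encode(hmac_sha256(server_key, auth_message)).decode()

def run_rfc7677_example(password: str = RFC_PASSWORD) -> dict:
    """Run the whole exchange; a wrong client password makes server_final None."""
    attrs = parse_attrs(RFC_SERVER_FIRST)
    stored_key, server_key = scram_verifier(RFC_PASSWORD, base64.b64decode(attrs["s"]),
                                            int(attrs["i"]))
    final_msg, expected_sig = client_final(RFC_USER, password, RFC_CLIENT_NONCE, RFC_SERVER_FIRST)
    server_final = server_verify(stored_key, server_key, f"n={RFC_USER},r={RFC_CLIENT_NONCE}",
                                 RFC_SERVER_FIRST, final_msg)
    return {"client_final": final_msg, "server_final": server_final,
            "client_accepts_server": server_final == f"v={expected_sig}"}
```

The narrowing-down check Tom suggests is therefore whether the JVM's provider set, under the host's FIPS configuration, can hand out a PBKDF2WithHmacSHA256 SecretKeyFactory at all; if it cannot, every SCRAM-SHA-256 login from that driver fails at the `saltedPassword` step regardless of what the server does.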





RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From
"McDermott, Becky"
Date:
I am a bit out of my element.  I don't even know where PBKDF2 is coming from.

I just confirmed that I can connect from one pod with psql installed to the postgres pod with a straight up "psql -h posgtgresql-gms-p 5432 -d mydb -U gms_read_only" and then I can run queries just fine.  So there is something on the Java side that is not connecting correctly.
 

Thank you everyone.  This was helpful.






Re: Can you install/run postgresql on a FIPS enabled host?

From
Michael Paquier
Date:
On Mon, Mar 21, 2022 at 06:33:29PM -0400, Tom Lane wrote:
> It sounds like something thinks that scram-sha-256 encryption is
> disallowed by FIPS.  That may or may not be accurate.  If it's
> supposed to be allowed, you'd need to poke a little harder to
> narrow down where the problem is.
>
> (Digging in our commit logs, it looks like version 14.2 has some
> changes that might make this work better than it did in older
> versions; but I can't tell from the log messages whether the
> issue being fixed was new-in-14 or not.)

I guess that 3a0cced is the commit you are talking about here.  Please
note that it has been reverted in ad5b6f2 due to ABI concerns with
some of the MD5 hashing routines.
--
Michael
