Thread: JDBC-Platform error: unsupported key for HMAC algorithm

JDBC-Platform error: unsupported key for HMAC algorithm

From
"James Pang (chaolpan)"
Date:

Hi,

   Postgresql server 13.4 on RHEL8.4 FIPS,    JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL.  Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:

  at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:400)
at org.postgresql.Driver.connect(Driver.java:259)
... 220 more

 

does Postgres JDBC driver support FIPS mode to connect to Postgresql database ?

 

Thanks,

 

James

 

 

 

 

RE: JDBC-Platform error: unsupported key for HMAC algorithm

From
"James Pang (chaolpan)"
Date:

Hi,

   Postgresql server 13.4 on RHEL8.4 FIPS,    JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL.  Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:

  at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:400)
at org.postgresql.Driver.connect(Driver.java:259)
... 220 more

 

does Postgres JDBC driver support  JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .

 

Thanks,

 

James

 

 

 

 

Re: JDBC-Platform error: unsupported key for HMAC algorithm

From
Dave Cramer
Date:
Hello,

Can you provide more information?

Which keys are you using, etc?

TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.

I need more detailed information however such as how the keys were created and presented to the driver.


Dave

Dave Cramer
www.postgres.rocks


On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:

Hi,

   Postgresql server 13.4 on RHEL8.4 FIPS,    JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL.  Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:

  at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:400)
at org.postgresql.Driver.connect(Driver.java:259)
... 220 more

 

does Postgres JDBC driver support  JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .

 

Thanks,

 

James

 

 

 

 

RE: JDBC-Platform error: unsupported key for HMAC algorithm

From
"James Pang (chaolpan)"
Date:

Hi,

Sorry, clarify again ,    We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled  and disabled.  

We use Tomcat connection pool + Postgresql JDBC 42.3.3 ,  Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver.   For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2.    For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.

 

With RHEL8 FIPS enabled , tomcat logs show:

      22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]

   With RHEL8 FIPS not enabled, no  FIPS keyword from tomcat.

   

This is Java tomcat config  running in Kubed POD with RHEL8 FIPS mode.

 

{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}

 

[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start

 

  For keystore details, no detail yet, will check and update then.  From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.

 

Thanks,

 

James

 

 

From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm

 

Hello,

 

Can you provide more information?

 

Which keys are you using, etc?

 

TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.

 

I need more detailed information however such as how the keys were created and presented to the driver.

 

 

Dave


 

 

On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:

Hi,

   Postgresql server 13.4 on RHEL8.4 FIPS,    JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL.  Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:

  at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:400)
at org.postgresql.Driver.connect(Driver.java:259)
... 220 more

 

does Postgres JDBC driver support  JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .

 

Thanks,

 

James

 

 

 

 

RE: JDBC-Platform error: unsupported key for HMAC algorithm

From
"James Pang (chaolpan)"
Date:

Attached Tomcat error log too.

 

From: James Pang (chaolpan)
Sent: Wednesday, June 22, 2022 8:51 PM
To: Dave Cramer <davecramer@postgres.rocks>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: RE: JDBC-Platform error: unsupported key for HMAC algorithm

 

Hi,

Sorry, clarify again ,    We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled  and disabled.  

We use Tomcat connection pool + Postgresql JDBC 42.3.3 ,  Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver.   For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2.    For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.

 

With RHEL8 FIPS enabled , tomcat logs show:

      22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]

   With RHEL8 FIPS not enabled, no  FIPS keyword from tomcat.

   

This is Java tomcat config  running in Kubed POD with RHEL8 FIPS mode.

 

{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}

 

[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start

 

  For keystore details, no detail yet, will check and update then.  From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.

 

Thanks,

 

James

 

 

From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm

 

Hello,

 

Can you provide more information?

 

Which keys are you using, etc?

 

TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.

 

I need more detailed information however such as how the keys were created and presented to the driver.

 

 

Dave


 

 

On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:

Hi,

   Postgresql server 13.4 on RHEL8.4 FIPS,    JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL.  Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:

  at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:400)
at org.postgresql.Driver.connect(Driver.java:259)
... 220 more

 

does Postgres JDBC driver support  JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .

 

Thanks,

 

James

 

 

 

 

Attachment

RE: JDBC-Platform error: unsupported key for HMAC algorithm

From
"James Pang (chaolpan)"
Date:

Attached updated Tomcat error log too.

 

From: James Pang (chaolpan)
Sent: Wednesday, June 22, 2022 8:51 PM
To: Dave Cramer <davecramer@postgres.rocks>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: RE: JDBC-Platform error: unsupported key for HMAC algorithm

 

Hi,

Sorry, clarify again ,    We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled  and disabled.  

We use Tomcat connection pool + Postgresql JDBC 42.3.3 ,  Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver.   For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2.    For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.

 

With RHEL8 FIPS enabled , tomcat logs show:

      22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]

   With RHEL8 FIPS not enabled, no  FIPS keyword from tomcat.

   

This is Java tomcat config  running in Kubed POD with RHEL8 FIPS mode.

 

{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}

 

[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start

 

  For keystore details, no detail yet, will check and update then.  From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.

 

Thanks,

 

James

 

 

From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm

 

Hello,

 

Can you provide more information?

 

Which keys are you using, etc?

 

TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.

 

I need more detailed information however such as how the keys were created and presented to the driver.

 

 

Dave


 

 

On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:

Hi,

   Postgresql server 13.4 on RHEL8.4 FIPS,    JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL.  Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:

  at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:400)
at org.postgresql.Driver.connect(Driver.java:259)
... 220 more

 

does Postgres JDBC driver support  JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .

 

Thanks,

 

James

 

 

 

 

Attachment

Re: JDBC-Platform error: unsupported key for HMAC algorithm

From
Dave Cramer
Date:



On Wed, 22 Jun 2022 at 08:51, James Pang (chaolpan) <chaolpan@cisco.com> wrote:

Hi,

Sorry, clarify again ,    We did not enforce FIPS yet from JVM side , only use different RHEL8 FIPS enabled  and disabled.  

We use Tomcat connection pool + Postgresql JDBC 42.3.3 ,  Tomcat running in Kubernetes, the OS image is RHEL 8, same Tomcat config ,same JDBC driver.   For tomcat running on RHEL8 disable FIPS, it’s ok to connect to Postgresql database with TLSv1.2.    For tomcat running on RHEL8 enable FIPS, it failed to connect to database ,as below error.

 

With RHEL8 FIPS enabled , tomcat logs show:

      22-Jun-2022 08:37:05.182 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k FIPS 25 Mar 2021]

   With RHEL8 FIPS not enabled, no  FIPS keyword from tomcat.

   

This is Java tomcat config  running in Kubed POD with RHEL8 FIPS mode.

 

{{ if .app.bouncycastle.fips.approved_only | default false }}
JAVA_OPTS="$JAVA_OPTS -Dorg.bouncycastle.fips.approved_only=true"
{{ end }}

 

[apache-tomcat]$ ps -ef|grep java
nobody 6 1 4 08:37 ? 00:09:07 /usr/lib/jvm/jre/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dorg.apache.catalina.security.SecurityListener.UMASK=0007 -Dorg.apache.catalina.connector.RECYCLE_FACADES=false -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true -Dsun.net.inetaddr.ttl=30 -Dcom.sun.management.config.file=/usr/local/apache-tomcat_1/jmxconf/jvmmgmt/management.properties -Dserver.name=cfg1-mjs-67fd7bfc7d-z74dh -Xms5600M -Xmx5600M -XX:MaxPermSize=1024m -Xmn1866M -Dspring.profiles.active=dev -server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=2701 -XX:MaxMetaspaceSize=1200M -Dorg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR=false -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false -Dsun.net.maxDatagramSockets=100 -Dlog4j2.formatMsgNoLookups=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Dspring.config.additional-location=file:/opt/webex/conf/webapps/ -verbose:gc -Xloggc:/opt/apache-tomcat/logs/gc_cfg1-mjs-67fd7bfc7d-z74dh.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=5M -Dfile.encoding=UTF-8 -Djava.util.logging.config.file=/opt/apache-tomcat/conf/logging.properties -Djava.security.manager -Djava.security.policy=/opt/apache-tomcat/conf/catalina.policy -Dignore.endorsed.dirs= -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dorg.apache.catalina.connector.RECYCLE_FACADES=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat/bin/bootstrap.jar:/opt/apache-tomcat/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat -Dcatalina.home=/opt/apache-tomcat -Djava.io.tmpdir=/opt/apache-tomcat/temp org.apache.catalina.startup.Bootstrap start

 

  For keystore details, no detail yet, will check and update then.  From Postgresql database connection logs, not found any client connection error or success during Tomcat failure connection, so it pretty like Tomcat JAVA failed on driver connection try step before reaching database server.

 

Thanks,

 

James

 

 

From: Dave Cramer <davecramer@postgres.rocks>
Sent: Wednesday, June 22, 2022 7:27 PM
To: James Pang (chaolpan) <chaolpan@cisco.com>
Cc: pgsql-jdbc@lists.postgresql.org
Subject: Re: JDBC-Platform error: unsupported key for HMAC algorithm

 

Hello,

 

Can you provide more information?

 

Which keys are you using, etc?

 

TBH I'm not sure if we have issues in FIPS mode, but I would certainly like to find out how to fix this.

 

I need more detailed information however such as how the keys were created and presented to the driver.

 

 

Dave


 

 

On Wed, 22 Jun 2022 at 06:39, James Pang (chaolpan) <chaolpan@cisco.com> wrote:

Hi,

   Postgresql server 13.4 on RHEL8.4 FIPS,    JAVA client use Postgres JDBC driver 42.3.3 to connect to database with TLS/SSL.  Without fips mode, it’s ok to login with TLSv1.2 and default SSL parameters, but when enable fips mode on JAVA client side. It failed in below error:

  at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
at org.postgresql.Driver.makeConnection(Driver.java:400)
at org.postgresql.Driver.connect(Driver.java:259)
... 220 more

 

does Postgres JDBC driver support  JVM FIPS mode to connect to Postgresql database ? from postgresql jdbc driver not able to connect in FIPS mode - Red Hat Customer Portal , that show Postgresql jdbc driver does not support JVM in FIPS mode in RHEL8 .

 

Thanks,

 

James

 


Can you try this without tomcat and using the latest JDBC driver please. 

There are too many variables to be able to replicate this.

Dave