I'm enabling SSL in an micronaut application and specifically I need to use BouncyCastle BCFKS type keystore. But the application doesn't run with the config provided.
ssl:
enabled: true
key-store:
path: file:usersDataKeyStore.keystore
password: 123456
type: BCFKS
provider: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
The error I get is
18:02:19.187 [default-nioEventLoopGroup-1-1] WARN io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x68615a0a]
io.micronaut.http.ssl.SslConfigurationException: An error occurred configuring SSL
at io.micronaut.http.ssl.SslBuilder.getKeyManagerFactory(SslBuilder.java:111)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:98)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:92)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.build(CertificateProvidedSslBuilder.java:85)
at io.micronaut.http.server.netty.HttpPipelineBuilder.<init>(HttpPipelineBuilder.java:117)
at io.micronaut.http.server.netty.NettyHttpServer.createPipelineBuilder(NettyHttpServer.java:723)
at io.micronaut.http.server.netty.NettyHttpServer.access$100(NettyHttpServer.java:109)
at io.micronaut.http.server.netty.NettyHttpServer$Listener.refresh(NettyHttpServer.java:762)
at io.micronaut.http.server.netty.NettyHttpServer$Listener.setServerChannel(NettyHttpServer.java:771)
at io.micronaut.http.server.netty.NettyHttpServer$1.initChannel(NettyHttpServer.java:501)
at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114)
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:223)
at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:381)
at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:370)
at io.netty.bootstrap.ServerBootstrap$1.initChannel(ServerBootstrap.java:148)
at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129)
at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112)
at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114)
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46)
at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463)
at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115)
at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650)
at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514)
at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429)
at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486)
at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.KeyStoreException: BCFKS not found
at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
at io.micronaut.http.ssl.SslBuilder.load(SslBuilder.java:142)
at io.micronaut.http.ssl.SslBuilder.getKeyStore(SslBuilder.java:126)
at io.micronaut.http.server.netty.ssl.CertificateProvidedSslBuilder.getKeyStore(CertificateProvidedSslBuilder.java:152)
at io.micronaut.http.ssl.SslBuilder.getKeyManagerFactory(SslBuilder.java:100)
... 36 common frames omitted
Caused by: java.security.NoSuchAlgorithmException: BCFKS KeyStore not available
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.base/java.security.Security.getImpl(Security.java:702)
at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
... 40 common frames omitted
18:02:19.193 [main] ERROR i.m.h.server.netty.NettyHttpServer - Error starting Micronaut server: null
io.netty.channel.StacklessClosedChannelException: null
at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source)
18:02:19.225 [main] ERROR io.micronaut.runtime.Micronaut - Error starting Micronaut server: Unable to start Micronaut server on *:9090
io.micronaut.http.server.exceptions.ServerStartupException: Unable to start Micronaut server on *:9090
at io.micronaut.http.server.netty.NettyHttpServer.bind(NettyHttpServer.java:541)
at io.micronaut.http.server.netty.NettyHttpServer.start(NettyHttpServer.java:281)
at io.micronaut.http.server.netty.NettyHttpServer.start(NettyHttpServer.java:104)
at io.micronaut.runtime.Micronaut.lambda$start$2(Micronaut.java:81)
at java.base/java.util.Optional.ifPresent(Optional.java:183)
at io.micronaut.runtime.Micronaut.start(Micronaut.java:79)
at io.micronaut.runtime.Micronaut.run(Micronaut.java:323)
at io.micronaut.runtime.Micronaut.run(Micronaut.java:309)
Caused by: io.netty.channel.StacklessClosedChannelException: null
at io.netty.channel.AbstractChannel$AbstractUnsafe.ensureOpen(ChannelPromise)(Unknown Source)
I tried to change the provider into various options, but I'm getting the same error all the time. Need to know if I'm correctly passing on the information like Keystore type and provider. I have seen in various forums that people have been using JKS and PKCS12, but never BCFKS. Any suggestions would be helpful.
Micronaut version : 3.8.7
Open-JDK : 11 (zulu)
Using the below dependencies
implementation("org.bouncycastle:bc-fips:1.0.2.3")
implementation("org.bouncycastle:bcpkix-fips:1.0.7")
implementation("org.bouncycastle:bcpkix-jdk15on:1.47")
From what I can see in the micronaut-core source code, nothing ever refers to the "provider" setting in the SslConfiguration. In particular, SslBuilder.getKeyStore does not refer to it. (I am also not clear on whether the "provider" setting should even be a class name, or instead the name of the provider i.e. "BCFIPS" in this case).
If we assume that you have not registered BouncyCastleFipsProvider in the java.security list of providers, this then explains why KeyStore.getInstance can not find an implementation for "BCFKS".
Registering BouncyCastleFipsProvider in java.security should get things working for you, but I would also suggest raising an issue with micronaut regarding the ignored property.