Startup fails when on a FIPS enabled Operating System


Issue

CloudBees CI fails to start when it runs on an operating system that has FIPS mode enabled (for example, after running sudo /sbin/grubby --update-kernel=ALL --args="fips=1").

The errors caused by FIPS being enabled at the OS level are:

2023-02-23 23:08:15.361+0000 [id=1]     INFO    c.c.jenkins.ha.KeyStoreGenerator#generateKey: Trying to create keystore file 'jgroups_sym_encrypt.keystore' using algorithm 'AES' size '256'
2023-02-23 23:08:15.375+0000 [id=1]     SEVERE  c.c.jenkins.ha.HASwitcher#reportFallback: CloudBees CI Client Controller appears to have failed to boot. If this is a problem in the HA feature, you can disable HA by specifying JENKINS_HA=false as environment variable
java.security.NoSuchAlgorithmException: JCEKS KeyStore not available
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.base/java.security.Security.getImpl(Security.java:779)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
Caused: java.security.KeyStoreException: JCEKS not found
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
        at com.cloudbees.jenkins.ha.KeyStoreGenerator.generateKey(KeyStoreGenerator.java:75)
sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$FIPSPKCS11.C_CreateObject(PKCS11.java:1958)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1803)

Resolution

When SHA1 is disabled by the system crypto policies (as it is in FIPS mode), various features that depend on it no longer work.

Workaround

The current versions of CloudBees CI are not FIPS-140 compliant, and changing this flag does not alter that fact. Running CloudBees CI on a FIPS-enabled host is known to cause issues; therefore, it is recommended to not run the host in FIPS mode.

For more details, please reach out to your DevOps Consultant or Sales Representative.

To disable FIPS at the JVM level (which does not make CloudBees CI FIPS compliant), add the following Java arguments:

-Dcom.redhat.fips=false -Djava.security.disableSystemPropertiesFile=true

For help adding Java arguments, refer to How to add Java arguments to Jenkins?
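The following pre-flight check is an added example and is not part of this article or of CloudBees' own tooling. It reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled (the standard Linux interface; the path is taken as an argument so the check can also be run against a constructed sample file) and inspects a Java options string for the two properties listed above. The use of the JENKINS_JAVA_OPTS variable at the bottom is an assumption about how the Java arguments are supplied on a given install; adjust it to match the method described in the linked article.

```shell
#!/bin/sh
# Added example, not CloudBees code: pre-flight check for the FIPS condition
# described in the article. Nothing here changes system state.

# Returns 0 when the given fips_enabled file reports 1 (FIPS on), 1 otherwise.
# Real path on Linux: /proc/sys/crypto/fips_enabled; taken as $1 so a
# constructed sample file can be checked as well.
os_fips_enabled() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$fips_file" ] || return 1
    [ "$(cat "$fips_file" 2>/dev/null)" = "1" ]
}

# Returns 0 when both JVM properties from the article are present in the
# options string passed as $1, 1 otherwise.
jvm_fips_disabled() {
    opts="$1"
    case "$opts" in
        *-Dcom.redhat.fips=false*) ;;
        *) return 1 ;;
    esac
    case "$opts" in
        *-Djava.security.disableSystemPropertiesFile=true*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise the host state. Exit codes:
#   0 = host not in FIPS mode (nothing to do)
#   2 = host in FIPS mode, JVM workaround present (still not FIPS compliant)
#   3 = host in FIPS mode, JVM workaround absent (JCEKS/PKCS11 startup errors expected)
preflight() {
    fips_file="$1"
    opts="$2"
    if ! os_fips_enabled "$fips_file"; then
        echo "OS FIPS mode: off"
        return 0
    fi
    if jvm_fips_disabled "$opts"; then
        echo "OS FIPS mode: on; JVM FIPS disabled via Java args (workaround active, not FIPS compliant)"
        return 2
    fi
    echo "OS FIPS mode: on; JVM FIPS NOT disabled - expect the JCEKS/PKCS11 errors from the article"
    return 3
}

# Stand-alone run against the live host. JENKINS_JAVA_OPTS is an assumed
# variable name; substitute whatever carries the Java arguments on your install.
preflight /proc/sys/crypto/fips_enabled "${JENKINS_JAVA_OPTS:-}" || :
```

Run it on the controller host before starting CloudBees CI; exit code 3 is the combination that produces the stack traces shown in the Issue section, and exit code 2 means the JVM-level workaround is in place while the host itself is still in FIPS mode.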