Issue
This issue occurs when running CloudBees CI on an operating system that has FIPS mode enabled (for example, due to running sudo /sbin/grubby --update-kernel=ALL --args="fips=1").
Errors related to FIPS being enabled at the OS level are:
2023-02-23 23:08:15.361+0000 [id=1] INFO c.c.jenkins.ha.KeyStoreGenerator#generateKey: Trying to create keystore file 'jgroups_sym_encrypt.keystore' using algorithm 'AES' size '256'
2023-02-23 23:08:15.375+0000 [id=1] SEVERE c.c.jenkins.ha.HASwitcher#reportFallback: CloudBees CI Client Controller appears to have failed to boot. If this is a problem in the HA feature, you can disable HA by specifying JENKINS_HA=false as environment variable
java.security.NoSuchAlgorithmException: JCEKS KeyStore not available
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
    at java.base/java.security.Security.getImpl(Security.java:779)
    at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
Caused: java.security.KeyStoreException: JCEKS not found
    at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
    at com.cloudbees.jenkins.ha.KeyStoreGenerator.generateKey(KeyStoreGenerator.java:75)

sun.security.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11$FIPSPKCS11.C_CreateObject(PKCS11.java:1958)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storePkey(P11KeyStore.java:1803)
Workaround
The current versions of CloudBees CI are not FIPS-140 compliant, and changing this flag does not alter that fact. Running CloudBees CI on a FIPS-enabled host is known to cause issues; therefore, it is recommended not to run the host in FIPS mode. For more details, please reach out to your DevOps Consultant or Sales Representative.
To disable FIPS at the JVM level (which does not make CloudBees CI FIPS compliant), add the following Java arguments:
-Dcom.redhat.fips=false -Djava.security.disableSystemPropertiesFile=true
For help adding Java arguments, refer to How to add Java arguments to Jenkins?
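To confirm that the Java arguments took effect, the following added probe (not CloudBees code) repeats the operation named in the log, an AES key of size 256 stored in a JCEKS keystore, inside a JVM started with the same JDK and arguments as the controller. The class name FipsKeystoreProbe, the entry alias and the password are assumptions made for this example, and launching a single source file with the java command assumes Java 11 or later.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added diagnostic, not CloudBees code. Run it once without and once with the
// workaround arguments, using the JDK that runs the controller:
//   java FipsKeystoreProbe.java
//   java -Dcom.redhat.fips=false -Djava.security.disableSystemPropertiesFile=true FipsKeystoreProbe.java
public class FipsKeystoreProbe {

    // Attempts the operation from the log: an AES-256 key stored in a JCEKS keystore.
    // Returns null on success, or the exception the JVM raised.
    static Exception tryJceksAesKey() {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS"); // the call that fails in the stack trace
            ks.load(null, null);                          // new, empty, in-memory keystore
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey key = kg.generateKey();
            char[] pw = "probe-only".toCharArray();       // constructed throwaway password
            ks.setEntry("probe", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(pw));
            return null;
        } catch (Exception e) {
            return e;
        }
    }

    public static void main(String[] args) {
        // The two properties from the workaround; null means the argument was not passed.
        for (String name : new String[] {"com.redhat.fips", "java.security.disableSystemPropertiesFile"}) {
            System.out.println(name + " = " + System.getProperty(name));
        }
        // List the active security providers so the two runs can be compared.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }
        Exception e = tryJceksAesKey();
        if (e == null) {
            System.out.println("OK: JCEKS keystore accepted an AES-256 key");
        } else {
            System.out.println("FAIL: " + e);
            System.exit(1); // non-zero exit so the probe can be used in a script
        }
    }
}
```

A FAIL result with the arguments set means they are not reaching the JVM or are not honored by that JDK build; an OK result only shows that the JCEKS keystore type is available again, not that CloudBees CI is FIPS compliant.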