RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

From McDermott, Becky
Subject RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
Date
Msg-id BY3PR09MB86273DECBC859A583051CD57C8169@BY3PR09MB8627.namprd09.prod.outlook.com
In reply to Re: Can you install/run postgresql on a FIPS enabled host?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
So the logs for one of our Java servers that is attempting to connect to postgres are showing:

Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for SCRAM-SHA-256".  We are also using Hibernate, so
perhaps the underlying problem is there?

java.sql.SQLException: Connections could not be acquired from the underlying database!
        at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:118) ~[mchange-commons-java-0.2.19.jar:0.2.19]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:692) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at org.hibernate.c3p0.internal.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:72) ~[hibernate-c3p0-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:180) ~[hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:68) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:35) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:101) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:237) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.id.factory.internal.DefaultIdentifierGeneratorFactory.injectServices(DefaultIdentifierGeneratorFactory.java:152) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.injectDependencies(AbstractServiceRegistryImpl.java:286) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:243) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.boot.internal.InFlightMetadataCollectorImpl.<init>(InFlightMetadataCollectorImpl.java:176) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.boot.model.process.spi.MetadataBuildingProcess.complete(MetadataBuildingProcess.java:127) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.metadata(EntityManagerFactoryBuilderImpl.java:1224) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1255) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at org.hibernate.jpa.HibernatePersistenceProvider.createEntityManagerFactory(HibernatePersistenceProvider.java:56) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
        at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:79) [javax.persistence-api-2.2.jar:2.2]
        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:73) [frameworks-osd-daos-LATEST.jar:?]
        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:52) [frameworks-osd-daos-LATEST.jar:?]
        at gms.shared.frameworks.osd.repository.OsdRepositoryFactory.createOsdRepository(OsdRepositoryFactory.java:30) [frameworks-osd-repository-LATEST.jar:?]
        at gms.shared.frameworks.osd.service.OsdServiceApplication.main(OsdServiceApplication.java:12) [frameworks-osd-service-LATEST.jar:?]
Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from its primary factory or source.
        at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1507) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutAndMarkConnectionInUse(C3P0PooledConnectionPool.java:758) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:685) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        ... 23 more
Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
        at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5]
        at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]
Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256
        at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.secretKeyFactory(ScramMechanisms.java:151) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.saltedPassword(ScramFunctions.java:61) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:198) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:165) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:132) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.jre8.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:131) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:678) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.Driver.makeConnection(Driver.java:454) ~[postgresql-42.2.5.jar:42.2.5]
        at org.postgresql.Driver.connect(Driver.java:256) ~[postgresql-42.2.5.jar:42.2.5]
        at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1908) ~[c3p0-0.9.5.5.jar:0.9.5.5]
        at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]
2022-03-21 22:40:22,878 INFO org.hibernate.dialect.Dialect [main] HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL95Dialect

-----Original Message-----
From: Tom Lane <tgl@sss.pgh.pa.us>
Sent: Monday, March 21, 2022 4:33 PM
To: McDermott, Becky <bmcderm@sandia.gov>
Cc: pgsql-general@lists.postgresql.org
Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

"McDermott, Becky" <bmcderm@sandia.gov> writes:
> We have a requirement to run all of our applications on FIPS enabled hosts.  Is it possible to install and
> successfully run postgresql on a FIPS enabled host?

We do test that case from time to time, but not regularly.

> We currently run postgres in a container that is executing on a FIPS
> enabled host with the setting:  password_encryption = scram-sha-256
> And none of our Java clients can connect to the postgresql database.  If we run postgresql on a non-FIPS enabled host, everything works fine.

It sounds like something thinks that scram-sha-256 encryption is disallowed by FIPS.  That may or may not be accurate.
If it's supposed to be allowed, you'd need to poke a little harder to narrow down where the problem is.

(Digging in our commit logs, it looks like version 14.2 has some changes that might make this work better than it did
in older versions; but I can't tell from the log messages whether the issue being fixed was new-in-14 or not.)

            regards, tom lane
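The innermost cause in the trace above is thrown from the driver's shaded SCRAM library (ScramMechanisms.secretKeyFactory) while it computes the SCRAM SaltedPassword, that is, when it asks the JCE for a PBKDF2 SecretKeyFactory. The following stand-alone diagnostic is an added example, not code from this thread or from the pgjdbc or ongres projects. It assumes the algorithm the client needs is the standard JCE name PBKDF2WithHmacSHA256, and the salt, password and iteration count are constructed sample values. It lists which installed security providers offer that factory and then runs the same derivation (RFC 5802 Hi(), i.e. PBKDF2-HMAC-SHA-256 with a 32-byte output), so the step the driver fails on can be checked on the FIPS-configured JVM without involving the database at all.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class ScramFipsCheck {

    // Assumption: the standard JCE algorithm name for PBKDF2 keyed with HMAC-SHA-256,
    // which is what a SCRAM-SHA-256 client needs for the SaltedPassword step.
    static final String PBKDF2_ALG = "PBKDF2WithHmacSHA256";

    /** Prints, for every installed provider, whether it advertises the SecretKeyFactory. */
    static void listProviders() {
        for (Provider p : Security.getProviders()) {
            Provider.Service s = p.getService("SecretKeyFactory", PBKDF2_ALG);
            System.out.printf("%-28s %s%n", p.getName(),
                    s == null ? "does not offer " + PBKDF2_ALG
                              : "offers " + PBKDF2_ALG);
        }
    }

    /**
     * RFC 5802: SaltedPassword := Hi(Normalize(password), salt, i), where Hi is
     * PBKDF2 with the mechanism's HMAC; for SCRAM-SHA-256 the output is 32 bytes.
     * SASLprep normalization of the password is omitted here for brevity.
     */
    static byte[] saltedPassword(char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBKDF2_ALG);
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password in the spec's buffer
        }
    }

    public static void main(String[] args) {
        listProviders();

        // Constructed sample values, not taken from any real server exchange.
        byte[] salt = "constructed-sample-salt".getBytes(StandardCharsets.UTF_8);
        char[] password = "constructed-sample-password".toCharArray();
        int iterations = 4096;

        try {
            byte[] sp = saltedPassword(password, salt, iterations);
            System.out.println("OK: " + PBKDF2_ALG + " is available; SaltedPassword is "
                    + sp.length + " bytes");
        } catch (NoSuchAlgorithmException e) {
            // This is the condition the driver reports as "Unsupported PBKDF2 for SCRAM-SHA-256".
            System.out.println("FAIL: no installed provider supplies " + PBKDF2_ALG
                    + "; SCRAM-SHA-256 client authentication cannot complete on this JVM");
        } catch (InvalidKeySpecException e) {
            System.out.println("FAIL: provider rejected the PBKDF2 key spec: " + e.getMessage());
        } finally {
            java.util.Arrays.fill(password, '\0');
        }
    }
}
```

Run it with the same JVM binary and the same java.security configuration the application server uses, since FIPS mode is typically enforced by the provider list in that configuration rather than by the driver. If the provider listing shows no entry for the factory, the fault is in the JVM's crypto configuration, not in Hibernate or c3p0, which are only passing the exception up.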


