Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)

From: McDermott, Becky
Subject: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)
Date:
Msg-id: BY3PR09MB862794CBC601C194B6332FB7C8179@BY3PR09MB8627.namprd09.prod.outlook.com
Replies: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)  ("McDermott, Becky" <bmcderm@sandia.gov>)
Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)  (Michael Paquier <michael@paquier.xyz>)
List: pgsql-jdbc

We have a requirement to run all of our applications on FIPS enabled hosts.

 

We currently run postgres in a container that is executing on a FIPS enabled host with the setting: password_encryption = scram-sha-256

 

I am able to connect from one container to the postgres container/service using psql commands.  However, none of our Java clients can connect to the postgresql database.  If we run postgresql on a non-FIPS enabled host, everything works fine.

 

Our postgres/jdbc versions are 12.7/42.2.5

 

The java stack trace is:

Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for SCRAM-SHA-256".  We are also using Hibernate so perhaps the underlying problem is there?

 

java.sql.SQLException: Connections could not be acquired from the underlying database!

        at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:118) ~[mchange-commons-java-0.2.19.jar:0.2.19]

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:692) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at org.hibernate.c3p0.internal.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:72) ~[hibernate-c3p0-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:180) ~[hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:68) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:35) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:101) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:237) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.id.factory.internal.DefaultIdentifierGeneratorFactory.injectServices(DefaultIdentifierGeneratorFactory.java:152) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.service.internal.AbstractServiceRegistryImpl.injectDependencies(AbstractServiceRegistryImpl.java:286) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:243) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.boot.internal.InFlightMetadataCollectorImpl.<init>(InFlightMetadataCollectorImpl.java:176) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.boot.model.process.spi.MetadataBuildingProcess.complete(MetadataBuildingProcess.java:127) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.metadata(EntityManagerFactoryBuilderImpl.java:1224) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1255) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at org.hibernate.jpa.HibernatePersistenceProvider.createEntityManagerFactory(HibernatePersistenceProvider.java:56) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]

        at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:79) [javax.persistence-api-2.2.jar:2.2]

        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:73) [frameworks-osd-daos-LATEST.jar:?]

        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:52) [frameworks-osd-daos-LATEST.jar:?]

        at gms.shared.frameworks.osd.repository.OsdRepositoryFactory.createOsdRepository(OsdRepositoryFactory.java:30) [frameworks-osd-repository-LATEST.jar:?]

        at gms.shared.frameworks.osd.service.OsdServiceApplication.main(OsdServiceApplication.java:12) [frameworks-osd-service-LATEST.jar:?]

Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from its primary factory or source.

        at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1507) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutAndMarkConnectionInUse(C3P0PooledConnectionPool.java:758) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:685) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        ... 23 more

Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.

        at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5]

        at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]

Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256

        at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.secretKeyFactory(ScramMechanisms.java:151) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.saltedPassword(ScramFunctions.java:61) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:198) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:165) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:132) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.jre8.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:131) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:678) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.Driver.makeConnection(Driver.java:454) ~[postgresql-42.2.5.jar:42.2.5]

        at org.postgresql.Driver.connect(Driver.java:256) ~[postgresql-42.2.5.jar:42.2.5]

        at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1908) ~[c3p0-0.9.5.5.jar:0.9.5.5]

        at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]

2022-03-21 22:40:22,878 INFO org.hibernate.dialect.Dialect [main] HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL95Dialect

 

I tried upgrading the jdbc driver to 42.2.24 and I’m getting a different error:

Notice the last Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm

 

2022-03-22 15:40:10,660 ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper [main] Connections could not be acquired from the underlying database!

Exception in thread "main" java.lang.IllegalArgumentException: Could not create persistence unit gms

        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:75)

        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:52)

        at gms.shared.frameworks.osd.repository.OsdRepositoryFactory.createOsdRepository(OsdRepositoryFactory.java:30)

        at gms.shared.frameworks.osd.service.OsdServiceApplication.main(OsdServiceApplication.java:12)

Caused by: javax.persistence.PersistenceException: [PersistenceUnit: gms] Unable to build Hibernate SessionFactory

        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.persistenceException(EntityManagerFactoryBuilderImpl.java:1336)

        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1262)

        at org.hibernate.jpa.HibernatePersistenceProvider.createEntityManagerFactory(HibernatePersistenceProvider.java:56)

        at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:79)

        at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:73)

        ... 3 more

Caused by: org.hibernate.exception.GenericJDBCException: Unable to open JDBC Connection for DDL execution

        at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)

        at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:113)

        at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:99)

        at org.hibernate.resource.transaction.backend.jdbc.internal.DdlTransactionIsolatorNonJtaImpl.getIsolatedConnection(DdlTransactionIsolatorNonJtaImpl.java:69)

        at org.hibernate.tool.schema.internal.exec.ImprovedExtractionContextImpl.getJdbcConnection(ImprovedExtractionContextImpl.java:60)

        at org.hibernate.tool.schema.extract.internal.SequenceInformationExtractorLegacyImpl.extractMetadata(SequenceInformationExtractorLegacyImpl.java:40)

        at org.hibernate.tool.schema.extract.internal.DatabaseInformationImpl.initializeSequences(DatabaseInformationImpl.java:65)

        at org.hibernate.tool.schema.extract.internal.DatabaseInformationImpl.<init>(DatabaseInformationImpl.java:59)

        at org.hibernate.tool.schema.internal.Helper.buildDatabaseInformation(Helper.java:155)

        at org.hibernate.tool.schema.internal.AbstractSchemaValidator.doValidation(AbstractSchemaValidator.java:61)

        at org.hibernate.tool.schema.spi.SchemaManagementToolCoordinator.performDatabaseAction(SchemaManagementToolCoordinator.java:192)

        at org.hibernate.tool.schema.spi.SchemaManagementToolCoordinator.process(SchemaManagementToolCoordinator.java:73)

        at org.hibernate.internal.SessionFactoryImpl.<init>(SessionFactoryImpl.java:318)

        at org.hibernate.boot.internal.SessionFactoryBuilderImpl.build(SessionFactoryBuilderImpl.java:468)

        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1259)

        ... 6 more

Caused by: java.sql.SQLException: Connections could not be acquired from the underlying database!

        at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:118)

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:692)

        at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140)

        at org.hibernate.c3p0.internal.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:72)

        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:180)

        at org.hibernate.resource.transaction.backend.jdbc.internal.DdlTransactionIsolatorNonJtaImpl.getIsolatedConnection(DdlTransactionIsolatorNonJtaImpl.java:43)

        ... 17 more

Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from its primary factory or source.

        at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1507)

        at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644)

        at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554)

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutAndMarkConnectionInUse(C3P0PooledConnectionPool.java:758)

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:685)

        ... 21 more

Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.

        at org.postgresql.Driver.connect(Driver.java:285)

        at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175)

        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220)

        at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206)

        at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203)

        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176)

        at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163)

        at com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44)

        at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1908)

        at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696)

Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm

        at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)

        at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)

        at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)

        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)

        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)

        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)

        at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)

        at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)

        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:778)

        at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:161)

        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:213)

        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:51)

        at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:225)

        at org.postgresql.Driver.makeConnection(Driver.java:465)

        at org.postgresql.Driver.connect(Driver.java:264)

        ... 9 more

 

We definitely don’t have something correct on the Java side.  Are there any experienced java users out there who can recommend the correct jdbc version and what we need to do on the Java side to support “password_encryption = scram-sha-256” for Postgres?

 

I am not a java developer but am responsible for the platform we run our application on so I can forward any java specifics to our development team(s).

 

Thank you,

 

Becky McDermott
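
A stand-alone probe for the two failures shown in the traces above, added here as an example; it is not part of the original message and is not pgjdbc code. It repeats the PBKDF2 and HMAC steps of a SCRAM-SHA-256 client proof through the JVM's own security providers and reports which provider serves or refuses each step. The class name, sample password and salt are constructed, and the JCA algorithm names are assumed to be the ones the driver's SCRAM code requests.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical diagnostic: repeats the two JCA steps of a SCRAM-SHA-256 client proof. */
public class ScramJcaProbe {
    // Constructed sample inputs; not taken from any real server exchange.
    static final char[] PASSWORD = "constructed-sample-password".toCharArray();
    static final byte[] SALT = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static final int ITERATIONS = 4096;

    // Assumed JCA algorithm names for SCRAM-SHA-256 (standard names, not read from the driver).
    static final String PBKDF2 = "PBKDF2WithHmacSHA256";
    static final String HMAC = "HmacSHA256";

    /** RFC 5802: SaltedPassword = Hi(password, salt, i), i.e. PBKDF2 with a 256-bit output. */
    static byte[] saltedPassword() throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBKDF2);
        SecretKey key = factory.generateSecret(new PBEKeySpec(PASSWORD, SALT, ITERATIONS, 256));
        System.out.println("  served by provider: " + factory.getProvider().getName());
        byte[] raw = key.getEncoded();
        if (raw == null) { // token-backed providers may refuse to export key bytes
            throw new IllegalStateException("derived key is not extractable");
        }
        return raw;
    }

    /** RFC 5802: ClientKey = HMAC(SaltedPassword, "Client Key"). */
    static byte[] clientKey(byte[] salted) throws Exception {
        Mac mac = Mac.getInstance(HMAC);
        mac.init(new SecretKeySpec(salted, HMAC)); // raw key import happens here
        System.out.println("  served by provider: " + mac.getProvider().getName());
        return mac.doFinal("Client Key".getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        System.out.println("Registered providers, in preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + ": " + p.getInfo());
        }
        try {
            System.out.println("Step 1: " + PBKDF2);
            byte[] salted = saltedPassword();
            System.out.println("  ok, " + salted.length + " bytes");
            System.out.println("Step 2: " + HMAC);
            byte[] ck = clientKey(salted);
            System.out.println("  ok, " + ck.length + " bytes");
        } catch (Exception e) {
            // Print the whole cause chain so the refusing provider is visible.
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  FAILED: " + t);
            }
        }
    }
}
```

Run it with the same JVM, container image and java.security configuration as the failing client so that the provider list matches what the driver sees.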
