Usage of Oracle 19c database driver in EAP gives PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE with PKCS11 and FIPS

Solution Verified - Updated -

Issue

  • Oracle 19c is giving the following error when EAP is configured to use SunPKCS11 and FIPS.

    Caused by: java.security.ProviderException: Could not derive key
    at sun.security.pkcs11.P11KeyAgreement.engineGenerateSecret(P11KeyAgreement.java:238)
    at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:586)
    at oracle.net.aso.v.f(Unknown Source)
    at oracle.net.ano.DataIntegrityService.g(Unknown Source)
    at oracle.net.ano.Ano.negotiation(Unknown Source)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:368)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1596)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:588)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:793)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:57)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:747)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:562)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
    ... 61 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE
    at sun.security.pkcs11.wrapper.PKCS11.C_GetAttributeValue(Native Method)
    at sun.security.pkcs11.P11KeyAgreement.engineGenerateSecret(P11KeyAgreement.java:218)

Environment

  • Red Hat JBoss Enterprise Application Platform 7
  • PKCS11 security provider using NSS and FIPS
  • Oracle 19c JDBC database driver

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content