Keytool is failing in FIPS mode in RHEL 8

Solution Verified - Updated -

Issue

Keytool is failing in FIPS mode, because OpenJDK does not depend on nss package:

/usr/lib/jvm/jre-11-openjdk-11.0.9.11-2.el8_3.x86_64/bin/keytool -v -import -noprompt -trustcacerts -alias cacert -keypass mypass -file ca.pem -keystore .truststore -storepass mypass
keytool error: java.security.ProviderException: Could not initialize NSS
java.security.ProviderException: Could not initialize NSS
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:217)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:112)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:109)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:109)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:251)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:242)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:242)
        at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:222)
        at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
        at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:379)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.base/java.security.Security.getImpl(Security.java:717)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:925)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:405)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:398)
Caused by: java.io.FileNotFoundException: /usr/lib64/libnss3.so
        at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:193)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
        ... 17 more

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 8
  • OpenJDK
    • 8u275
    • 11u9

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content