Red Hat Single Sign-On (RH SSO) fails to start in OpenShift Container Platform (OCP) when using FIPS

Solution Verified - Updated -

Issue

  • We have FIPS enabled on the cluster:

    $ oc get cm <ConfigMap> -n <Project> -o yaml | grep -i "fips"
    fips: true
    

    The following message is displayed when the RH SSO pod starts:

    WARN No password defined for JGroups cluster. AUTH protocol will be disabled. Please define JGROUPS_CLUSTER_PASSWORD.
    INFO Configuring JGroups discovery protocol to dns.DNS_PING
    INFO Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
    

    And then it exits abruptly, switching the status to CrashLoopBackOff.

  • With a fips: true OpenShift cluster, the RH SSO images fail to start, giving the error:

    Importing keystore /opt/eap/keystores/jgroups-keystore.pk12 to /opt/eap/keystores/jgroups-keystore.jks...
    keytool error: java.io.IOException: parseAlgParameters failed: PBE AlgorithmParameters not available
    

Environment

  • Red Hat Single Sign-On (RH SSO)
    • 7.X
  • OpenShift Container Platform (OCP)
    • 3.11
    • 4.X
