Can only access FIPS security provider when process runs as root
Issue
The following fails when run as a non-root user on RHEL 8.9 running in FIPS mode:
    keytool --showinfo --tls -v
    keytool error: java.security.ProviderException: Could not initialize NSS
    java.security.ProviderException: Could not initialize NSS
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:284)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:179)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:153)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
        at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:153)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:257)
        at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:248)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
        at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:248)
        at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:226)
        at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:268)
        at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:381)
        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.base/java.security.Security.getImpl(Security.java:749)
        at java.base/java.security.KeyStore.getInstance(KeyStore.java:868)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:969)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:423)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
    Caused by: java.io.IOException: NSS initialization failed
Environment
- Red Hat Enterprise Linux (RHEL) 8+
- Red Hat build of OpenJDK
- FIPS mode