Standardization of FIPS Java config with ES #17839
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
LS is not configured with -Djava.security.manager enabled. Configuring it does nothing.
See elastic/ingest-dev#5320 for details.
The -BC config was introduced to try to prevent loading non fips BC jars shipped with jruby. This config is harmless (though may not actually fully prevent BC providers from being loaded). This commit simply makes the priority number more consistent.
This commit updates the conversion of JKS to BCFKS for default trust store to match ES. Specifically: 1. Install the java-cacerts package (instead of using defaults shipped with java) 2. Only convert the default trust store (key store is non necessary)
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
|
This pull request does not have a backport label. Could you fix it @donoghuc? 🙏
|
donoghuc
commented
Jul 17, 2025
| make \ | ||
| # CODEREVIEW: I think make, gcc and glibc-dev are all in build-base package if we want that | ||
| gcc \ | ||
| java-cacerts \ |
There was a problem hiding this comment.
Reviewer note:
When building actual artifacts (not relying on first installing jdk) https://github.com/elastic/logstash/pull/17839/files#diff-9ecee4391e8c9d8f8f79230e3bf688cfe285f2452a70c070b8eb10868ab98cf9R121 we set up an explicit symlink.
In this dockerfile for setting up testing env we dont need to because it is created when java-cacerts is installed:
bash-5.3# apk add --no-cache java-cacerts
fetch https://virtualapk.cgr.dev/6b3f08c31afeab18043305daebd64cf18e682273/sha256:e4c9ae0b40e5ed1cbc9385cc4fef0d20293ce84f1b3e38a4f205fcd0834b8a2e/chainguard/aarch64/APKINDEX.tar.gz
fetch https://virtualapk.cgr.dev/6b3f08c31afeab18043305daebd64cf18e682273/sha256:e4c9ae0b40e5ed1cbc9385cc4fef0d20293ce84f1b3e38a4f205fcd0834b8a2e/extra-packages/aarch64/APKINDEX.tar.gz
OK: 885 MiB in 91 packages
bash-5.3# ls -la $JAVA_HOME/lib/security/cacerts
lrwxrwxrwx 1 root root 27 Jul 17 18:49 /usr/lib/jvm/java-21-openjdk/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
💛 Build succeeded, but was flaky
Failed CI Steps
History
|
|
yaauie
approved these changes
Jul 31, 2025
mergify bot
pushed a commit
that referenced
this pull request
Jul 31, 2025
* Remove unused java.policy file LS is not configured with -Djava.security.manager enabled. Configuring it does nothing. * Harmonize entropy source with ES See https://github.com/elastic/ingest-dev/issues/5320 for details. * Make capitalization consistent * Change numbering for provider config The -BC config was introduced to try to prevent loading non fips BC jars shipped with jruby. This config is harmless (though may not actually fully prevent BC providers from being loaded). This commit simply makes the priority number more consistent. * Standardize default trust store conversion with ES This commit updates the conversion of JKS to BCFKS for default trust store to match ES. Specifically: 1. Install the java-cacerts package (instead of using defaults shipped with java) 2. Only convert the default trust store (key store is non necessary) * Actually install java-cacerts * Avoid error linking when dir exists * When java is already installed apk-add java-cacerts already does the symlink (cherry picked from commit 591437c) # Conflicts: # docker/templates/Dockerfile.erb
donoghuc
added a commit
that referenced
this pull request
Jul 31, 2025
…17878) * Standardization of FIPS Java config with ES (#17839) * Remove unused java.policy file LS is not configured with -Djava.security.manager enabled. Configuring it does nothing. * Harmonize entropy source with ES See https://github.com/elastic/ingest-dev/issues/5320 for details. * Make capitalization consistent * Change numbering for provider config The -BC config was introduced to try to prevent loading non fips BC jars shipped with jruby. This config is harmless (though may not actually fully prevent BC providers from being loaded). This commit simply makes the priority number more consistent. * Standardize default trust store conversion with ES This commit updates the conversion of JKS to BCFKS for default trust store to match ES. Specifically: 1. Install the java-cacerts package (instead of using defaults shipped with java) 2. Only convert the default trust store (key store is non necessary) * Actually install java-cacerts * Avoid error linking when dir exists * When java is already installed apk-add java-cacerts already does the symlink (cherry picked from commit 591437c) # Conflicts: # docker/templates/Dockerfile.erb * Fix merge conflict --------- Co-authored-by: Cas Donoghue <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release notes
[rn:skip]
What does this PR do?
This PR implements the outcomes based on the comparison with ES container for FIPS config https://github.com/elastic/ingest-dev/issues/5320