This repository has been archived by the owner on Jun 17, 2024. It is now read-only.

DB2 is not working over FIPS #43

Open
pjgg opened this issue Sep 17, 2021 · 5 comments

pjgg commented Sep 17, 2021

I am running an application over FIPS security protocol and I am getting the following error from DB2 when I am trying to connect to the database.

Stacktrace:

12:21:05.340 INFO  [app] 12:21:03,833 Datasource 'db2': [jcc][t4][2010][11246][4.29.24] Connection authorization failure occurred.  Reason: Local security service non-retryable error. ERRORCODE=-4214, SQLSTATE=28000
12:21:05.340 INFO  [app] 12:21:03,843 Failed to start application (with profile prod): com.ibm.db2.jcc.am.SqlInvalidAuthorizationSpecException: [jcc][t4][2010][11246][4.29.24] Connection authorization failure occurred.  Reason: Local security service non-retryable error. ERRORCODE=-4214, SQLSTATE=28000
12:21:05.341 INFO  [app] 	at com.ibm.db2.jcc.am.b7.a(b7.java:808)
12:21:05.341 INFO  [app] 	at com.ibm.db2.jcc.am.b7.a(b7.java:66)
12:21:05.341 INFO  [app] 	at com.ibm.db2.jcc.am.b7.a(b7.java:133)
12:21:05.341 INFO  [app] 	at com.ibm.db2.jcc.t4.b.f(b.java:2663)
12:21:05.341 INFO  [app] 	at com.ibm.db2.jcc.t4.b.b(b.java:2004)
12:21:05.341 INFO  [app] 	at com.ibm.db2.jcc.t4.z.r(z.java:961)
12:21:05.341 INFO  [app] 	at com.ibm.db2.jcc.t4.z.k(z.java:494)
12:21:05.342 INFO  [app] 	at com.ibm.db2.jcc.t4.z.c(z.java:144)
12:21:05.342 INFO  [app] 	at com.ibm.db2.jcc.t4.b.k(b.java:1513)
12:21:05.342 INFO  [app] 	at com.ibm.db2.jcc.t4.b.b(b.java:1426)
12:21:05.342 INFO  [app] 	at com.ibm.db2.jcc.t4.b.a(b.java:6838)
12:21:05.342 INFO  [app] 	at com.ibm.db2.jcc.t4.b.b(b.java:947)
12:21:05.343 INFO  [app] 	at com.ibm.db2.jcc.t4.b.a(b.java:860)
12:21:05.343 INFO  [app] 	at com.ibm.db2.jcc.t4.b.a(b.java:455)
12:21:05.343 INFO  [app] 	at com.ibm.db2.jcc.t4.b.a(b.java:428)
12:21:05.343 INFO  [app] 	at com.ibm.db2.jcc.t4.b.<init>(b.java:366)
12:21:05.344 INFO  [app] 	at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:243)
12:21:05.344 INFO  [app] 	at com.ibm.db2.jcc.DB2SimpleDataSource.getConnection(DB2SimpleDataSource.java:200)
12:21:05.344 INFO  [app] 	at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:491)
12:21:05.344 INFO  [app] 	at com.ibm.db2.jcc.DB2Driver.connect(DB2Driver.java:117)
12:21:05.344 INFO  [app] 	at io.agroal.pool.ConnectionFactory.createConnection(ConnectionFactory.java:204)
12:21:05.344 INFO  [app] 	at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:470)
12:21:05.345 INFO  [app] 	at io.agroal.pool.ConnectionPool$CreateConnectionTask.call(ConnectionPool.java:452)
12:21:05.345 INFO  [app] 	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
12:21:05.345 INFO  [app] 	at io.agroal.pool.util.PriorityScheduledExecutor.beforeExecute(PriorityScheduledExecutor.java:68)
12:21:05.345 INFO  [app] 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1126)
12:21:05.345 INFO  [app] 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

Environment: RHEL8 or fedora workstation 32
JDK11 (OpenJDK)

DB2 was running in a docker container

example:

docker run --name db2 --privileged=true -p 50000:50000 -e LICENSE=accept -e DB2INST1_PASSWORD=test -e DB2INSTANCE=test -e DBNAME=amadeus -e AUTOCONFIG=false -e ARCHIVE_LOGS=false -v /tmp:/database ibmcom/db2

The same app/db2 is running as expected without FIPS

@rsvoboda

Please provide details on how FIPS is configured; not many people may know that topic in detail.


pjgg commented Sep 17, 2021

You can install FIPS running the following script

#!/bin/bash

# Read the kernel FIPS flag (0 = disabled, 1 = enabled)
fips_enabled=$(sysctl crypto.fips_enabled | tr -dc '0-9')

if [ "$fips_enabled" -eq 0 ]
then
    # If the prelink package is installed: disable prelinking
    rpm -q prelink && sed -i '/^PRELINKING/s,yes,no,' /etc/sysconfig/prelink
    rpm -q prelink && prelink -uav
    # Enable FIPS
    fips-mode-setup --enable
    echo "The system must be rebooted in order to apply the changes"
else
    echo "Fips is already enabled"
fi

Sgitario added a commit to quarkus-qe/quarkus-test-suite that referenced this issue Sep 17, 2021

pjgg commented Apr 28, 2022

db2:11.5.7.0 / latest still failing with the same error

Any tips from DB2 in order to handle this issue or how to deal with DB2 Docker container over FIPS?

@JiriOndrusek

Hi @pjgg @rsvoboda, is there any news on this topic? I can see the same problem with ibmcom/db2:11.5.9.0

@rsvoboda

@michalvavrik is looking into that, only small progress after several days, we would need somebody from IBM to help here.
