Re: [EXTERNAL] Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)

From: Dave Cramer <davecramer(at)postgres(dot)rocks>
To: "McDermott, Becky" <bmcderm(at)sandia(dot)gov>
Cc: Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, "pgsql-jdbc(at)lists(dot)postgresql(dot)org" <pgsql-jdbc(at)lists(dot)postgresql(dot)org>
Subject: Re: [EXTERNAL] Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)
Date: 2022-03-28 15:03:39
Message-ID: CADK3HH+4s+Z=OKZ1O+gsgESL0k-kUhXo7rXHqq2=gNq4A=4roQ@mail.gmail.com
Lists: pgsql-jdbc

---------- Forwarded message ---------
From: McDermott, Becky <bmcderm(at)sandia(dot)gov>
Date: Mon, 28 Mar 2022 at 10:07
Subject: RE: [EXTERNAL] Re: Java client connection problem on FIPS enabled hosts (with password_encryption = scram-sha-256)
To: Dave Cramer <davecramer(at)postgres(dot)rocks>
Cc: Sehrope Sarkuni <sehrope(at)jackdb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-jdbc(at)lists(dot)postgresql(dot)org <pgsql-jdbc(at)lists(dot)postgresql(dot)org>

>> *From:* Dave Cramer <davecramer(at)postgres(dot)rocks>
>> *Sent:* Friday, March 25, 2022 7:17 AM
>>

>> I just tried this on openjdk 11.0.1 on macos and it works fine. It may
>> be a specific problem with the openjdk built by the vendor you are using (I
>> presume redhat?)

Thank you so much for letting me know that openjdk worked for you. We are
building our base Java Docker image (that our Java services and my simple
example run in) from Iron Bank Redhat Universal Base Image (UBI) 8 and
then installing Java into the image:

# java
ARG JAVA_MAJOR_VERSION=11
ARG JAVA_VERSION=1:11.0.14.0.9-2.el8*
ENV JAVA_HOME /usr/lib/jvm/java-${JAVA_MAJOR_VERSION}-openjdk
dnf install java-${JAVA_MAJOR_VERSION}-openjdk-devel-${JAVA_VERSION}

I will work with someone on my team that understands the base images
better. It is my understanding that we are building our own base Java
image from Redhat UBI 8. Maybe there is something more we need to do to
make sure the crypto libraries get installed?

Honestly I don't know. What I would do is try this on a redhat machine (not
in a docker container) to start with. If that fails then you have somewhere
to start.

Dave
