Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread McDermott, Becky
We have a requirement to run all of our applications on FIPS enabled hosts.  Is
it possible to install and successfully run postgresql on a FIPS enabled host?

We currently run postgres in a container that is executing on a FIPS enabled
host with the setting:  password_encryption = scram-sha-256

And none of our Java clients can connect to the postgresql database.  If we run 
postgresql on a non-FIPS enabled host, everything works fine.

I'm having a hard time finding any FIPS guidance for postgresql from googling.  
If anyone has any guidance or has gotten this to work, that would be most 
helpful.

Thank you,

Becky McDermott


Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread Adrian Klaver

On 3/21/22 15:15, McDermott, Becky wrote:
> We have a requirement to run all of our applications on FIPS enabled
> hosts.  Is it possible to install and successfully run postgresql on a
> FIPS enabled host?
>
> We currently run postgres in a container that is executing on a FIPS
> enabled host with the setting:  password_encryption = scram-sha-256
>
> And none of our Java clients can connect to the postgresql database.  If
> we run postgresql on a non-FIPS enabled host, everything works fine.

Postgres version?

JDBC version?

> I’m having a hard time finding any FIPS guidance for postgresql from
> googling.  If anyone has any guidance or has gotten this to work, that
> would be most helpful.
>
> Thank you,
>
> *Becky McDermott*




--
Adrian Klaver
adrian.kla...@aklaver.com




Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread Tom Lane
"McDermott, Becky" writes:
> We have a requirement to run all of our applications on FIPS enabled hosts.
> Is it possible to install and successfully run postgresql on a FIPS enabled
> host?

We do test that case from time to time, but not regularly.

> We currently run postgres in a container that is executing on a FIPS enabled
> host with the setting:  password_encryption = scram-sha-256
> And none of our Java clients can connect to the postgresql database.  If we
> run postgresql on a non-FIPS enabled host, everything works fine.

It sounds like something thinks that scram-sha-256 encryption is
disallowed by FIPS.  That may or may not be accurate.  If it's
supposed to be allowed, you'd need to poke a little harder to
narrow down where the problem is.

(Digging in our commit logs, it looks like version 14.2 has some
changes that might make this work better than it did in older
versions; but I can't tell from the log messages whether the
issue being fixed was new-in-14 or not.)

regards, tom lane




RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread McDermott, Becky
Version 12.7

-Original Message-
From: Adrian Klaver  
Sent: Monday, March 21, 2022 4:25 PM
To: McDermott, Becky ; pgsql-general@lists.postgresql.org
Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

On 3/21/22 15:15, McDermott, Becky wrote:
> We have a requirement to run all of our applications on FIPS enabled 
> hosts.  Is it possible to install and successfully run postgresql on a
> FIPS enabled host?
>
> We currently run postgres in a container that is executing on a FIPS
> enabled host with the setting:  password_encryption = scram-sha-256
> 
> And none of our Java clients can connect to the postgresql database.  
> If we run postgresql on a non-FIPS enabled host, everything works fine.

Postgres version?

JDBC version?

> 
> I’m having a hard time finding any FIPS guidance for postgresql from 
> googling.  If anyone has any guidance or has gotten this to work, that 
> would be most helpful.
> 
> Thank you,
> 
> *Becky McDermott*
> 


--
Adrian Klaver
adrian.kla...@aklaver.com


Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread Adrian Klaver

On 3/21/22 15:43, McDermott, Becky wrote:
> Version 12.7

And the JDBC version?

> -Original Message-
> From: Adrian Klaver
> Sent: Monday, March 21, 2022 4:25 PM
> To: McDermott, Becky ; pgsql-general@lists.postgresql.org
> Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
>
> On 3/21/22 15:15, McDermott, Becky wrote:
>> We have a requirement to run all of our applications on FIPS enabled
>> hosts.  Is it possible to install and successfully run postgresql on a
>> FIPS enabled host?
>>
>> We currently run postgres in a container that is executing on a FIPS
>> enabled host with the setting:  password_encryption = scram-sha-256
>>
>> And none of our Java clients can connect to the postgresql database.
>> If we run postgresql on a non-FIPS enabled host, everything works fine.
>
> Postgres version?
>
> JDBC version?
>
>> I’m having a hard time finding any FIPS guidance for postgresql from
>> googling.  If anyone has any guidance or has gotten this to work, that
>> would be most helpful.
>>
>> Thank you,
>>
>> *Becky McDermott*
>
> --
> Adrian Klaver
> adrian.kla...@aklaver.com



--
Adrian Klaver
adrian.kla...@aklaver.com




RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread McDermott, Becky
So the logs for one of our Java servers that is attempting to connect to
postgres are showing:

Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for 
SCRAM-SHA-256".  We are also using Hibernate so perhaps the underlying problem 
is there?

java.sql.SQLException: Connections could not be acquired from the underlying database!
    at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:118) ~[mchange-commons-java-0.2.19.jar:0.2.19]
    at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:692) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at org.hibernate.c3p0.internal.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:72) ~[hibernate-c3p0-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:180) ~[hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:68) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:35) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:101) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:263) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:237) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.id.factory.internal.DefaultIdentifierGeneratorFactory.injectServices(DefaultIdentifierGeneratorFactory.java:152) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.injectDependencies(AbstractServiceRegistryImpl.java:286) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:243) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:214) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.boot.internal.InFlightMetadataCollectorImpl.(InFlightMetadataCollectorImpl.java:176) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.boot.model.process.spi.MetadataBuildingProcess.complete(MetadataBuildingProcess.java:127) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.metadata(EntityManagerFactoryBuilderImpl.java:1224) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1255) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at org.hibernate.jpa.HibernatePersistenceProvider.createEntityManagerFactory(HibernatePersistenceProvider.java:56) [hibernate-core-5.4.30.Final.jar:5.4.30.Final]
    at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:79) [javax.persistence-api-2.2.jar:2.2]
    at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:73) [frameworks-osd-daos-LATEST.jar:?]
    at gms.shared.frameworks.osd.dao.util.CoiEntityManagerFactory.create(CoiEntityManagerFactory.java:52) [frameworks-osd-daos-LATEST.jar:?]
    at gms.shared.frameworks.osd.repository.OsdRepositoryFactory.createOsdRepository(OsdRepositoryFactory.java:30) [frameworks-osd-repository-LATEST.jar:?]
    at gms.shared.frameworks.osd.service.OsdServiceApplication.main(OsdServiceApplication.java:12) [frameworks-osd-service-LATEST.jar:?]
Caused by: com.mchange.v2.resourcepool.CannotAcquireResourceException: A ResourcePool could not acquire a resource from its primary factory or source.
    at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1507) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554) ~[c3p0-0.9.5.5.jar:0

RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread McDermott, Becky
I will have to find out the JDBC version.  None of the containers will start 
(because of the database connection error) so I have to track down that version 
with one of our developers (I am on the platform team so not so well versed in 
the actual code).  Will get back with that version.

-Original Message-
From: Adrian Klaver  
Sent: Monday, March 21, 2022 4:46 PM
To: McDermott, Becky ; pgsql-general@lists.postgresql.org
Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled 
host?

On 3/21/22 15:43, McDermott, Becky wrote:
> Version 12.7

And the JDBC version?

> 
> -Original Message-
> From: Adrian Klaver 
> Sent: Monday, March 21, 2022 4:25 PM
> To: McDermott, Becky ; 
> pgsql-general@lists.postgresql.org
> Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
> 
> On 3/21/22 15:15, McDermott, Becky wrote:
>> We have a requirement to run all of our applications on FIPS enabled 
>> hosts.  Is it possible to install and successfully run postgresql on a
>> FIPS enabled host?
>>
>> We currently run postgres in a container that is executing on a FIPS
>> enabled host with the setting:  password_encryption = scram-sha-256
>>
>> And none of our Java clients can connect to the postgresql database.
>> If we run postgresql on a non-FIPS enabled host, everything works fine.
> 
> Postgres version?
> 
> JDBC version?
> 
>>
>> I’m having a hard time finding any FIPS guidance for postgresql from 
>> googling.  If anyone has any guidance or has gotten this to work, 
>> that would be most helpful.
>>
>> Thank you,
>>
>> *Becky McDermott*
>>
> 
> 
> --
> Adrian Klaver
> adrian.kla...@aklaver.com


--
Adrian Klaver
adrian.kla...@aklaver.com


RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread McDermott, Becky
It looks like jdbc-1.15.2.jar

-Original Message-
From: Adrian Klaver  
Sent: Monday, March 21, 2022 4:46 PM
To: McDermott, Becky ; pgsql-general@lists.postgresql.org
Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled 
host?

On 3/21/22 15:43, McDermott, Becky wrote:
> Version 12.7

And the JDBC version?

> 
> -Original Message-
> From: Adrian Klaver 
> Sent: Monday, March 21, 2022 4:25 PM
> To: McDermott, Becky ; 
> pgsql-general@lists.postgresql.org
> Subject: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?
> 
> On 3/21/22 15:15, McDermott, Becky wrote:
>> We have a requirement to run all of our applications on FIPS enabled 
>> hosts.  Is it possible to install and successfully run postgresql on a
>> FIPS enabled host?
>>
>> We currently run postgres in a container that is executing on a FIPS
>> enabled host with the setting:  password_encryption = scram-sha-256
>>
>> And none of our Java clients can connect to the postgresql database.
>> If we run postgresql on a non-FIPS enabled host, everything works fine.
> 
> Postgres version?
> 
> JDBC version?
> 
>>
>> I’m having a hard time finding any FIPS guidance for postgresql from 
>> googling.  If anyone has any guidance or has gotten this to work, 
>> that would be most helpful.
>>
>> Thank you,
>>
>> *Becky McDermott*
>>
> 
> 
> --
> Adrian Klaver
> adrian.kla...@aklaver.com


--
Adrian Klaver
adrian.kla...@aklaver.com


Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread Rob Sargent

On 3/21/22 16:55, McDermott, Becky wrote:
> It looks like jdbc-1.15.2.jar

Named in the stack trace:  postgresql-42.2.5.jar





Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread Tom Lane
"McDermott, Becky" writes:
> So the logs for one of our Java servers that is attempting to connect to
> postgres are showing:
> Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for 
> SCRAM-SHA-256".  We are also using Hibernate so perhaps the underlying 
> problem is there?

This definitely looks like the problem is on the client side not the
server side.  It might be worth asking on pgsql-jdbc to see if it's
that driver or not; but it could be coming from somewhere else in
the Java ecosystem.

regards, tom lane




RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread McDermott, Becky
Thank you.  I should be deploying a very simple container that has psql installed
and make sure I can connect in a simple way with a username/password.  If this 
works, then the database is fine and it would definitely point to a java issue.

Thanks!

-Original Message-
From: Tom Lane  
Sent: Monday, March 21, 2022 4:59 PM
To: McDermott, Becky 
Cc: pgsql-general@lists.postgresql.org
Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled 
host?

"McDermott, Becky" writes:
> So the logs for one of our Java servers that is attempting to connect to
> postgres are showing:
> Notice that the last "Caused by" is showing the "Unsupported PBKDF2 for 
> SCRAM-SHA-256".  We are also using Hibernate so perhaps the underlying 
> problem is there?

This definitely looks like the problem is on the client side not the server 
side.  It might be worth asking on pgsql-jdbc to see if it's that driver or 
not; but it could be coming from somewhere else in the Java ecosystem.

regards, tom lane




Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread Rob Sargent

On 3/21/22 17:02, McDermott, Becky wrote:
> Thank you.  I should be deploying a very simple container that has psql installed
> and make sure I can connect in a simple way with a username/password.  If this
> works, then the database is fine and it would definitely point to a java issue.
>
> Thanks!

I liked your original theory:
That stack trace message is rather adamant.  Is there any indication
that PBKDF2 and SCRAM-SHA-256 should play nice?

Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
    at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5]
    at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]
Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256






RE: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled host?

2022-03-21 Thread McDermott, Becky
I am a bit out of my element.  I don't even know where PBKDF2 is coming from.

I just confirmed that I can connect from one pod with psql installed to the 
postgres pod with a straight up "psql -h posgtgresql-gms -p 5432 -d mydb -U 
gms_read_only" and then I can run queries just fine.  So there is something on 
the Java side that is not connecting correctly.

Thank you everyone.  This was helpful.

-Original Message-
From: Rob Sargent  
Sent: Monday, March 21, 2022 5:08 PM
To: pgsql-general@lists.postgresql.org
Subject: Re: [EXTERNAL] Re: Can you install/run postgresql on a FIPS enabled 
host?

On 3/21/22 17:02, McDermott, Becky wrote:
> Thank you.  I should be deploying a very simple container that has psql
> installed and make sure I can connect in a simple way with a 
> username/password.  If this works, then the database is fine and it would 
> definitely point to a java issue.
>
> Thanks!

I liked your original theory:
That stack trace message is rather adamant.  Is there any indication that 
PBKDF2 and SCRAM-SHA-256 should play nice?

Caused by: org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
    at org.postgresql.Driver.connect(Driver.java:277) ~[postgresql-42.2.5.jar:42.2.5]
    at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:175) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:220) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1176) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1163) ~[c3p0-0.9.5.5.jar:0.9.5.5]
    at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696) ~[mchange-commons-java-0.2.19.jar:0.2.19]
Caused by: java.lang.RuntimeException: Unsupported PBKDF2 for SCRAM-SHA-256
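
Where PBKDF2 enters the picture, as an added example that is not code from the thread, pgJDBC or Hibernate: the salted-password step of SCRAM-SHA-256 (Hi() in RFC 5802) is PBKDF2 with HMAC-SHA-256, so a Java client needs that algorithm from its JVM. The diagnostic below assumes the client obtains it through the standard JCA SecretKeyFactory under the name PBKDF2WithHmacSHA256; the class name, password and salt are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical diagnostic class; run it with the same JRE and java.security
// configuration as the failing client.
public class ScramPbkdf2Check {
    static final String ALG = "PBKDF2WithHmacSHA256"; // standard JCA algorithm name
    // Constructed sample inputs (not from the thread). PostgreSQL 12 SCRAM
    // verifiers use a 16-byte salt and 4096 iterations.
    static final char[] PASSWORD = "constructed-sample-pw".toCharArray();
    static final byte[] SALT = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static final int ITERATIONS = 4096;

    // RFC 5802 Hi(): U1 = HMAC(pw, salt || INT(1)), Ui = HMAC(pw, U(i-1)),
    // result = U1 XOR U2 XOR ... XOR Ui. This is PBKDF2 with a 32-byte output.
    static byte[] hi(char[] pw, byte[] salt, int iterations) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        byte[] key = new String(pw).getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(salt);
        byte[] u = mac.doFinal(new byte[] {0, 0, 0, 1});
        byte[] out = u.clone();
        for (int i = 1; i < iterations; i++) {
            u = mac.doFinal(u);
            for (int j = 0; j < out.length; j++) {
                out[j] ^= u[j];
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Which registered providers advertise the algorithm at all?
        for (Provider p : Security.getProviders()) {
            boolean has = p.getService("SecretKeyFactory", ALG) != null;
            System.out.println(p.getName() + ": " + ALG + (has ? " available" : " missing"));
        }
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance(ALG);
            byte[] viaJca = f.generateSecret(
                    new PBEKeySpec(PASSWORD, SALT, ITERATIONS, 256)).getEncoded();
            boolean same = MessageDigest.isEqual(viaJca, hi(PASSWORD, SALT, ITERATIONS));
            System.out.println("Served by " + f.getProvider().getName()
                    + "; equals SCRAM Hi(): " + same);
        } catch (NoSuchAlgorithmException e) {
            // Without this algorithm, a client that relies on JCA for PBKDF2
            // cannot derive the SCRAM salted password.
            System.out.println("No provider offers " + ALG + ": " + e.getMessage());
        }
    }
}
```

Running it once on the FIPS enabled host and once on a non-FIPS host shows whether the two JVMs differ in the providers that serve this algorithm.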