RHEL9, OpenJDK 11, FIPS - issues with PBES2 ciphers


I've read through several topics related to this issue but none so far have helped.

We're running RHEL9 with OpenJDK 11.0.22 and OpenSSL 3.0.7, with FIPS mode enabled (disabling FIPS is not an option). We have an SSL cert, private key, and intermediate/root certs which I'm attempting to use as a keystore for our Java apps. I can combine them into a PKCS12 file, which works fine, but that's where the problems begin -

Java can't read the PKCS12 file because OpenSSL is using FIPS-compliant PBES2 ciphers -

java.io.IOException: parseAlgParameters failed: PBES2 AlgorithmParameters not available

Many threads on this issue.

Converting the PKCS12 file into a JKS file fails for the same reason - keytool has trouble with the PBES2 ciphers. Running OpenSSL with the legacy provider to generate the PKCS12 file doesn't work as the legacy provider is blocked by FIPS.

According to the java.security file on the server in question, PBES2 ciphers are available and are the defaults (i.e. PBEWithHmacSHA256AndAES_256 and HmacPBESHA256). According to the documentation I've found, OpenJDK 11.0.22 should support PBES2.

Why is our OpenJDK install struggling with this when everything seems to imply that PBES2 support should exist?

Thanks for any insight.
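An added diagnostic, not part of the question, for confirming which password-based encryption scheme a PKCS12 file actually carries: it DER-encodes the well-known PBE-related OIDs and byte-searches the raw .p12 for them, so matches on the PBES2 and PBKDF2 OIDs show that the file needs exactly the PBES2 AlgorithmParameters named in the error above. The file path on the command line is a hypothetical argument, and the salt and IV bytes in the embedded sample are constructed.

```python
import sys

# Added example, not from the question: DER-encode well-known PBE-related OIDs and
# search the raw PKCS12 bytes for them. The PBE AlgorithmIdentifiers live in the
# unencrypted framing of a .p12, so a byte search shows whether the file uses
# PBES2 (PBKDF2 + AES) or the legacy PKCS#12 PBE schemes.
KNOWN_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2)",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256 (PBKDF2 PRF)",
    "1.2.840.113549.2.7": "hmacWithSHA1 (PBKDF2 PRF)",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (legacy PKCS#12 PBE)",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC (legacy PKCS#12 PBE)",
}

def encode_oid(dotted: str) -> bytes:
    """Full DER TLV (tag 0x06, length, base-128 arcs) for a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits go last, no continuation bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def identify_pbe(der: bytes) -> list:
    """Return (offset, oid, name) for every known OID present, in file order."""
    hits = []
    for oid, name in KNOWN_OIDS.items():
        pattern = encode_oid(oid)
        pos = der.find(pattern)
        while pos != -1:
            hits.append((pos, oid, name))
            pos = der.find(pattern, pos + 1)
    return sorted(hits)

# Constructed sample: a PBES2 AlgorithmIdentifier as OpenSSL 3 emits by default
# (PBKDF2 with hmacWithSHA256, 2048 iterations, AES-256-CBC); salt/IV are dummy bytes.
SAMPLE_PBES2 = bytes.fromhex(
    "3057" "06092a864886f70d01050d" "304a"
    "3029" "06092a864886f70d01050c" "301c" "0408" "0102030405060708" "02020800"
    "300c" "06082a864886f70d0209" "0500"
    "301d" "0609" "60864801650304012a" "0410" + "00" * 16
)

if __name__ == "__main__":  # usage: python pbe_oids.py server.p12 (hypothetical path)
    for off, oid, name in identify_pbe(open(sys.argv[1], "rb").read()):
        print(f"offset {off:6d}  {oid:<25} {name}")
```

Run it against the PKCS12 file OpenSSL produced: hits for PBES2, PBKDF2 and an AES OID confirm the PBES2 wrapping, while a hit for the 3DES or RC2 legacy OIDs would mean the file is using the older PKCS#12 PBE schemes instead.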
