CWP security.fips.enabled and load New Relic cause gateway throws Could not generate XDH keypair error


Article ID: 257470


Updated On:


CA API Gateway


We had an issue where CWP security.fips.enabled=true blocked connections using TLS to our MySQL database.  We got past that by adding the following system property:

jdk.tls.namedGroups=secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192

We also use New Relic, a third-party jar that provides system monitoring for us. This jar gets loaded by a script in /opt/SecureSpan/Gateway/runtime/etc/profile.d/:

# Attach the New Relic agent only when both the jar and its config file exist
if [ -e "/opt/cms/newrelic-java/newrelic.jar" ]; then
    if [ -e "/opt/cms/apps/cmdb/api_gateway/newrelic.yml" ]; then
        export NODE_OPTS="${NODE_OPTS} -javaagent:/opt/cms/newrelic-java/newrelic.jar -Dnewrelic.config.file=/opt/cms/apps/cmdb/api_gateway/newrelic.yml"
    else
        echo "No configuration file for newrelic java agent."
    fi
else
    echo "Newrelic java agent not found. Starting system without New Relic Java Agent."
fi


When security.fips.enabled=false, New Relic loads and works fine. When security.fips.enabled=true, it also fails to connect to the New Relic system, with a similar "Could not generate XDH keypair" error:

2023-01-04T10:29:53,236-0500 [2437 128] com.newrelic INFO: Remote preconnect call failed : Could not generate XDH keypair.
2023-01-04T10:29:53,236-0500 [2437 128] com.newrelic.agent.rpm.RPMConnectionServiceImpl INFO: Failed to connect to for #########: Could not generate XDH keypair


New Relic support requested that we add the following EC groups to the same system property:

x25519 and x448

jdk.tls.namedGroups="x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192"

This did not help, and we still see blocked connections to MySQL when we load the New Relic jar:

2023-01-04T10:30:44.532-0500 WARN    182 org.hibernate.engine.jdbc.spi.SqlExceptionHelper: SQL Error: 0, SQLState: null
2023-01-04T10:30:44.535-0500 ERROR   182 org.hibernate.engine.jdbc.spi.SqlExceptionHelper: Connections could not be acquired from the underlying database!



Release : 10.1


Cause:

x25519 and x448 cannot simply be added to jdk.tls.namedGroups. The CCJ library included in Gateway version 10.1 CR2 does not fully support the curve25519 and curve448 algorithms, so these groups are not available for TLS connections when FIPS is enabled. Listing them in jdk.tls.namedGroups (with x25519 first, as above) makes the JSSE client try to generate an X25519 key pair for the key_share it sends in the ClientHello; the FIPS provider cannot do that, and the failed KeyPairGenerator call is what surfaces as "Could not generate XDH keypair".


Resolution:

Adding x25519 and x448 to the jdk.disabled.namedCurves list resolved the issue. The stock java.security file includes jdk.disabled.namedCurves in jdk.tls.disabledAlgorithms, so curves listed there are removed from negotiation for every SSLContext in the JVM; the client never attempts an X25519 or X448 key share and falls back to the NIST (secp256r1, secp384r1, secp521r1) and FFDHE groups. Append the two names to the existing value rather than replacing it, so the weak curves already disabled by default stay disabled, and confirm afterwards that every TLS peer the Gateway talks to (MySQL, New Relic, back-end services) accepts at least one of the remaining groups, since a server that only supports x25519 will now fail the handshake instead.
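The following script is an added example for this article, not code from Broadcom, New Relic or the Gateway. It parses Java property syntax (the format shared by the Gateway's JVM system properties and java.security, including the backslash-continued jdk.disabled.namedCurves entry) and reports whether a FIPS-enabled configuration would still attempt an X25519/X448 key share. The assumption that jdk.tls.namedGroups is read from a system-properties file and jdk.disabled.namedCurves from java.security, the JDK default group order used when jdk.tls.namedGroups is unset, and all sample property text are constructed for the example.

```python
"""Audit a Gateway JVM configuration for the FIPS + X25519/X448 conflict.

Added example; not Broadcom, New Relic or Gateway code.  Property file
locations, the JDK default group order and the samples are assumptions.
"""
import re

# Named groups the FIPS (CCJ) provider in the article cannot generate key pairs for.
UNSUPPORTED_CURVES = {"x25519", "x448"}

# Client-preferred order when jdk.tls.namedGroups is unset (assumed JDK 11+ default;
# x25519 is first, so it is the first key share the client tries to generate).
JDK_DEFAULT_GROUPS = ["x25519", "secp256r1", "secp384r1", "secp521r1", "x448",
                      "ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192"]

_KV = re.compile(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_java_properties(text):
    """Parse 'key=value' / 'key: value' text into a dict.

    Handles '#'/'!' comment lines, blank lines and trailing-backslash
    continuations, which covers system.properties and java.security syntax.
    """
    props = {}
    pending = None                      # logical line still being continued
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        elif not line.strip() or line.lstrip()[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    if pending is not None:             # file ended inside a continuation
        m = _KV.match(pending)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_list(value):
    """Split a comma-separated JDK list value (optionally quoted) into lower-case names."""
    return [v.strip().lower() for v in value.strip().strip('"').split(",") if v.strip()]


def audit_fips_curves(fips_enabled, system_props, security_props):
    """Return findings (strings) for the article's failure mode; [] means clean.

    fips_enabled   -- value of the cluster-wide property security.fips.enabled
    system_props   -- parsed JVM system properties (jdk.tls.namedGroups)
    security_props -- parsed java.security (jdk.disabled.namedCurves)
    """
    if not fips_enabled:
        return []                       # non-FIPS providers handle XDH; nothing to check
    findings = []
    offered = split_list(system_props.get("jdk.tls.namedGroups", "")) or list(JDK_DEFAULT_GROUPS)
    disabled = set(split_list(security_props.get("jdk.disabled.namedCurves", "")))
    # jdk.tls.disabledAlgorithms includes jdk.disabled.namedCurves, so a disabled
    # curve is dropped from the offered list whatever jdk.tls.namedGroups says.
    effective = [g for g in offered if g not in disabled]
    bad = [g for g in effective if g in UNSUPPORTED_CURVES]
    if bad:
        findings.append('TLS clients will try to generate key shares for %s, which the FIPS '
                        'provider cannot do ("Could not generate XDH keypair")' % ", ".join(bad))
    missing = sorted(UNSUPPORTED_CURVES - disabled)
    if missing:
        findings.append("jdk.disabled.namedCurves does not list %s; add them so every "
                        "SSLContext in the JVM stops offering them" % ", ".join(missing))
    return findings


# Constructed sample inputs (not taken from a real Gateway).
SAMPLE_SYSTEM_PROPS_WITH_XDH = """
# the list New Relic support suggested, x25519 first
jdk.tls.namedGroups="x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192"
"""

SAMPLE_JAVA_SECURITY_STOCK = r"""
# shortened stock-style entry: weak curves only, continued with backslashes
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
    secp224r1, secp256k1, sect113r1, sect113r2
"""

# The article's resolution: append x25519 and x448, keeping the existing entries.
SAMPLE_JAVA_SECURITY_FIXED = SAMPLE_JAVA_SECURITY_STOCK.rstrip() + ", \\\n    x25519, x448\n"


if __name__ == "__main__":
    sys_props = parse_java_properties(SAMPLE_SYSTEM_PROPS_WITH_XDH)
    for label, sec in (("stock java.security", SAMPLE_JAVA_SECURITY_STOCK),
                       ("java.security with x25519/x448 disabled", SAMPLE_JAVA_SECURITY_FIXED)):
        findings = audit_fips_curves(True, sys_props, parse_java_properties(sec))
        print("%s: %s" % (label, "OK" if not findings else ""))
        for f in findings:
            print("  - " + f)
```

Run it against the real files by reading them into parse_java_properties instead of the samples; the audit also flags a configuration with no jdk.tls.namedGroups at all, because the assumed JDK default order starts with x25519, which is why disabling the curves is the robust fix rather than editing the offered list alone.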