search cancel

CWP security.fips.enabled and load New Relic cause gateway throws Could not generate XDH keypair error

book

Article ID: 257470

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

We had an issue where CWP security.fips.enabled=true blocked connections using TLS to our MySQL database.  We got past that by adding the following system property:

jdk.tls.namedGroups=ecp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192

We also use New Relic, a 3rd party jar that provides system monitoring for us.  This jar gets loaded by a script in /opt/SecureSpan/Gateway/runtime/etc/profile.d/ :

if [ ! -e "/opt/cms/newrelic-java/newrelic.jar" ] ; then
    echo "Newrelic java agent not found. Starting system within New Relic Java Agent."
else
    if [ ! -e "/opt/cms/apps/cmdb/api_gateway/newrelic.yml" ]; then
        echo "No configuration file for newrelic java agent."
    else
        export NODE_OPTS="${NODE_OPTS} -javaagent:/opt/cms/newrelic-java/newrelic.jar -Dnewrelic.config.file=/opt/cms/apps/cmdb/api_gateway/newrelic.yml"
    fi
fi

 

When security.fips.enabled=false, New Relic loads and works fine.  When security.fips.enabled=true, it also fails to connect to the New Relic system with the similar "Could not generate XDH keypair:

2023-01-04T10:29:53,236-0500 [2437 128] com.newrelic INFO: Remote preconnect call failed : javax.net.ssl.SSLException: Could not generate XDH keypair.
2023-01-04T10:29:53,236-0500 [2437 128] com.newrelic.agent.rpm.RPMConnectionServiceImpl INFO: Failed to connect to gov-collector.newrelic.com:443 for fmedgemgmt_devdo_pz_apigw: javax.net.ssl.SSLException: Could not generate XDH keypair

 

New Relic support requested we add the following EC Groups to the same system property:

x25519 and x448

jdk.tls.namedGroups="x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192"

This did not help, and we still see blocked connections to MySQL when we load the New Relic jar:

2023-01-04T10:30:44.532-0500 WARN    182 org.hibernate.engine.jdbc.spi.SqlExceptionHelper: SQL Error: 0, SQLState: null
2023-01-04T10:30:44.535-0500 ERROR   182 org.hibernate.engine.jdbc.spi.SqlExceptionHelper: Connections could not be acquired from the underlying database!

 

Environment

Release : 10.1

Cause

Can not add x25519, x448 in jdk.tls.namedGroups.  The CCJ library included in Gateway version 10.1 CR2 does not fully support curve25519 and curve448 algorithms. These algorithms will therefore not be available for TLS connections when FIPS is enabled.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/release-notes/new-features-and-enhancements.html

Resolution

Added x25519 and x448 in java.security jdk.disabled.namedCurves list, it resolved the issue.