aws-observability/aws-otel-java-instrumentation

Java autoinstrumentation does not support PKIX algorithm

cyc0l4b opened this issue · 2 comments

Describe the bug
Apparently, Java auto-instrumentation does not support the PKIX algorithm used as the trusted manager factory when using the configuration below for a FIPS-compliant Java application.

Security.setProperty("ssl.KeyManagerFactory.algorithm","PKIX");
Security.setProperty("ssl.TrustManagerFactory.algorithm","PKIX");
Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);

Steps to reproduce
Auto-instrument a Java application with this configuration:

Security.setProperty("ssl.KeyManagerFactory.algorithm","PKIX");
Security.setProperty("ssl.TrustManagerFactory.algorithm","PKIX");
Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);

Overwrite the Java options with your certs:
-Djavax.net.ssl.trustStore=/etc/templated/cacerts.bcfks
-Djavax.net.ssl.trustStorePassword=changeit

What did you expect to see?
Auto instrumentation working successfully.

What did you see instead?
We got the error below:

[otel.javaagent 2024-04-01 18:21:57:418 +0000] [main] INFO io.opentelemetry.javaagent.tooling.VersionLogger - opentelemetry-javaagent - version: 1.32.1-aws
OpenTelemetry Javaagent failed to start
java.lang.ExceptionInInitializerError
	at io.opentelemetry.contrib.aws.resource.Ec2ResourceProvider.createResource(Ec2ResourceProvider.java:16)
	at io.opentelemetry.sdk.autoconfigure.ResourceConfiguration.configureResource(ResourceConfiguration.java:106)
	at io.opentelemetry.sdk.autoconfigure.AutoConfiguredOpenTelemetrySdkBuilder.build(AutoConfiguredOpenTelemetrySdkBuilder.java:395)
	at io.opentelemetry.javaagent.tooling.OpenTelemetryInstaller.installOpenTelemetrySdk(OpenTelemetryInstaller.java:34)
	at io.opentelemetry.javaagent.tooling.AgentInstaller.installBytebuddyAgent(AgentInstaller.java:123)
	at io.opentelemetry.javaagent.tooling.AgentInstaller.installBytebuddyAgent(AgentInstaller.java:103)
	at io.opentelemetry.javaagent.tooling.AgentStarterImpl.start(AgentStarterImpl.java:98)
	at io.opentelemetry.javaagent.bootstrap.AgentInitializer$1.run(AgentInitializer.java:53)
	at io.opentelemetry.javaagent.bootstrap.AgentInitializer$1.run(AgentInitializer.java:47)
	at io.opentelemetry.javaagent.bootstrap.AgentInitializer.execute(AgentInitializer.java:64)
	at io.opentelemetry.javaagent.bootstrap.AgentInitializer.initialize(AgentInitializer.java:46)
	at io.opentelemetry.javaagent.OpenTelemetryAgent.startAgent(OpenTelemetryAgent.java:57)
	at io.opentelemetry.javaagent.OpenTelemetryAgent.agentmain(OpenTelemetryAgent.java:49)
	at software.amazon.opentelemetry.javaagent.bootstrap.AwsAgentBootstrap.agentmain(AwsAgentBootstrap.java:28)
	at software.amazon.opentelemetry.javaagent.bootstrap.AwsAgentBootstrap.premain(AwsAgentBootstrap.java:24)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(Unknown Source)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(Unknown Source)
Caused by: java.security.NoSuchAlgorithmException: PKIX TrustManagerFactory not available
	at java.base/sun.security.jca.GetInstance.getInstance(Unknown Source)
	at java.base/javax.net.ssl.TrustManagerFactory.getInstance(Unknown Source)
	at okhttp3.internal.platform.Platform.platformTrustManager(Platform.kt:78)
	at okhttp3.OkHttpClient.<init>(OkHttpClient.kt:237)
	at okhttp3.OkHttpClient$Builder.build(OkHttpClient.kt:1069)
	at io.opentelemetry.contrib.aws.resource.SimpleHttpClient.fetchString(SimpleHttpClient.java:58)
	at io.opentelemetry.contrib.aws.resource.Ec2Resource.fetchString(Ec2Resource.java:151)
	at io.opentelemetry.contrib.aws.resource.Ec2Resource.fetchToken(Ec2Resource.java:128)
	at io.opentelemetry.contrib.aws.resource.Ec2Resource.buildResource(Ec2Resource.java:68)
	at io.opentelemetry.contrib.aws.resource.Ec2Resource.buildResource(Ec2Resource.java:49)
	at io.opentelemetry.contrib.aws.resource.Ec2Resource.<clinit>(Ec2Resource.java:35)
	... 21 more

Additional context
N/A
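A diagnostic for the `NoSuchAlgorithmException: PKIX TrustManagerFactory not available` failure reported above, added here as an example; it is not code from the issue's author or from the aws-otel-java-instrumentation project. The class name `JsseAlgorithmCheck` is hypothetical and only JDK APIs are used.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic (hypothetical class name); uses JDK APIs only.
public class JsseAlgorithmCheck {

    // Names of registered providers, in preference order, that advertise type/algorithm.
    static List<String> providersFor(String type, String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Defaults are read from the ssl.TrustManagerFactory.algorithm and
        // ssl.KeyManagerFactory.algorithm security properties.
        String tmfAlg = TrustManagerFactory.getDefaultAlgorithm();
        String kmfAlg = KeyManagerFactory.getDefaultAlgorithm();

        System.out.println("Registered providers (preference order):");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }
        System.out.println("TrustManagerFactory." + tmfAlg + " advertised by "
                + providersFor("TrustManagerFactory", tmfAlg));
        System.out.println("KeyManagerFactory." + kmfAlg + " advertised by "
                + providersFor("KeyManagerFactory", kmfAlg));

        try {
            // Same lookup that fails in the trace: TrustManagerFactory.getInstance.
            // A provider can advertise the service and still fail to load its class,
            // so the real lookup is attempted as well.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlg);
            System.out.println("Resolved by provider: " + tmf.getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Lookup failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

The trace shows the lookup running inside the agent's `premain`, so run this with the same JVM options, security configuration and classpath as the failing process to see which providers are registered at that point.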

This issue is stale because it has been open 90 days with no activity. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

This issue was closed because it has been marked as stale for 30 days with no activity.