Skip to content

[8.19] Ensure BCFKS based cacert truststore is used for cloud ess fips (#127716) #127737

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 6, 2025
Merged

[8.19] Ensure BCFKS based cacert truststore is used for cloud ess fips (#127716) #127737

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 26 additions & 14 deletions distribution/docker/src/docker/Dockerfile.ess-fips
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,15 +96,6 @@ COPY fips/resources/fips_java.policy /usr/share/elasticsearch/config/fips_java.p

WORKDIR /usr/share/elasticsearch/config

## Add fips specific JVM options
RUN cat <<EOF > /usr/share/elasticsearch/config/jvm.options.d/fips.options
-Djavax.net.ssl.keyStoreType=BCFKS
-Dorg.bouncycastle.fips.approved_only=true
-Djava.security.properties=config/fips_java.security
-Djava.security.policy=config/fips_java.policy
EOF


################################################################################
# Build stage 2 (the actual Elasticsearch image):
#
Expand Down Expand Up @@ -136,6 +127,10 @@ ENV ELASTIC_CONTAINER=true
WORKDIR /usr/share/elasticsearch

COPY --from=builder --chown=0:0 /usr/share/elasticsearch /usr/share/elasticsearch
COPY --from=builder --chown=0:0 /fips/libs/*.jar /usr/share/elasticsearch/lib/
COPY --from=builder --chown=0:0 /opt /opt

ENV ES_PLUGIN_ARCHIVE_DIR=/opt/plugins/archive
ENV PATH=/usr/share/elasticsearch/bin:\$PATH
ENV SHELL=/bin/bash
COPY ${bin_dir}/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
Expand All @@ -159,6 +154,28 @@ RUN chmod g=u /etc/passwd && \\

RUN ln -sf /etc/ssl/certs/java/cacerts /usr/share/elasticsearch/jdk/lib/security/cacerts

# Convert cacerts (PKCS12) to BCFKS format using POSIX-compatible shell syntax
RUN printf "\\n" | jdk/bin/keytool -importkeystore \
-srckeystore /usr/share/elasticsearch/jdk/lib/security/cacerts \
-srcstoretype PKCS12 \
-destkeystore config/cacerts.bcfks \
-deststorepass passwordcacert \
-deststoretype BCFKS \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath lib/bc-fips-1.0.2.5.jar \
-destprovidername BCFIPS


## Add fips specific JVM options
RUN cat <<EOF > /usr/share/elasticsearch/config/jvm.options.d/fips.options
-Djavax.net.ssl.keyStoreType=BCFKS
-Dorg.bouncycastle.fips.approved_only=true
-Djava.security.properties=config/fips_java.security
-Djava.security.policy=config/fips_java.policy
-Djavax.net.ssl.trustStore=config/cacerts.bcfks
-Djavax.net.ssl.trustStorePassword=passwordcacert
EOF

EXPOSE 9200 9300

LABEL org.label-schema.build-date="${build_date}" \\
Expand Down Expand Up @@ -196,11 +213,6 @@ CMD ["/app/elasticsearch.sh"]

USER 1000:0

COPY --from=builder --chown=0:0 /opt /opt
ENV ES_PLUGIN_ARCHIVE_DIR=/opt/plugins/archive
WORKDIR /usr/share/elasticsearch
COPY --from=builder --chown=0:0 /fips/libs/*.jar /usr/share/elasticsearch/lib/

################################################################################
# End of multi-stage Dockerfile
################################################################################