Note: This article applies only to Azul Zulu Builds of OpenJDK. It does not apply to Azul Zulu Prime Builds of OpenJDK, which do supply the sha256 digest that FIPS mode requires.
Problem:
If you're installing an Azul Zulu Build of OpenJDK rpm from a repo on a RHEL 8 system with FIPS mode enabled, you may get an error such as:
$ sudo yum install -y https://cdn.azul.com/zulu/bin/zulu-repo-1.0.0-1.noarch.rpm
[...]
package zulu-repo-1.0.0-1.noarch does not verify: no digest
$ sudo yum install zulu17-jre-headless
[...]
package zulu17-ca-jre-headless-17.0.3-1.x86_64 does not verify: no digest
package zulu17-jre-headless-17.0.3-1.x86_64 does not verify: no digest
This happens because the community Azul Zulu Builds of OpenJDK are built with a version of rpm that doesn't provide the sha256 digest that FIPS mode requires.
Workaround:
There are a couple of ways to work around this.
1. You can download the Zulu bundle(s) you need, then install them using "--nodigest":
$ sudo rpm -ivh --nodigest zulu17.34.19-ca-jre17.0.3-linux.x86_64.rpm
2. You can temporarily disable the digest check on package installations from repos by adding the line
%_pkgverify_level none
to the file /etc/rpm/macros.dist, then follow the instructions to install from the repo, and then remove the line from /etc/rpm/macros.dist.
Note that either workaround bypasses the FIPS digest verification, so it may not be desired or acceptable in your environment. In either case you also lose the benefit of the repos: future updates will fail unless you again use a method to temporarily work around the FIPS check for the package update.
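A scoped form of workaround 2, as an added example that is not Azul's own tooling: it appends the macro line, runs one command, and removes the line again whether that command succeeds, fails or is interrupted, so the override cannot be left behind. The function names are hypothetical; the macro line and file path are the ones given above.

```shell
#!/bin/sh
# Added example. Usage (as root), with the file and package named in this article:
#   with_override /etc/rpm/macros.dist yum install -y zulu17-jre-headless
MACRO_LINE='%_pkgverify_level none'

# Return 0 if the macros file still carries the digest-check override.
# Also usable on its own as an audit check for a leftover workaround.
override_present() {
    [ -f "$1" ] && grep -qxF "$MACRO_LINE" "$1"
}

# Remove only the exact override line and leave every other macro intact.
remove_override() {
    local file tmp
    file=$1
    override_present "$file" || return 0
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when nothing else is left in the file; that is not an error.
    grep -vxF "$MACRO_LINE" "$file" > "$tmp" || [ $? -eq 1 ] || return 1
    cat "$tmp" > "$file"    # rewrite in place: keeps owner, mode and SELinux label
    rm -f "$tmp"
}

# Add the override, run the given command, always remove the override again.
with_override() {
    local file rc
    file=$1; shift
    if override_present "$file"; then
        echo "override already present in $file; not touching it" >&2
        return 2
    fi
    printf '%s\n' "$MACRO_LINE" >> "$file" || return 1
    trap 'remove_override "$file"; exit 130' INT TERM
    rc=0
    "$@" || rc=$?
    trap - INT TERM
    remove_override "$file"
    return "$rc"
}
```

Running `override_present /etc/rpm/macros.dist` afterwards (exit status 1 means the line is gone) confirms that digest verification is back in force.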