pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
From: amasson88 (@amasson88) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: [pgjdbc/pgjdbc] issue #4191: Postgres driver temp CA truststore fails in FIPS
Date: Tue, 16 Jun 2026 14:55:59 +0000
Message-ID: <[email protected]>
**Describe the issue**
In FIPS mode (for example Semeru FIPS 104-3), by default the Postgres JDBC driver fails to import a custom CA because of the temporary "jks" keystore.
**Driver Version?**
42.7.11
**Java Version?**
Eclipse OpenJ9 VM 21.0.11.0 (Semeru)
**OS Version?**
MacOS / Linux
**PostgreSQL Version?**
17.10
**To Reproduce**
Connect to a Postgres DB with a custom CA, using Semeru FIPS mode
```
java -Dsemeru.fips=true \
-Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3 \
....
```
Pass a custom CA with the `sslrootcert` param
**Expected behaviour**
Connection to the DB works as in non-FIPS mode.
Could some other way to handle the custom CA import be used?
**Logs**
```
java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.sql.SQLException: Could not find a java cryptographic algorithm: jks KeyStore not available. DSRA0010E: SQL State = 08006, Error Code = 0
at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:215)
at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:61)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:37)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:711)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:280)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:365)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:52)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:290)
at org.postgresql.Driver.makeConnection(Driver.java:448)
at org.postgresql.Driver.connect(Driver.java:298)
at ...
Caused by: java.security.NoSuchAlgorithmException: jks KeyStore not available
at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:161)
... 149 more
```
https://github.com/pgjdbc/pgjdbc/blob/master/pgjdbc/src/main/java/org/postgresql/ssl/LibPQFactory.ja...
```java
KeyStore ks;
try {
  ks = KeyStore.getInstance("jks");
} catch (KeyStoreException e) {
  // this should never happen
  throw new NoSuchAlgorithmException("jks KeyStore not available");
}
```
Workaround: allow jks usage for this specific case in the FIPS profile, since it's only an in-memory truststore.
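
An added example, not pgjdbc's code: one way to build the in-memory truststore for an `sslrootcert` PEM file without hardcoding a keystore type, by asking the JVM for its configured default type and falling back to PKCS12. The class and method names are hypothetical, and whether either type is offered under a given FIPS profile is an assumption to verify on that JVM.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added illustration, not pgjdbc code. Class and method names are hypothetical.
public class InMemoryTrustStore {
  // Try the JVM's configured keystore type first, then PKCS12, instead of
  // hardcoding "jks", which a FIPS-restricted provider list may not offer.
  static KeyStore newEmptyKeyStore() throws Exception {
    for (String type : new String[] {KeyStore.getDefaultType(), "PKCS12"}) {
      try {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // in-memory only, nothing read from or written to disk
        return ks;
      } catch (KeyStoreException e) {
        // no registered provider offers this type, try the next one
      }
    }
    throw new KeyStoreException("No usable KeyStore type (tried default and PKCS12)");
  }

  // Trust only the CA certificates found in the PEM file (the sslrootcert role).
  static SSLContext contextFor(String pemPath) throws Exception {
    KeyStore ks = newEmptyKeyStore();
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
      int i = 0;
      for (Certificate c : cf.generateCertificates(in)) {
        ks.setCertificateEntry("ca" + i++, c);
      }
    }
    // Fail early rather than hand the TLS layer a truststore with no anchors.
    if (ks.size() == 0) throw new KeyStoreException("No CA certificate in " + pemPath);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    System.out.println("keystore type: " + newEmptyKeyStore().getType());
    if (args.length > 0) System.out.println("protocol: " + contextFor(args[0]).getProtocol());
  }
}
```

Run with no arguments, it prints which keystore type the active provider list accepted; pass a PEM file path to also build the TLS context from it.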