Message-ID:
From: "amasson88 (@amasson88)"
To: "pgjdbc/pgjdbc"
Date: Tue, 16 Jun 2026 14:55:59 +0000
Subject: [pgjdbc/pgjdbc] issue #4191: Postgres driver temp CA truststore fails in FIPS
List-Id:
X-GitHub-Author-Id: 8558430
X-GitHub-Author-Login: amasson88
X-GitHub-Issue: 4191
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-State: closed
X-GitHub-Type: issue
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/issues/4191
Content-Type: text/plain; charset=utf-8

**Describe the issue**

In FIPS mode (for example Semeru FIPS 104-3), by default postgres jdbc driver fails to import custom CA because of the temporary "jks" keystore.

**Driver Version?**

42.7.11

**Java Version?**

Eclipse OpenJ9 VM 21.0.11.0 (Semeru)

**OS Version?**

MacOS / Linux

**PostgreSQL Version?**

17.10

**To Reproduce**

Connect to a postgres DB with custom CA, using Semeru FIPS mode

```
java -Dsemeru.fips=true \
  -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3 \
  ....
```

pass a custom CA with `sslrootcert` param

**Expected behaviour**

Connection to DB works like in non-FIPS, some other way to handle the custom CA import could be used?

**Logs**

```
java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.sql.SQLException: Could not find a java cryptographic algorithm: jks KeyStore not available.
DSRA0010E: SQL State = 08006, Error Code = 0
    at org.postgresql.ssl.LibPQFactory.(LibPQFactory.java:215)
    at org.postgresql.core.SocketFactoryFactory.getSslSocketFactory(SocketFactoryFactory.java:61)
    at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:37)
    at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:711)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:280)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:365)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:52)
    at org.postgresql.jdbc.PgConnection.(PgConnection.java:290)
    at org.postgresql.Driver.makeConnection(Driver.java:448)
    at org.postgresql.Driver.connect(Driver.java:298)
    at ...
Caused by: java.security.NoSuchAlgorithmException: jks KeyStore not available
    at org.postgresql.ssl.LibPQFactory.(LibPQFactory.java:161)
    ... 149 more
```

https://github.com/pgjdbc/pgjdbc/blob/master/pgjdbc/src/main/java/org/postgresql/ssl/LibPQFactory.java#L158

```java
KeyStore ks;
try {
  ks = KeyStore.getInstance("jks");
} catch (KeyStoreException e) {
  // this should never happen
  throw new NoSuchAlgorithmException("jks KeyStore not available");
}
```

Workaround: allow jks usage for this specific case in FIPS profile, since it's only in memory truststore
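
An added example, not part of the issue and not pgjdbc's code: one way to build the in-memory truststore for a custom CA without hard-coding the "jks" type, by trying the runtime's default keystore type first and falling back. The class name `CaTrustStore`, the candidate order, and the assumption that the active FIPS profile offers at least one of these types are illustrative.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public final class CaTrustStore { // hypothetical class name
    // Candidate types tried in order; availability depends on the active provider profile.
    private static final List<String> TYPES = List.of(KeyStore.getDefaultType(), "PKCS12", "JKS");

    // Returns an empty in-memory keystore of the first type the runtime provides.
    static KeyStore emptyStore() throws GeneralSecurityException, IOException {
        for (String type : TYPES) {
            try {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(null, null); // initialise empty, nothing touches disk
                return ks;
            } catch (KeyStoreException e) {
                // type not offered by any installed provider, try the next one
            }
        }
        throw new KeyStoreException("no usable KeyStore type among " + TYPES);
    }

    // Loads every certificate in the PEM file and returns trust managers that trust only those.
    static TrustManager[] trustManagersFor(Path caPem) throws GeneralSecurityException, IOException {
        KeyStore ks = emptyStore();
        try (InputStream in = Files.newInputStream(caPem)) {
            int i = 0;
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + i++, c);
            }
        }
        if (ks.size() == 0) throw new KeyStoreException("no certificates found in " + caPem);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(trustManagersFor(Path.of(args[0])).length + " trust manager(s) built");
    }
}
```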