diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index d380f0baa8..23e12f567e 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -37,7 +37,6 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -65,7 +64,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.util.encoders.Hex;
 import org.opensearch.OpenSearchException;
@@ -429,8 +427,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
 demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
- tryAddSecurityProvider();
-
 final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
 if (settings.hasValue(advancedModulesEnabledKey)) {
 deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
@@ -2460,17 +2456,6 @@ public Optional getSecureSettingFactory(Settings settings
 );
 }
- @SuppressWarnings("removal")
- private void tryAddSecurityProvider() {
- AccessController.doPrivileged((PrivilegedAction) () -> {
- if (Security.getProvider("BCFIPS") == null) {
- Security.addProvider(new BouncyCastleFipsProvider());
- log.debug("Bouncy Castle FIPS Provider added");
- }
- return null;
- });
- }
-
 // CS-SUPPRESS-SINGLE: RegexpSingleline get Resource Sharing Extensions
 @Override
 public void loadExtensions(ExtensionLoader loader) {
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 003f8d7198..89e8003ed1 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -20,6 +20,7 @@
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -34,6 +35,7 @@
 import com.fasterxml.jackson.databind.InjectableValues;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.opensearch.OpenSearchException;
 import org.opensearch.SpecialPermission;
@@ -256,6 +258,8 @@ public Object run() {
 log.error("SSL not activated for http and/or transport.");
 }
+ tryAddSecurityProvider();
+
 this.sslSettingsManager = new SslSettingsManager(new Environment(settings, configPath));
 }
@@ -772,4 +776,15 @@ protected Settings migrateSettings(Settings settings) {
 public ThreadPool getThreadPool() {
 return this.threadPool;
 }
+
+ @SuppressWarnings("removal")
+ private void tryAddSecurityProvider() {
+ AccessController.doPrivileged((PrivilegedAction) () -> {
+ if (Security.getProvider("BCFIPS") == null) {
+ Security.addProvider(new BouncyCastleFipsProvider());
+ log.debug("Bouncy Castle FIPS Provider added");
+ }
+ return null;
+ });
+ }
 }
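Review bot: The new `tryAddSecurityProvider();` call in the constructor hunk (`@@ -256,6 +258,8 @@`) carries no comment explaining why it sits directly ahead of `new SslSettingsManager(...)`, so a later reorder could move provider registration behind the code that depends on it without anyone noticing. I would add `// Register BCFIPS before SslSettingsManager is constructed; keep this ahead of any code that requests crypto from the provider.` above the call. The constructor begins outside this hunk, so it cannot be confirmed from the lines shown whether an earlier branch returns before this point or already needs the provider; that is worth checking before merge.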
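Review bot: `Security.addProvider(new BouncyCastleFipsProvider())` in the added `tryAddSecurityProvider()` (`@@ -772,4 +776,15 @@`) appends the provider at the end of the JCA provider list and discards the returned position, so any algorithm lookup that does not name `BCFIPS` explicitly still resolves to a provider listed earlier. If lowest preference is intended, state it in a Javadoc on the method, together with the fact that registration is JVM-wide and guarded by the `getProvider("BCFIPS") == null` check; if BCFIPS is meant to be preferred, `Security.insertProviderAt(new BouncyCastleFipsProvider(), 1)` is the call that expresses that. Keeping the return value, e.g. `final int pos = Security.addProvider(new BouncyCastleFipsProvider());` followed by `log.debug("Bouncy Castle FIPS Provider added at position {}", pos);`, would also give operators something concrete to verify when auditing the node's crypto configuration.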