I am running Confluent Platform version 7.1.0, and my Kafka connector requires the Bouncy Castle FIPS library to be present in the plugin path so that it can decrypt the encrypted private key.

The BouncyCastleFipsProvider is needed at runtime to generate a PrivateKey from encryptedPrivateKey.

I get the error below:

Caused by: java.lang.NoSuchMethodError: org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode()Z
        at org.bouncycastle.jcajce.provider.ProvSecureHash$MD5.configure(Unknown Source)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.<init>(Unknown Source)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.<init>(Unknown Source)
        at org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.<init>(Unknown Source)
        at com.snowflake.kafka.connector.internal.EncryptionUtils.parseEncryptedPrivateKey(EncryptionUtils.java:30)

This works fine for Confluent 5.5.0, but somehow doesn't work with Confluent 6.2.0 or 7.1.0.

I have made sure the FIPS library is present in /usr/local/share/kafka/plugins as well as:

ls confluent-7.1.0/share/java/kafka/ | grep fips
bc-fips-1.0.2.1.jar
bcpkix-fips-1.0.3.jar

I fail to understand what the root cause could be. When Kafka Connect starts, I see it is loading both the JARs from the plugin path. I found this answer, but it doesn't apply in this case. The function is present in bc-fips-1.0.2.1.jar.

OneCricketeer
JayPatel

1 Answer

The FIPS library is not a "Connect plugin", so despite it "seeing" the JAR, nothing will "load" from it.

You'll need to explicitly set the CLASSPATH=confluent-7.1.0/share/java/kafka/*.jar environment variable for the JVM to load all the classes from those JARs.

You will also want to use jar tf to actually check the content of those JARs for the class in the error.

OneCricketeer
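
One way to carry out the JAR check suggested in the answer, as an added example (not code from the question, the answer, or the connector project): it lists every JAR under the given directories that ships the class named in the stack trace and flags copies whose bytes never mention the missing method. The function names and the sample JARs are constructed for illustration; the byte search is a heuristic, not a full class-file parse.

```python
import tempfile
import zipfile
from pathlib import Path

CLASS_NAME = "org.bouncycastle.crypto.CryptoServicesRegistrar"  # from the stack trace
METHOD_NAME = "isInApprovedOnlyMode"                            # from the stack trace


def find_class_providers(directories, class_name=CLASS_NAME, method_name=METHOD_NAME):
    """Return [(jar_path, mentions_method)] for every JAR that ships class_name.

    Method names are stored as UTF-8 constants in a .class file, so a byte
    search is a quick heuristic for "does this copy know the method at all".
    """
    entry = class_name.replace(".", "/") + ".class"
    needle = method_name.encode("utf-8")
    hits = []
    for directory in directories:
        for jar in sorted(Path(directory).rglob("*.jar")):
            try:
                with zipfile.ZipFile(jar) as zf:
                    if entry in zf.namelist():
                        hits.append((str(jar), needle in zf.read(entry)))
            except zipfile.BadZipFile:
                continue  # skip truncated or non-ZIP files named *.jar
    return hits


def build_sample_dir(root):
    """Constructed sample: fake JARs with placeholder bytes, not real class files."""
    entry = CLASS_NAME.replace(".", "/") + ".class"
    samples = {
        "sample-with-method.jar": {entry: b"\xca\xfe\xba\xbe..isInApprovedOnlyMode.."},
        "sample-without-method.jar": {entry: b"\xca\xfe\xba\xbe..someOtherMethod.."},
        "sample-unrelated.jar": {"com/example/Other.class": b"\xca\xfe\xba\xbe"},
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(Path(root) / name, "w") as zf:
            for path, data in entries.items():
                zf.writestr(path, data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for jar, ok in find_class_providers([build_sample_dir(tmp)]):
            print(f"{'OK     ' if ok else 'MISSING'} {jar}")
```

More than one hit means several JARs ship the same class and the JVM uses whichever copy it loads first; a copy flagged MISSING is one that would produce the NoSuchMethodError shown in the question.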