From 5836dd3b39ff5cdde7a5fe74b77928456b1aaf1c Mon Sep 17 00:00:00 2001
From: Rene Groeschke
Date: Fri, 13 Jun 2025 17:01:11 +0200
Subject: [PATCH] [Fips] Explicitly set trustStoreType to BCFKS in FIPS docker image (#129385)

We see an certificate issue when using fips docker image creating searchable snapshots in aws and gcs. This is likely related to a configuration issue not explicitly setting the trust store type for our bcfks cacerts
---
 .../docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile b/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile
index 66bc9198d68d..75acc7f59c7a 100644
--- a/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile
+++ b/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile
@@ -172,8 +172,10 @@ RUN cat < /usr/share/elasticsearch/config/jvm.options.d/fips.options
 -Dorg.bouncycastle.fips.approved_only=true
 -Djava.security.properties=config/fips_java.security
 -Djava.security.policy=config/fips_java.policy
+-Djavax.net.ssl.trustStoreType=BCFKS
 -Djavax.net.ssl.trustStore=config/cacerts.bcfks
 -Djavax.net.ssl.trustStorePassword=passwordcacert
+
 EOF
 
 EXPOSE 9200 9300
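Review bot: The added `-Djavax.net.ssl.trustStoreType=BCFKS` line only governs the default JSSE trust manager; code that opens a store through `KeyStore.getDefaultType()` follows the `keystore.type` security property instead, so it is worth confirming that `config/fips_java.security` (not visible in this hunk) sets `keystore.type=BCFKS`, given that the commit message itself calls the cause only "likely". A short comment above the `RUN` instruction would record the reason, for example `# cacerts.bcfks is in BCFKS format, so the trust store type is set explicitly rather than left to the JVM default`. The second added line is an empty line just before `EOF`, which becomes a trailing blank line in `fips.options` and can be dropped. The heredoc starts above the hunk, so its `RUN` line is visible only in the hunk header.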