Fix Server Startup issues in FIPS compliant mode due to not having Bouncy Castle jars

[UdeshAthukorala]

Purpose

• Fix Server Startup issues in FIPS compliant mode due to not having Bouncy Castle jars

• Related Issue: Server start fails when FIPS mode is enabled product-is#27333

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

User stories

Summary of user stories addressed by this change>

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

• Unit tests

  Code coverage information

• Integration tests

  Details about the test cases and coverage

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no
• Ran FindSecurityBugs plugin and verified report? yes/no
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes/no

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 8ad5a36d-f06f-432c-8118-e2522e0fa2e4

📥 Commits

Reviewing files that changed from the base of the PR and between 1f32046 and b3d932b.

📒 Files selected for processing (1)

• parent/pom.xml

🚧 Files skipped from review as they are similar to previous changes (1)

• parent/pom.xml

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Downgraded several internal platform component versions to improve compatibility and stability.
  • Broadened support for the BouncyCastle cryptography library.
  • Made BouncyCastle package imports optional to increase deployment flexibility and reduce integration issues.

Walkthrough

The pull request downgrades 23 Equinox P2 component version properties in parent/pom.xml and adds resolution:=optional to the OSGi Import-Package entry for org.bouncycastle.* in core/org.wso2.carbon.core/pom.xml.

Changes

Cohort / File(s)	Summary
BouncyCastle Import Configuration core/org.wso2.carbon.core/pom.xml	Added resolution:=optional to the OSGi Import-Package directive for org.bouncycastle.* (kept existing version property).
Equinox P2 Version Properties parent/pom.xml	Downgraded 23 Equinox P2-related version properties (e.g., version.equinox.p2.artifact.repository, version.equinox.p2.core, version.equinox.p2.director, version.equinox.p2.engine, version.equinox.p2.metadata, version.equinox.p2.repository, version.equinox.p2.publisher, version.equinox.p2.transport.*, and others).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides only the Purpose and related issue link, leaving all other required template sections as unfilled placeholders, including Goals, Approach, and critical security checks.	Complete the PR description by filling in Goals, Approach (explaining the version downgrades and OSGi change), security checks confirmations, test environment details, and other relevant template sections.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly addresses the main change: fixing server startup issues in FIPS compliant mode related to missing Bouncy Castle jars, which aligns with the actual modifications to pom.xml files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/24026562857

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/org.wso2.carbon.core/pom.xml`:
- Around line 261-263: The pom import entries for Bouncy Castle are
inconsistent: locate every occurrence of the package import pattern
"org.bouncycastle.*" (and any bouncycastle wildcard entries like
"org.bouncycastle.jcajce.*") across the startup bundles' pom.xml files and
append ;resolution:=optional to each import entry so they match the fixed line
(e.g. change "org.bouncycastle.*; version=\"...\"" to include
";resolution:=optional"); ensure all startup bundle import lists (including the
ones reported around the other bundles) are updated consistently so no mandatory
BC imports remain.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4ced35c2-6e9c-42a0-82c7-088c7b29e74f

📥 Commits

Reviewing files that changed from the base of the PR and between 2f0962d and 1f32046.

📒 Files selected for processing (2)

• core/org.wso2.carbon.core/pom.xml
• parent/pom.xml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find remaining mandatory Bouncy Castle Import-Package entries.
fd -a pom.xml -x rg -nP -C2 'org\.bouncycastle(?:\.jcajce)?\.\*; version="\$\{imp\.pkg\.version\.bcp\}"(?!;\s*resolution:=optional)' {}

Repository: wso2/carbon-kernel

Length of output: 899

---

🏁 Script executed:

fd -a pom.xml -x rg -nP -C2 'org\.bouncycastle(?:\.jcajce)?\.\*; version="\$\{imp\.pkg\.version\.bcp\}"(?!;\s*resolution:=optional)' {}

Repository: wso2/carbon-kernel

Length of output: 899

---

Add resolution:=optional to remaining mandatory Bouncy Castle imports across all startup bundles.

The fix applied to line 262 of this file is incomplete. Mandatory org.bouncycastle.* imports without resolution:=optional remain in other bundles (lines 300 and 125 detected). Without propagating this fix, a runtime omitting classic BC bundles will still encounter OSGi wiring failures during startup.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/org.wso2.carbon.core/pom.xml` around lines 261 - 263, The pom import
entries for Bouncy Castle are inconsistent: locate every occurrence of the
package import pattern "org.bouncycastle.*" (and any bouncycastle wildcard
entries like "org.bouncycastle.jcajce.*") across the startup bundles' pom.xml
files and append ;resolution:=optional to each import entry so they match the
fixed line (e.g. change "org.bouncycastle.*; version=\"...\"" to include
";resolution:=optional"); ensure all startup bundle import lists (including the
ones reported around the other bundles) are updated consistently so no mandatory
BC imports remain.

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/24026562857
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/24026562857

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/24028159865

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/24028159865
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/24028159865

[UdeshAthukorala]

Executed Integration Tests Against Java25 as well and following are the results.

Manually run the action rekated flows which was failed during the test and those flows are working without any issue.