RE: [External] RE: Java 9+ and custom JCE/JSSE providers
Hello Cris, The system property can take an URL. java.security.properties=. However, my quick testing suggests the protocol (file:/ ) isn't needed. Also, perhaps worth reading the effects of "=" and "==" while using this property. https://bugs.openjdk.org/browse/JDK-7133344 https://github.com/frohoff/jdk8u-dev-jdk/blob/master/src/share/lib/security/java.security-linux Thanks, Amit -Original Message- From: Berneburg, Cris J. - US Sent: Thursday, November 2, 2023 3:41 PM To: Tomcat Users List Subject: [External] RE: Java 9+ and custom JCE/JSSE providers CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. If you believe this is a phishing email, use the Report to Cybersecurity icon in Outlook. Amit > -Djava.security.properties=file:/path/to/java_security_properties_file That "file:" prefix looks like Spring syntax. Is the prefix needed on the JVM command line? -- Cris Berneburg CACI Senior Software Engineer -Original Message- From: Amit Pande Sent: Tuesday, October 31, 2023 10:23 AM To: Tomcat Users List Subject: Java 9+ and custom JCE/JSSE providers EXTERNAL EMAIL - This email originated from outside of CACI. Do not click any links or attachments unless you recognize and trust the sender. Hello, I am in the process of updating https://github.com/amitlpande/tomcat-9-fips page for version later than Java 8. Ran into an issue: 1. Was looking the configure the additional bouncy castle providers in the Java install itself by: * Modifying the java.security file to add providers. * Place the jars in the Java'e lib/ext directory. 2. However, from Java 9+, the lib/ext directory is no longer present (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B) 3. The alternate I attempted was to place the additional provider jars in Tomcat's lib directory. 4. Create a java security properties file with: security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=sun.security.provider.Sun ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX 1. Launch Tomcat with JVM option -Djava.security.properties=file:/path/to/java_security_properties_file 2. However, I noticed that these BC providers weren't getting loaded. I see a comment from Chris here - https://www.mail-archive.com/users@tomcat.apache.org/msg137824.html "I don't see any place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the administrator in some way." Not sure if it's relevant here. But wanted to know if there is any way to configure Tomcat for Java 9+ with custom JSSE/JCE providers (with just config change) ? Maybe I missed something? Also, FWIW, I was able get the FIPS configuration for Java 11, 17 with Tomcat 9, by registering a custom listener and adding providers there. Will soon update the https://github.com/amitlpande/tomcat-9-fips for detailed steps. Thanks, Amit This electronic message contains information from CACI International Inc or subsidiary companies, which may be company sensitive, proprietary, privileged or otherwise protected from disclosure. The information is intended to be used solely by the recipient(s) named above. If you are not an intended recipient, be aware that any review, disclosure, copying, distribution or use of this transmission or its contents is prohibited. If you have received this transmission in error, please notify the sender immediately. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [External] Re: Java 9+ and custom JCE/JSSE providers
Setting CLASSPATH worked perfectly! Thank you so much Mark! Thanks, Amit -Original Message- From: Mark Thomas Sent: Tuesday, October 31, 2023 2:47 PM To: users@tomcat.apache.org Subject: [External] Re: Java 9+ and custom JCE/JSSE providers CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. If you believe this is a phishing email, use the Report to Cybersecurity icon in Outlook. On 31/10/2023 14:22, Amit Pande wrote: > Hello, > > I am in the process of updating https://github.com/amitlpande/tomcat-9-fips > page for version later than Java 8. > > Ran into an issue: > > >1. Was looking the configure the additional bouncy castle providers in > the Java install itself by: > * Modifying the java.security file to add providers. > * Place the jars in the Java'e lib/ext directory. >2. However, from Java 9+, the lib/ext directory is no longer present > (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B) >3. The alternate I attempted was to place the additional provider jars in > Tomcat's lib directory. >4. Create a java security properties file with: > > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > > security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider > fips:BCFIPS > security.provider.3=sun.security.provider.Sun > ssl.KeyManagerFactory.algorithm=PKIX > ssl.TrustManagerFactory.algorithm=PKIX > >1. Launch Tomcat with JVM option > -Djava.security.properties=file:/path/to/java_security_properties_file >2. However, I noticed that these BC providers weren't getting loaded. You'll also need to add the JARS containing the providers to the class path so the JRE can load them. You should be able to do that (and set java.security.properties) in setenv.sh|bat Mark > > > > > > > I see a comment from Chris here - > https://www/. > mail-archive.com%2Fusers%40tomcat.apache.org%2Fmsg137824.html=05% > 7C01%7CAmit.Pande%40veritas.com%7C4bcc30de9820433b280308dbda4a443a%7Cf > c8e13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638343784744378375%7CUnknown > %7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ > XVCI6Mn0%3D%7C3000%7C%7C%7C=SgG9b6ilBMEGwV5nedIdX9XcXXDGHqbyQmva > 14m8xwI%3D=0 "I don't see any place in Tomcat to specify the > JSSE provider. Perhaps we should expose that to the administrator in some > way." > > Not sure if it's relevant here. > > But wanted to know if there is any way to configure Tomcat for Java 9+ with > custom JSSE/JCE providers (with just config change) ? Maybe I missed > something? > > Also, FWIW, I was able get the FIPS configuration for Java 11, 17 with Tomcat > 9, by registering a custom listener and adding providers there. Will soon > update the https://github.com/amitlpande/tomcat-9-fips for detailed steps. > > Thanks, > Amit > > > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [External] Re: Java 9+ and custom JCE/JSSE providers
Adding the provider jars to CLASSPATH solved the issue. Thank you so much Mark for your quick feedback. Thanks, Amit -Original Message- From: Mark Thomas Sent: Tuesday, October 31, 2023 2:47 PM To: users@tomcat.apache.org Subject: [External] Re: Java 9+ and custom JCE/JSSE providers CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. If you believe this is a phishing email, use the Report to Cybersecurity icon in Outlook. On 31/10/2023 14:22, Amit Pande wrote: > Hello, > > I am in the process of updating https://github.com/amitlpande/tomcat-9-fips > page for version later than Java 8. > > Ran into an issue: > > >1. Was looking the configure the additional bouncy castle providers in > the Java install itself by: > * Modifying the java.security file to add providers. > * Place the jars in the Java'e lib/ext directory. >2. However, from Java 9+, the lib/ext directory is no longer present > (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B) >3. The alternate I attempted was to place the additional provider jars in > Tomcat's lib directory. >4. Create a java security properties file with: > > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider > > security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider > fips:BCFIPS > security.provider.3=sun.security.provider.Sun > ssl.KeyManagerFactory.algorithm=PKIX > ssl.TrustManagerFactory.algorithm=PKIX > >1. Launch Tomcat with JVM option > -Djava.security.properties=file:/path/to/java_security_properties_file >2. However, I noticed that these BC providers weren't getting loaded. You'll also need to add the JARS containing the providers to the class path so the JRE can load them. You should be able to do that (and set java.security.properties) in setenv.sh|bat Mark > > > > > > > I see a comment from Chris here - > https://www/. > mail-archive.com%2Fusers%40tomcat.apache.org%2Fmsg137824.html=05% > 7C01%7CAmit.Pande%40veritas.com%7C4bcc30de9820433b280308dbda4a443a%7Cf > c8e13c0422c4c55b3eaca318e6cac32%7C0%7C0%7C638343784744378375%7CUnknown > %7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJ > XVCI6Mn0%3D%7C3000%7C%7C%7C=SgG9b6ilBMEGwV5nedIdX9XcXXDGHqbyQmva > 14m8xwI%3D=0 "I don't see any place in Tomcat to specify the > JSSE provider. Perhaps we should expose that to the administrator in some > way." > > Not sure if it's relevant here. > > But wanted to know if there is any way to configure Tomcat for Java 9+ with > custom JSSE/JCE providers (with just config change) ? Maybe I missed > something? > > Also, FWIW, I was able get the FIPS configuration for Java 11, 17 with Tomcat > 9, by registering a custom listener and adding providers there. Will soon > update the https://github.com/amitlpande/tomcat-9-fips for detailed steps. > > Thanks, > Amit > > > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
