Re: Tomcat 9 and FIPS-140 mode

2021-05-24 Thread Robert Hicks
Follow on question as we are in the weeds on this now.

OpenSSL is in FIPS mode. The JDK is in FIPS mode. I think Tomcat is as the
Listener has SSLEngine="on" and FIPSMODE="on" but I am still getting the
following errors:

failed to set property [FIPSMODE] to [on]

In reading around, does the connector for the Http11AprProtocol need to be
configured as well? It is currently commented out but the section on
"configure the server.xml" here leads me to believe it needs to be:

https://stackoverflow.com/questions/34022646/how-to-make-tomcat-fips-mode-enabling

--
Bob


On Mon, Aug 24, 2020 at 2:49 PM Robert Hicks  wrote:

>
>
> On Mon, Aug 24, 2020 at 12:48 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Robert,
>>
>> On 8/24/20 11:04, Robert Hicks wrote:
>> > Maybe it's just better to straight up ask. I've found a couple of
>> > Google searches but nothing for Tomcat 9 and the information seems
>> > sporadic, incomplete, or contradictory.
>> >
>> > How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?
>>
>> The Sun/Oracle-provided crypto providers should already be FIPS-140
>> certified, as long as you use them in the proper configuration.
>>
>> There is nothing Tomcat-specific about enabling FIPS for the SunJCE
>> provider because it needs to be done at the JRE-level.
>>
>> This document is WebLogic-centric, but it shows how to enable FIPS-140
>> mode for the whole JVM and therefore isn't WebLogic-specific, either:
>>
>> https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm
>>
>> Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when
>> that module is in use, but we don't do anything about the built-in
>> providers. Given the information in that document above, it looks like
>> it's possible to trigger a test to determine whether FIPS is indeed
>> active; perhaps Tomcat could initiate such a test as a sanity-check if
>> FIPS-mode is "required" (through some as-yet-determined configuration
>> option).
>>
>> - -chris
>> -BEGIN PGP SIGNATURE-
>> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>>
>> -END PGP SIGNATURE-
>>
>
> Thanks Chris!
>
> Bob
>
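
A server.xml excerpt for the APR/OpenSSL path asked about above, added here as an example (it is not from the thread or from the Tomcat distribution; the port, certificate paths and cipher list are placeholders). The attribute the Tomcat 9 listener documentation defines is `FIPSMode`, and Tomcat matches XML attributes to setter names case-sensitively, so the spelling matters:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Tomcat 9 server.xml excerpt (added example); only the FIPS-relevant
     elements are shown, everything else is the stock layout. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Loads tcnative/OpenSSL at startup. The attribute is FIPSMode, not
       FIPSMODE: Tomcat looks for setFIPSMode() on the listener and ignores
       a name that does not match exactly. Valid values: off | on | enter | require. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on"
            FIPSMode="on" />

  <Service name="Catalina">

    <!-- Native connector: TLS is terminated by OpenSSL, i.e. by the FIPS module,
         never by the JVM's own JSSE implementation. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true">
      <!-- Keep the cipher list to FIPS-approved suites; these are placeholders. -->
      <SSLHostConfig protocols="TLSv1.2"
                     ciphers="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384">
        <!-- PEM files as OpenSSL expects them; paths are placeholders. -->
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/ca-chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

With `FIPSMode="on"` Tomcat puts OpenSSL into FIPS mode if it is not already there; `enter` does the same but fails if OpenSSL is already in FIPS mode, and `require` fails unless OpenSSL is already in FIPS mode, which is the setting to pick when the module is supposed to be in FIPS mode before Tomcat starts. In Tomcat 9 the explicit APR connector is not strictly necessary: once the native library is loaded, the NIO connectors also terminate TLS in OpenSSL (the listener's `useOpenSSL` attribute defaults to `true`), so the connector above mainly makes the OpenSSL path explicit and lets a reviewer see it in the config.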


Re: Tomcat 9 and FIPS-140 mode

2020-08-24 Thread Robert Hicks
On Mon, Aug 24, 2020 at 12:48 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Robert,
>
> On 8/24/20 11:04, Robert Hicks wrote:
> > Maybe it's just better to straight up ask. I've found a couple of
> > Google searches but nothing for Tomcat 9 and the information seems
> > sporadic, incomplete, or contradictory.
> >
> > How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?
>
> The Sun/Oracle-provided crypto providers should already be FIPS-140
> certified, as long as you use them in the proper configuration.
>
> There is nothing Tomcat-specific about enabling FIPS for the SunJCE
> provider because it needs to be done at the JRE-level.
>
> This document is WebLogic-centric, but it shows how to enable FIPS-140
> mode for the whole JVM and therefore isn't WebLogic-specific, either:
>
> https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm
>
> Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when
> that module is in use, but we don't do anything about the built-in
> providers. Given the information in that document above, it looks like
> it's possible to trigger a test to determine whether FIPS is indeed
> active; perhaps Tomcat could initiate such a test as a sanity-check if
> FIPS-mode is "required" (through some as-yet-determined configuration
> option).
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> -END PGP SIGNATURE-
>

Thanks Chris!

Bob


Re: Tomcat 9 and FIPS-140 mode

2020-08-24 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Robert,

On 8/24/20 11:04, Robert Hicks wrote:
> Maybe it's just better to straight up ask. I've found a couple of
> Google searches but nothing for Tomcat 9 and the information seems
> sporadic, incomplete, or contradictory.
>
> How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?

The Sun/Oracle-provided crypto providers should already be FIPS-140
certified, as long as you use them in the proper configuration.

There is nothing Tomcat-specific about enabling FIPS for the SunJCE
provider because it needs to be done at the JRE-level.

This document is WebLogic-centric, but it shows how to enable FIPS-140
mode for the whole JVM and therefore isn't WebLogic-specific, either:

https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm

Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when
that module is in use, but we don't do anything about the built-in
providers. Given the information in that document above, it looks like
it's possible to trigger a test to determine whether FIPS is indeed
active; perhaps Tomcat could initiate such a test as a sanity-check if
FIPS-mode is "required" (through some as-yet-determined configuration
option).

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
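
The startup sanity check floated in the reply above, written as an added example rather than anything Tomcat ships: a `LifecycleListener` that refuses to let the server initialise unless the JCE services are actually served by the FIPS provider configured in `java.security`. The package, class name and the `expectedProvider` attribute are hypothetical; `JsafeJCE` is used only as an example provider name.

```java
package com.example.fips; // hypothetical package; this class is not part of Tomcat

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;

import javax.crypto.Cipher;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;

/**
 * JVM-level FIPS sanity check (added example, not Tomcat code). Registered from
 * server.xml with a hypothetical attribute that Tomcat's digester maps to the
 * setter below:
 *   <Listener className="com.example.fips.FipsSanityCheckListener" expectedProvider="JsafeJCE" />
 */
public class FipsSanityCheckListener implements LifecycleListener {

    private String expectedProvider;

    /** Called by Tomcat for the expectedProvider="..." attribute. */
    public void setExpectedProvider(String expectedProvider) {
        this.expectedProvider = expectedProvider;
    }

    public String getExpectedProvider() {
        return expectedProvider;
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Run once, before any connector has built an SSLContext.
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        if (expectedProvider == null || expectedProvider.isEmpty()) {
            throw new IllegalStateException("expectedProvider attribute is required");
        }
        List<String> problems = check(expectedProvider);
        if (!problems.isEmpty()) {
            // Throwing here aborts Server.init(), so Tomcat never binds a port
            // while the wrong provider is in charge of the crypto.
            throw new IllegalStateException("FIPS sanity check failed: " + problems);
        }
    }

    /**
     * Looks services up the way provider-agnostic code does (no explicit provider
     * argument) and reports each one that resolves to some other provider. The
     * first provider in the java.security list that supports an algorithm wins,
     * so a FIPS provider registered in second place silently loses to SunJCE;
     * that is exactly the misconfiguration this catches.
     */
    static List<String> check(String expected) {
        List<String> problems = new ArrayList<>();
        if (Security.getProvider(expected) == null) {
            problems.add("provider [" + expected + "] is not installed; check java.security");
            return problems;
        }
        try {
            verify(problems, "Cipher.AES/CBC/PKCS5Padding",
                    Cipher.getInstance("AES/CBC/PKCS5Padding").getProvider(), expected);
            verify(problems, "MessageDigest.SHA-256",
                    MessageDigest.getInstance("SHA-256").getProvider(), expected);
            verify(problems, "Signature.SHA256withRSA",
                    Signature.getInstance("SHA256withRSA").getProvider(), expected);
            verify(problems, "SecureRandom.default",
                    new SecureRandom().getProvider(), expected);
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException / NoSuchPaddingException: no installed
            // provider can supply a service the server needs.
            problems.add("algorithm lookup failed: " + e);
        }
        return problems;
    }

    private static void verify(List<String> problems, String service,
                               Provider actual, String expected) {
        if (!expected.equals(actual.getName())) {
            problems.add(service + " is served by [" + actual.getName()
                    + "], expected [" + expected + "]");
        }
    }

    /** Stand-alone use: java -cp catalina.jar:. com.example.fips.FipsSanityCheckListener JsafeJCE */
    public static void main(String[] args) {
        String expected = args.length > 0 ? args[0] : "SunJCE";
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersion());
        }
        List<String> problems = check(expected);
        System.out.println(problems.isEmpty()
                ? "OK: all checked services are served by " + expected : problems);
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

The check deliberately asks for providers by name rather than testing whether a non-approved algorithm is refused: the WebLogic document linked above adds the FIPS provider at the top of the list but does not remove SunJCE, so `Cipher.getInstance("Blowfish")` would still succeed and prove nothing. `SSLContext` is not checked the same way because JSSE and JCE are typically different providers even in a FIPS setup.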



Tomcat 9 and FIPS-140 mode

2020-08-24 Thread Robert Hicks
Maybe it's just better to straight up ask. I've found a couple of Google
searches but nothing for Tomcat 9 and the information seems sporadic,
incomplete, or contradictory.

How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?

Thanks in advance.

-- 
Bob