Thanks Chris! Please find the inline comments from my side.

On 1/29/15 12:45 AM, Geett Chanddra Singha wrote:
> I'm getting the following error when enabling FIPS mode on Apache Tomcat:
>
> Jan 28, 2015 5:02:33 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
> SEVERE: Failed to initialize the SSLEngine.
> java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
>         at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)

Chris: Looks like your fingerprint doesn't match.

Geett: Could you please explain the meaning of "FIPS_mode_set:fingerprint does not match"? It will be helpful for me as I am trying FIPS mode configuration for the first time.

> Steps I followed to configure:
>
> Added the following in server.xml
>
> <Server port="8006" shutdown="SHUTDOWN">
>
>   <!-- Comment these entries out to disable JMX MBeans support used for the
>        administration web application -->
>
>   <Listener className="org.apache.catalina.core.AprLifecycleListener"
>             SSLEngine="on" FIPSMode="on"/>
>
> --------------------------------------------------------------------------------
>
> 1.) Installing tomcat apr:
>
> Download from http://apache.mirror.anlx.net/apr/apr-1.5.1.tar.gz

Chris: What UNIX are you running? Are you sure you have to build this all yourself?

Geett: I am trying on Linux RHEL.6.0_x64. Yes, I got the steps from the internet.

> tar zxvf apr-1.5.1.tar.gz
> rm apr-1.5.1.tar.gz
> cd apr-1.5.1
> sudo ./configure
> sudo make
> sudo make install

Chris: Why did you build this as root?

Geett: I am trying on a Linux RHEL.6.0_x64 test machine.

> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/apr/lib"
>
> 2.) Installing tomcat tomcat-native:
>
> Download http://apache.bytenet.in/tomcat/tomcat-connectors/native/1.1.32/source/tomcat-native-1.1.32-src.tar.gz
>
> tar zxvf tomcat-native-1.1.32-src.tar.gz
> rm tomcat-native-1.1.32-src.tar.gz
> cd tomcat-native-1.1.32-src/jni/native
> JAVA_HOME=/usr/lib/jvm/<JAVA_HOME>
> sudo ./configure --with-apr=/usr/local/apr --with-java-home=$JAVA_HOME
> sudo make
> sudo make install
>
> 3.) Adding the following line
>
> CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/apr/lib"
>
> 4.) Restarting Tomcat
>
> Please help me resolve this issue and please let me know if I missed any step.

Chris: I didn't see the part where you built OpenSSL with FIPS. Did you do that?

Geett: Steps followed to build FIPS:

tar zxf openssl-1.0.1l.tar.gz
cd openssl-1.0.1l
./config --prefix=/usr/local --with-fipsdir=/usr/local/ssl/fips-2.0
make
make install

Note: I have installed the FIPS module in /usr/local/ssl/fips-2.0

Please suggest how to resolve the issue.

Regards,
Geett Chanddra Singha

On Thu, Jan 29, 2015 at 8:59 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Geett,
> - -chris

-- 
Thanks & Regards
Geett Chanddra Singha
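The thread never shows how to read the error code in the log line or how to confirm which libcrypto libtcnative actually loads, which is where a fingerprint problem has to be traced. The shell helpers below are an added example, not code from the thread, Tomcat or OpenSSL; they decode the packed OpenSSL error code and check ldd output against the install prefix used in the thread (/usr/local), with constructed sample ldd lines so the script runs offline.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread): decode an OpenSSL error code
# and check which libcrypto a libtcnative build resolves at load time.

# OpenSSL 1.0.x packs an error code as bits 31-24 library, 23-12 function,
# 11-0 reason. ERR_LIB_FIPS is 45, so 2D06C06E decodes to 45 108 110, i.e.
# "FIPS routines : FIPS_mode_set : fingerprint does not match".
decode_openssl_err() {
    code=$((0x$1))
    printf '%d %d %d\n' $(( (code >> 24) & 0xff )) $(( (code >> 12) & 0xfff )) $(( code & 0xfff ))
}

# Print yes when the code comes from the FIPS error library, else no.
is_fips_err() {
    if [ $(( (0x$1 >> 24) & 0xff )) -eq 45 ]; then echo yes; else echo no; fi
}

# Read ldd output on stdin; print the path libcrypto resolved to, or NOT-FOUND.
libcrypto_path() {
    awk '/libcrypto\.so/ { p = ($3 == "not") ? "NOT-FOUND" : $3; print p; exit }'
}

# FIPS_mode_set checks the HMAC fingerprint that fipsld embedded at link time
# against the libcrypto image actually loaded, so first confirm which image that
# is: the self-built one under --prefix (/usr/local in the thread) or a distro
# copy such as /usr/lib64/libcrypto.so.10 that LD_LIBRARY_PATH let in.
check_libcrypto_prefix() {
    prefix=$1; lib=$2
    case "$lib" in
        "$prefix"/*) echo "OK: $lib is under $prefix"; return 0 ;;
        NOT-FOUND)   echo "FAIL: libcrypto not found; check LD_LIBRARY_PATH"; return 1 ;;
        *)           echo "FAIL: $lib is outside $prefix, a different libcrypto is loaded"; return 1 ;;
    esac
}

# Constructed sample ldd lines for the offline run (not captured from a real host).
SAMPLE_GOOD='libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x00007f1c2a000000)'
SAMPLE_BAD='libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f1c2a000000)'

if [ -n "${1:-}" ]; then
    # On a real host: sh fipscheck.sh /usr/local/apr/lib/libtcnative-1.so [prefix]
    check_libcrypto_prefix "${2:-/usr/local}" "$(ldd "$1" | libcrypto_path)"
else
    decode_openssl_err 2D06C06E
    check_libcrypto_prefix /usr/local "$(printf '%s\n' "$SAMPLE_GOOD" | libcrypto_path)"
    check_libcrypto_prefix /usr/local "$(printf '%s\n' "$SAMPLE_BAD" | libcrypto_path)" || true
fi
```

Note also that a FIPS-capable OpenSSL 1.0.x build needs the fips target on the config line (./config fips --with-fipsdir=...), which the config command quoted above omits.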