On 04/08/2015 09:30, Nikitha Benny wrote:
> Hello All,
>
> We are working on Tomcat 7.00.062 with java 1.08.045.
> We require to configure FIPS compliancy on the Tomcat.
>
> We were successful in configuring FIPS compliancy on java 1.08.045.
> A keystore file has already been created for Tomcat.
>
> When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
> runs fine on the http server, but fails to run on the https server port.
>
> The java.security file is of JKS format.
> We tried converting from JKS to PKCS12 format, which gave us the below
> result:
>
> [root]## *keytool -importkeystore -srckeystore tomcat.keystore
> -destkeystore tomcatpkcs2.keystore*
> Import command completed: 1 entries successfully imported, 0 entries
> failed or cancelled
>
> [root]## *keytool -v -list -storetype pkcs12 -keystore tomcatpkcs2.keystore*
> keytool error: java.io.IOException: Error decoding PKCS 12 input.
> java.io.IOException: Error decoding PKCS 12 input.
> at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at sun.security.tools.keytool.Main.doCommands(Main.java:792)
> at sun.security.tools.keytool.Main.run(Main.java:340)
> at sun.security.tools.keytool.Main.main(Main.java:333)
>
> -------
>
> Also we tried to create a new keystore file entirely of PKCS12 format,
> which resulted as below:
>
> [root]## *keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
> -validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView,
> O=Hewlett-Packard, L=Palo Alto, S=California, C=US" -keypass changeit
> -storepass changeit -keystore tomcatmypkcs12.kestore -storetype pkcs12*
>
> When we list the keystore file, it throws the below exception.
> It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
> compliant.
That looks like you are using an old version of keytool. The default
signature algorithm for an RSA key should be SHA256withRSA for Java 8.

Try explicitly specifying "-sigalg SHA256withRSA" when you generate the
key with keytool.

Mark

>
> [root]## *keytool -v -list -storetype pkcs12 -keystore
> tomcatmypkcs12.kestore*
> Enter keystore password: (password given)
> keytool error: java.lang.SecurityException: Algorithm not allowable in
> FIPS140 mode: PBE/PKCS12/*SHA1*/RC2/CBC/40
> java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
> PBE/PKCS12*/SHA1*/RC2/CBC/40
> at com.rsa.cryptoj.o.cc.c(Unknown Source)
> at com.rsa.cryptoj.o.ci.c(Unknown Source)
> at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
> at com.rsa.cryptoj.o.dh.d(Unknown Source)
> at com.rsa.cryptoj.o.gf.<init>(Unknown Source)
> at com.rsa.cryptoj.o.gk.<init>(Unknown Source)
> at com.rsa.cryptoj.o.gp.<init>(Unknown Source)
> at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
> at com.rsa.cryptoj.o.kg.a(Unknown Source)
> at com.rsa.cryptoj.o.kg.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.b(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at sun.security.tools.keytool.Main.doCommands(Main.java:889)
> at sun.security.tools.keytool.Main.run(Main.java:340)
> at sun.security.tools.keytool.Main.main(Main.java:333)
>
> Is there a possibility where it can pick up SHA256 ?
>
> Regards,
> Nikitha
>
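Putting Mark's suggestion into a script, as an added example that is not part of the thread: it generates the key pair with `-sigalg SHA256withRSA` spelled out and then checks a `keytool -v -list` listing for any entry still signed with SHA-1, which is the cheap way to confirm the fix took before pointing Tomcat's HTTPS connector at the file. The keystore file name and the DN are assumptions; the alias is the one from the thread, and the sample listing is constructed.

```shell
# Added example, not code from the thread: generate the Tomcat key pair with the
# signature algorithm stated explicitly (as Mark suggests), then check a
# `keytool -v -list` listing for entries still signed with SHA-1.
# Keystore file name and DN are assumptions; the alias is the thread's.
KEYSTORE=tomcatmypkcs12.keystore
ALIAS=ovtomcatb

# -genkeypair is the Java 8 name for -genkey; -sigalg overrides keytool's default.
gen_key() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 7200 \
        -dname "CN=tomcat.example.org, OU=OpenView, O=Example, L=Palo Alto, S=California, C=US" \
        -keypass changeit -storepass changeit \
        -keystore "$KEYSTORE" -storetype pkcs12
}

# Reads a `keytool -v -list` listing on stdin: returns 2 if it holds no
# certificate, 1 if any "Signature algorithm name" is not SHA-2 based, else 0.
# The "SHA1:" fingerprint line is just a digest of the cert, not a finding.
check_sigalgs() {
    sig_lines=$(grep -i 'Signature algorithm name:' || true)
    if [ -z "$sig_lines" ]; then
        echo "no certificate signature algorithm found in listing" >&2
        return 2
    fi
    bad=$(printf '%s\n' "$sig_lines" | grep -viE 'SHA(256|384|512)with' || true)
    if [ -n "$bad" ]; then
        echo "signature algorithm(s) not acceptable in FIPS mode:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}
# Constructed sample listing (not real keytool output) with one SHA-1 entry.
SAMPLE_LISTING='Alias name: ovtomcatb
Certificate fingerprints:
         SHA1: AB:CD:EF
         SHA256: 12:34:56
         Signature algorithm name: SHA1withRSA
Alias name: ovtomcatc
         Signature algorithm name: SHA256withRSA'

# Run for real when keytool is available, otherwise exercise the offline sample.
if command -v keytool >/dev/null 2>&1 && [ ! -e "$KEYSTORE" ]; then
    gen_key && keytool -v -list -storetype pkcs12 -keystore "$KEYSTORE" \
        -storepass changeit | check_sigalgs
else
    printf '%s\n' "$SAMPLE_LISTING" | check_sigalgs || true
fi
```

Because the check only looks at the certificate signature algorithm, a keystore that still fails to load with the PBE/PKCS12/SHA1 error above needs the listing run under the same FIPS-configured JRE, where the load itself is the test.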