Hello Mark,

Thanks for your valuable suggestion.

We were successful in creating the pkcs12 keystore which picks up SHA256 as
shown below:

---------
[root]## /jre/b/bin/keytool -v -list -storetype pkcs12 -keystore
tomcat.keystore
Enter keystore password:

*Keystore type: PKCS12*
*Keystore provider: JsafeJCE*

Your keystore contains 1 entry

Alias name: ovtomcatb
Creation date: Aug 4, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView,
O=Hewlett-Packard, L=Palo Alto, ST=California, C=US
Issuer: CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView,
O=Hewlett-Packard, L=Palo Alto, ST=California, C=US
Serial number: 65b4bcb8
Valid from: Thu Jul 23 14:55:21 IST 2015 until: Mon Apr 09 14:55:21 IST 2035
Certificate fingerprints:
         MD5:  9B:68:A8:C4:4C:81:FC:F6:06:CF:51:52:00:67:B1:E1
         SHA1: 4A:98:19:E4:42:34:B0:7D:8C:2B:AD:D5:38:15:79:77:2E:99:D1:10
         SHA256:
AD:17:98:07:BB:D3:CE:FE:43:D8:31:83:27:33:42:26:7E:E0:13:D6:71:5A:8E:54:9C:96:7A:B3:51:48:A3:E6
         Signature algorithm name: *SHA256withRSA*
         Version: 3
-----------

But still Tomcat does not run on the https port.
Any clue as to why this happens?

The protocol I am using is *"org.apache.coyote.http11.Http11Protocol"*.
Could it be because I am not using an APR connector protocol?

Regards,
Nikitha

On Tue, Aug 4, 2015 at 2:37 PM, Mark Thomas <ma...@apache.org> wrote:

> On 04/08/2015 09:30, Nikitha Benny wrote:
> > Hello All,
> >
> > We are working on Tomcat 7.00.062 with java 1.08.045.
> > We require to configure FIPS compliancy on the Tomcat.
> >
> > We were successful in configuring FIPS compliancy on java 1.08.045.
> > A keystore file has already been created for Tomcat.
> >
> > When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
> > runs fine on the http server, but fails to run on the https server port.
> >
> > The java.security file is of JKS format.
> > We tried converting from JKS to PKCS12 format, which gave us the below
> > result:
> >
> > [root]## *keytool -importkeystore -srckeystore tomcat.keystore
> > -destkeystore tomcatpkcs2.keystore*
> > Import command completed:  1 entries successfully imported, 0 entries
> > failed or cancelled
> >
> > [root]## *keytool -v -list -storetype pkcs12 -keystore
> tomcatpkcs2.keystore*
> > keytool error: java.io.IOException: Error decoding PKCS 12 input.
> > java.io.IOException: Error decoding PKCS 12 input.
> >         at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> >         at java.security.KeyStore.load(KeyStore.java:1445)
> >         at sun.security.tools.keytool.Main.doCommands(Main.java:792)
> >         at sun.security.tools.keytool.Main.run(Main.java:340)
> >         at sun.security.tools.keytool.Main.main(Main.java:333)
> >
> > -------
> >
> > Also we tried to create a new keystore file entirely of PKCS12 format,
> > which resulted as below:
> >
> > [root]## *keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
> > -validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com
> > <http://IWFVM01284.hpswlabs.adapps.hp.com>, OU=OpenView,
> O=Hewlett-Packard,
> > L=Palo Alto, S=California, C=US" -keypass changeit -storepass changeit
> > -keystore tomcatmypkcs12.kestore -storetype pkcs12*
> >
> > When we list the keystore file, it throws the below exception.
> > It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
> > compliant.
>
> That looks like you are using an old version of keytool. The default
> signature algorithm for an RSA key should be SHA256withRSA for Java 8.
>
> Try explicitly specifying "-sigalg SHA256withRSA" when you generate the
> key with keytool.
>
> Mark
>
>
> >
> > [root]## *keytool -v -list -storetype pkcs12 -keystore
> > tomcatmypkcs12.kestore*
> > Enter keystore password: (password given)
> > keytool error: java.lang.SecurityException: Algorithm not allowable in
> > FIPS140 mode: PBE/PKCS12/*SHA1*/RC2/CBC/40
> > java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
> > PBE/PKCS12*/SHA1*/RC2/CBC/40
> >         at com.rsa.cryptoj.o.cc.c(Unknown Source)
> >         at com.rsa.cryptoj.o.ci.c(Unknown Source)
> >         at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
> >         at com.rsa.cryptoj.o.dh.d(Unknown Source)
> >         at com.rsa.cryptoj.o.gf.<init>(Unknown Source)
> >         at com.rsa.cryptoj.o.gk.<init>(Unknown Source)
> >         at com.rsa.cryptoj.o.gp.<init>(Unknown Source)
> >         at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
> >         at com.rsa.cryptoj.o.kg.a(Unknown Source)
> >         at com.rsa.cryptoj.o.kg.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.b(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> >         at java.security.KeyStore.load(KeyStore.java:1445)
> >         at sun.security.tools.keytool.Main.doCommands(Main.java:889)
> >         at sun.security.tools.keytool.Main.run(Main.java:340)
> >         at sun.security.tools.keytool.Main.main(Main.java:333)
> >
> > Is there a possibility where it can pick up SHA256?
> >
> > Regards,
> > Nikitha
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
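The FIPS140 rejection quoted in the thread (PBE/PKCS12/SHA1/RC2/CBC/40) is the legacy PKCS#12 password-based encryption that older keytool versions wrote by default for the certificate bags; the companion scheme for key bags is SHA1 with 3DES. As an added example, not code from the thread, from Tomcat or from keytool, the following stdlib-only Python walks a DER blob, collects its OIDs and reports those legacy PBE identifiers, so a .p12 file can be checked before it is handed to a FIPS provider; the sample DER at the bottom is constructed by hand.

```python
# Real OIDs from RFC 7292 appendix C; older keytool wrote .3 for key bags and .6 for cert bags.
LEGACY_PBE = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}

def iter_tlv(buf):
    """Yield (tag, body) for each DER TLV in buf (single-byte tags, short or long length)."""
    i, end = 0, len(buf)
    while i < end:
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                         # long form: low 7 bits = number of length bytes
            k, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(buf[i - k:i], "big")
        if i + n > end:
            raise ValueError("TLV body runs past end of buffer")
        yield tag, buf[i:i + n]
        i += n

def decode_oid(body):
    """OID content octets to dotted form: first byte packs two arcs, rest are base-128."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this sub-identifier
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def find_oids(buf):
    """Collect every OID (tag 0x06), descending into constructed types and into OCTET STRINGs."""
    out = []
    for tag, body in iter_tlv(buf):
        if tag == 0x06:
            out.append(decode_oid(body))
        elif tag & 0x20:                     # constructed bit set: SEQUENCE, SET, [n] EXPLICIT
            out.extend(find_oids(body))
        elif tag == 0x04:                    # PKCS#12 nests AuthenticatedSafe inside OCTET STRING
            try:
                out.extend(find_oids(body))
            except (ValueError, IndexError): # opaque octets (salt, ciphertext), not nested DER
                pass
    return out

def audit_pbe(buf):
    # Names of legacy PBE schemes present; an empty list means none were found.
    return [LEGACY_PBE[o] for o in find_oids(buf) if o in LEGACY_PBE]

# Constructed sample: two AlgorithmIdentifiers, legacy pbeWithSHAAnd40BitRC2-CBC then SHA256withRSA.
SAMPLE_DER = bytes.fromhex(
    "302d" "301c" "060a2a864886f70d010c0106" "300e" "04080011223344556677" "02020800"
    "300d" "06092a864886f70d01010b" "0500")
```

Run `audit_pbe(open("tomcat.p12", "rb").read())` on a real file; an empty result means the store uses no SHA1/RC2/3DES PKCS#12 PBE, and a non-empty one names the scheme the provider will refuse.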
