Hello Mark,

Thanks for your valuable suggestion.
We were successful in creating the pkcs12 keystore which picks up SHA256 as shown below:

---------
[root]## /jre/b/bin/keytool -v -list -storetype pkcs12 -keystore tomcat.keystore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: JsafeJCE

Your keystore contains 1 entry

Alias name: ovtomcatb
Creation date: Aug 4, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView, O=Hewlett-Packard, L=Palo Alto, ST=California, C=US
Issuer: CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView, O=Hewlett-Packard, L=Palo Alto, ST=California, C=US
Serial number: 65b4bcb8
Valid from: Thu Jul 23 14:55:21 IST 2015 until: Mon Apr 09 14:55:21 IST 2035
Certificate fingerprints:
         MD5:  9B:68:A8:C4:4C:81:FC:F6:06:CF:51:52:00:67:B1:E1
         SHA1: 4A:98:19:E4:42:34:B0:7D:8C:2B:AD:D5:38:15:79:77:2E:99:D1:10
         SHA256: AD:17:98:07:BB:D3:CE:FE:43:D8:31:83:27:33:42:26:7E:E0:13:D6:71:5A:8E:54:9C:96:7A:B3:51:48:A3:E6
         Signature algorithm name: SHA256withRSA
         Version: 3
-----------

But still Tomcat does not run on the https port. Any clue as to why this happens?
The protocol I am using is "org.apache.coyote.http11.Http11Protocol".
Could it be because I am not using an APR connector protocol?

Regards,
Nikitha

On Tue, Aug 4, 2015 at 2:37 PM, Mark Thomas <ma...@apache.org> wrote:

> On 04/08/2015 09:30, Nikitha Benny wrote:
> > Hello All,
> >
> > We are working on Tomcat 7.00.062 with Java 1.08.045.
> > We need to configure FIPS compliancy on Tomcat.
> >
> > We were successful in configuring FIPS compliancy on Java 1.08.045.
> > A keystore file has already been created for Tomcat.
> >
> > When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
> > runs fine on the http server, but fails to run on the https server port.
> >
> > The java.security file is of JKS format.
> > We tried converting from JKS to PKCS12 format, which gave us the below
> > result:
> >
> > [root]## keytool -importkeystore -srckeystore tomcat.keystore
> > -destkeystore tomcatpkcs2.keystore
> > Import command completed: 1 entries successfully imported, 0 entries
> > failed or cancelled
> >
> > [root]## keytool -v -list -storetype pkcs12 -keystore tomcatpkcs2.keystore
> > keytool error: java.io.IOException: Error decoding PKCS 12 input.
> > java.io.IOException: Error decoding PKCS 12 input.
> >         at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> >         at java.security.KeyStore.load(KeyStore.java:1445)
> >         at sun.security.tools.keytool.Main.doCommands(Main.java:792)
> >         at sun.security.tools.keytool.Main.run(Main.java:340)
> >         at sun.security.tools.keytool.Main.main(Main.java:333)
> >
> > -------
> >
> > Also we tried to create a new keystore file entirely of PKCS12 format,
> > which resulted as below:
> >
> > [root]## keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
> > -validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView,
> > O=Hewlett-Packard, L=Palo Alto, S=California, C=US" -keypass changeit
> > -storepass changeit -keystore tomcatmypkcs12.kestore -storetype pkcs12
> >
> > When we list the keystore file, it throws the below exception.
> > It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
> > compliant.
>
> That looks like you are using an old version of keytool. The default
> signature algorithm for an RSA key should be SHA256withRSA for Java 8.
>
> Try explicitly specifying "-sigalg SHA256withRSA" when you generate the
> key with keytool.
>
> Mark
>
> > [root]## keytool -v -list -storetype pkcs12 -keystore tomcatmypkcs12.kestore
> > Enter keystore password: (password given)
> > keytool error: java.lang.SecurityException: Algorithm not allowable in
> > FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
> > java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
> > PBE/PKCS12/SHA1/RC2/CBC/40
> >         at com.rsa.cryptoj.o.cc.c(Unknown Source)
> >         at com.rsa.cryptoj.o.ci.c(Unknown Source)
> >         at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
> >         at com.rsa.cryptoj.o.dh.d(Unknown Source)
> >         at com.rsa.cryptoj.o.gf.<init>(Unknown Source)
> >         at com.rsa.cryptoj.o.gk.<init>(Unknown Source)
> >         at com.rsa.cryptoj.o.gp.<init>(Unknown Source)
> >         at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
> >         at com.rsa.cryptoj.o.kg.a(Unknown Source)
> >         at com.rsa.cryptoj.o.kg.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.b(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.a(Unknown Source)
> >         at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> >         at java.security.KeyStore.load(KeyStore.java:1445)
> >         at sun.security.tools.keytool.Main.doCommands(Main.java:889)
> >         at sun.security.tools.keytool.Main.run(Main.java:340)
> >         at sun.security.tools.keytool.Main.main(Main.java:333)
> >
> > Is there a possibility where it can pick up SHA256?
> >
> > Regards,
> > Nikitha
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
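The rejection in this thread comes from the password-based encryption algorithm encoded in the PKCS12 file itself, so it is worth inspecting a keystore's algorithm identifiers before a FIPS provider ever loads it. The following is an added example, not code from the thread, Tomcat or the JDK: a small Python DER walker that lists the algorithm OIDs found in a PKCS12 file against a verdict table that is this example's own assumption (the OID-to-name mapping is the standard one; only the RC2-40 rejection is taken from the error quoted above), run here on a constructed byte string rather than a real keystore.

```python
# Pre-flight check of a DER PKCS#12 keystore (the encoding keytool writes) before a FIPS 140
# provider loads it: collect every algorithm OID and flag legacy ones such as the RC2-40 PBE.
from contextlib import suppress
ALGS = {  # this example's own verdicts; RC2-40 is the PBE the thread's error names
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", "reject"),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", "review"),
    "1.3.14.3.2.26": ("sha1", "review"),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", "ok"),
    "2.16.840.1.101.3.4.2.1": ("sha256", "ok"),
}
ALG_ARCS = ("1.2.840.113549.1.12.1.", "1.2.840.113549.1.5.", "1.2.840.113549.2.",  # PBE, PKCS#5, HMAC
            "1.3.14.3.2.", "2.16.840.1.101.3.4.")                                   # OIW, NIST

def decode_oid(body):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def walk(buf, i, end, oids):
    """Parse the DER TLVs in buf[i:end], appending every OID found; return the offset reached."""
    while i < end:
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                               # long form: the low bits count the length octets
            ln, i = int.from_bytes(buf[i:i + ln - 0x80], "big"), i + ln - 0x80
        body_end = i + ln
        if body_end > end: raise ValueError("TLV overruns its enclosing element")
        if tag == 0x06:
            oids.append(decode_oid(buf[i:body_end]))
        elif tag & 0x20:                            # constructed: SEQUENCE, SET, [n] EXPLICIT
            walk(buf, i, body_end, oids)
        elif tag == 0x04 and ln and buf[i] & 0x20:  # OCTET STRING that looks like nested DER: PKCS#12
            nested = []                             # wraps its safes this way; keep the OIDs only if it
            with suppress(ValueError, IndexError):  # parses completely, which ciphertext, salts and
                if walk(buf, i, body_end, nested) == body_end:   # MAC digests will not
                    oids.extend(nested)
        i = body_end
    return i

def fips_report(der):  # -> [(oid, name, verdict)]; content-type and bag OIDs are filtered out
    oids = []
    walk(der, 0, len(der), oids)
    return [(o, *ALGS.get(o, ("unknown", "review")))
            for o in dict.fromkeys(oids) if o.startswith(ALG_ARCS)]

SAMPLE = bytes.fromhex("3027" "300c060a2a864886f70d010c0106"   # constructed sample, not a real keystore:
                       "040d300b0609608648016503040201"        # RC2-40 AlgId; OCTET STRING wrapping a SEQUENCE
                       "04089b68a8c44c81fcf6")                 # with the SHA-256 OID; opaque salt, not descended
```

Running `fips_report` on the bytes of a keystore written with keytool's legacy PKCS12 defaults lists the RC2-40 PBE named in the error above, so the check can sit in a deployment pipeline before Tomcat ever sees the file.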