Robert,

On 8/24/20 11:04, Robert Hicks wrote:
> Maybe it's just better to straight up ask. I've found a couple of
> Google searches but nothing for Tomcat 9 and the information seems
> sporadic, incomplete, or contradictory.
>
> How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?

The Sun/Oracle-provided crypto providers should already be FIPS-140 certified, as long as you use them in the proper configuration. There is nothing Tomcat-specific about enabling FIPS for the SunJCE provider because it needs to be done at the JRE-level.

This document is WebLogic-centric, but it shows how to enable FIPS-140 mode for the whole JVM and therefore isn't WebLogic-specific, either:

https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm

Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when that module is in use, but we don't do anything about the built-in providers.

Given the information in that document above, it looks like it's possible to trigger a test to determine whether FIPS is indeed active; perhaps Tomcat could initiate such a test as a sanity-check if FIPS-mode is "required" (through some as-yet-determined configuration option).

-chris
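
An added example, not part of the original message and not Tomcat code: one way to run a JVM-level sanity check of the kind discussed above, using only standard `java.security` calls available on JDK 8. It reports which installed provider would serve each primitive a TLS connector depends on and fails if any falls outside an operator-supplied list of provider names; it shows which provider is selected, not whether that provider is running in a validated mode. The class name `ProviderSanityCheck`, the list of primitives and the comma-separated argument format are assumptions made for this illustration.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example (hypothetical class, not Tomcat code).
public class ProviderSanityCheck {
    // Primitives a TLS connector depends on, as "<service>.<algorithm>" filters.
    static final String[] REQUIRED = {
        "SSLContext.TLSv1.2", "Cipher.AES", "Mac.HmacSHA256",
        "MessageDigest.SHA-256", "Signature.SHA256withRSA",
        "KeyAgreement.ECDH", "KeyPairGenerator.RSA"
    };

    /** Returns one line per problem; an empty list means every primitive resolved to an allowed provider. */
    static List<String> check(Set<String> allowed) {
        List<String> problems = new ArrayList<>();
        for (String filter : REQUIRED) {
            // Providers come back in java.security preference order; the first one is the default pick.
            Provider[] p = Security.getProviders(filter);
            if (p == null || p.length == 0) {
                problems.add(filter + ": no provider offers it");
            } else if (!allowed.contains(p[0].getName())) {
                problems.add(filter + ": served by " + p[0].getName());
            }
        }
        String rng = new SecureRandom().getProvider().getName();
        if (!allowed.contains(rng)) {
            problems.add("SecureRandom: served by " + rng);
        }
        return problems;
    }

    public static void main(String[] args) {
        if (args.length == 0) {
            System.err.println("usage: ProviderSanityCheck <provider>[,<provider>...]");
            System.exit(2);
        }
        // Allowed provider names are operator-supplied (assumption), e.g. from a deployment checklist.
        List<String> problems = check(new HashSet<>(Arrays.asList(args[0].split(","))));
        problems.forEach(System.out::println);
        // Non-zero exit lets a startup script refuse to launch the server.
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Run it with the same JRE and `java.security` configuration the server uses, since provider order is read from that file.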