On Mon, Aug 24, 2020 at 12:48 PM Christopher Schultz < ch...@christopherschultz.net> wrote:
> Robert,
>
> On 8/24/20 11:04, Robert Hicks wrote:
> > Maybe it's just better to straight up ask. I've found a couple of
> > Google searches but nothing for Tomcat 9 and the information seems
> > sporadic, incomplete, or contradictory.
> >
> > How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?
>
> The Sun/Oracle-provided crypto providers should already be FIPS-140
> certified, as long as you use them in the proper configuration.
>
> There is nothing Tomcat-specific about enabling FIPS for the SunJCE
> provider because it needs to be done at the JRE-level.
>
> This document is WebLogic-centric, but it shows how to enable FIPS-140
> mode for the whole JVM and therefore isn't WebLogic-specific, either:
>
> https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm
>
> Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when
> that module is in use, but we don't do anything about the built-in
> providers. Given the information in that document above, it looks like
> it's possible to trigger a test to determine whether FIPS is indeed
> active; perhaps Tomcat could initiate such a test as a sanity-check if
> FIPS-mode is "required" (through some as-yet-determined configuration
> option).
>
> -chris

Thanks Chris!

Bob