Rupesh,

Sorry for top-posting, but all of your screenshots were stripped out of your original post. Can you please provide text-only information for the mailing list?

Thanks,
-chris

On 5/17/22 05:07, Rupesh P wrote:
Good Evening,
I have an issue while enabling FIPS mode in Tomcat 9 on Windows, where it throws the error "Failed to enter fips mode". Below is a detailed explanation with the relevant content. Sorry for the length, but I am trying to provide all of the relevant details in the hope that the solution to this issue will be easily identifiable.

*Method 1:*

Software Specifications:
Tomcat version - 9.0.34
Openssl version - 3.0.2
OS - Windows Server 2019 64-bit

I have installed OpenSSL (3.0.2) along with the FIPS module as per the steps mentioned in the wiki (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0).

OpenSSL 3.0.2 and the FIPS module were installed successfully.

[screenshot omitted: openssl version.PNG]


Post installation of OpenSSL, I tried enabling FIPS mode in Tomcat 9. For that I performed the following:

 1. Added FIPSMode="on" to the APR listener in the server.xml of Tomcat 9.
 2. Restarted the Tomcat server.
 3. But FIPS mode was not enabled.

[screenshot omitted: Fipsmode server xml.PNG]

[screenshot omitted: fips error1.PNG]

*Method 2:*

I researched on the web and found a few links and references for enabling FIPS mode in Tomcat, but they are for an older version of OpenSSL (i.e. 1.0.2l), where they also download the OpenSSL FIPS Object Module 2.0.16 as an external package and build it with the tcnative library.

The steps are:

Building OpenSSL
Building APR
Building the Tomcat native library
Adding FIPSMode="on" to the APR listener
The link of the reference: https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/

I followed the same steps and tried building the Tomcat native library, except omitting the FIPS Object Module build setup, since in our case the FIPS module is integrated with OpenSSL 3.0.

The versions of the modules I used:

OpenSSL 3.0.2
APR version 1.7.0
Tomcat Native library 1.2.32

I successfully built the Tomcat native library, tried putting it in the bin folder and restarted the Tomcat service. But there I get another error message stating "FIPS was not available to tcnative at build time".

[screenshot omitted: fips error.PNG]

There is a switch or parameter that is passed to build tcnative with FIPS. When I tried building tcnative with that parameter, I got an error.

[screenshot omitted: native error.PNG]

The command that i used for building tcnative is:
nmake -f NMAKEMakefile BUILD_CPU=x64 WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0" WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2" APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1

Without the WITH_FIPS=1 parameter, tcnative builds successfully.

So these are the findings I have made. Is there any way to overcome this issue? Please let me know if there are any other options or ways to resolve this error (to enable FIPS mode in Tomcat 9).


Thanks,

Rupesh P.
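Added example, not part of the original post and not code from the Tomcat or OpenSSL projects: a PowerShell check that the OpenSSL 3.0 FIPS provider is installed, loadable and set as the default on the Windows host, run independently of Tomcat. The reason for checking this side first is that OpenSSL 3.0 removed the FIPS_mode()/FIPS_mode_set() functions that the OpenSSL 1.0.2 FIPS Object Module exposed; in 3.0, FIPS operation means the "fips" provider is activated from openssl.cnf (after "openssl fipsinstall" has written fipsmodule.cnf) and the default property query is fips=yes. Whatever a given tcnative build does at its end, "Failed to enter fips mode" cannot be diagnosed until this provider-side setup is known to work on its own. The install prefix C:\OpenSSL, the fips.dll and openssl.exe locations, and the config file names are assumptions; adjust them to the actual install.

```powershell
# Added example (not from the original post): verify the OpenSSL 3.0 FIPS
# provider on Windows, independently of Tomcat / tcnative.
# All paths below are assumptions about where OpenSSL 3.0.2 was installed.
$OpenSslDir  = 'C:\OpenSSL'                                # assumed prefix
$OpenSsl     = Join-Path $OpenSslDir 'bin\openssl.exe'     # assumed
$FipsModule  = Join-Path $OpenSslDir 'lib\ossl-modules\fips.dll'   # assumed
$FipsConfig  = Join-Path $OpenSslDir 'ssl\fipsmodule.cnf'  # assumed
$OpenSslConf = Join-Path $OpenSslDir 'ssl\openssl-fips.cnf' # assumed

# 1. Run the module self-tests and write fipsmodule.cnf (module MAC etc.).
#    This is the "install" step from the OpenSSL 3.0 wiki; the provider will
#    not activate without a valid fipsmodule.cnf for this exact fips.dll.
& $OpenSsl fipsinstall -module $FipsModule -out $FipsConfig
if ($LASTEXITCODE -ne 0) { throw "fipsinstall failed: FIPS module self-tests did not pass" }

# 2. Re-verify the generated file against the module. This catches a
#    fipsmodule.cnf copied from another machine or left over from an
#    earlier OpenSSL build, which also shows up as a failure to enter FIPS.
& $OpenSsl fipsinstall -module $FipsModule -in $FipsConfig -verify
if ($LASTEXITCODE -ne 0) { throw "fipsmodule.cnf does not match $FipsModule" }

# 3. Write an openssl.cnf that activates the fips and base providers and
#    makes fips=yes the default property query (layout from fips_module(7)).
#    fipsmodule.cnf supplies [fips_sect], which is why it is .include'd.
@"
config_diagnostics = 1
openssl_conf = openssl_init

.include $FipsConfig

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
"@ | Set-Content -Path $OpenSslConf -Encoding ascii

# 4. Point libcrypto at that config for this session and confirm the fips
#    provider reports "status: active". Parse errors in the config are
#    reported thanks to config_diagnostics = 1.
$env:OPENSSL_CONF = $OpenSslConf
$providers = & $OpenSsl list -providers
if ($LASTEXITCODE -ne 0) { throw "openssl list -providers failed; read the config diagnostics above" }
$text = $providers -join "`n"
if ($text -notmatch '(?s)fips.*?status:\s*active') {
    throw "FIPS provider is loaded from config but not active:`n$text"
}

# 5. Behavioural check: an approved digest works, a non-approved one is
#    refused because only the fips and base providers are loaded and the
#    default property query is fips=yes.
'fips check' | & $OpenSsl dgst -sha256 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "SHA-256 failed under the FIPS provider" }
'fips check' | & $OpenSsl dgst -md5 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) { throw "MD5 succeeded: default properties are not fips=yes" }

Write-Host "OpenSSL FIPS provider is installed and active via $OpenSslConf"
```

Run this as the same account that will run the Tomcat service. For the Tomcat process to see the same configuration, OPENSSL_CONF has to be set in that service's environment (or the file placed where the OpenSSL build looks for openssl.cnf by default); only once step 4 passes there does a tcnative/FIPSMode="on" failure point at the tcnative build rather than at the OpenSSL install.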

