Hi Christopher Schultz,
I am sorry for the inconvenience caused.

Actually I am not able to enable FIPS mode in Tomcat 9 for Windows. It
gives an error "Failed to enter fips mode".

Software Specifications:
Tomcat version - 9.0.34
OpenSSL version - 3.0.2
OS - Windows Server 2019 64-bit

I tried building the Tomcat Native library with APR (1.7.0),
OpenSSL (3.0.2) and Tomcat Native library (1.2.32).

OpenSSL 3.0.2 along with FIPS got built successfully.

Since the FIPS Object Module Package is already integrated with OpenSSL
3.0, there is no separate package for it. So I have built the Tomcat Native
library and it got built successfully. But when I tried to:
1. put tcnative-1.dll in the bin folder of Tomcat 9
2. add FIPSMODE="on" for the APR listener
3. add the HTTPS connector to use the Native (OpenSSL) implementation of the
SSL/TLS protocol
4. restart Tomcat and check catalina.log

FIPS mode is not getting enabled; the log shows the error "Failed to
enter fips mode" and along with that it also states "FIPS was not
available to tcnative at build time".

The same steps I have performed for OpenSSL version 1.0.2 along with
the FIPS Object Module Package; there Tomcat was able to initialize FIPS
mode and Tomcat started in FIPS mode.

Is there any way to overcome this issue?
Please let me know of any solution for this issue.

Thanks,
Rupesh.



On Tue, May 17, 2022 at 10:02 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Rupesh,
>
> Sorry for top-posting, but all of your screenshots were stripped-out of
> your original post. Can you please provide text-only information for the
> mailing list?
>
> Thanks,
> -chris
>
> On 5/17/22 05:07, Rupesh P wrote:
> > Good Evening,
> > I have an issue while enabling FIPS mode in Tomcat 9 for Windows, where
> > it throws me an error "Failed to enter fips mode". Below is the detailed
> > explanation and content. Sorry for the length, but I am trying to provide
> > all of the relevant details in the hope that the solution to this issue
> > will be easily identifiable.
> >
> > Method 1:
> >
> > Software Specifications:
> > Tomcat version - 9.0.34
> > OpenSSL version - 3.0.2
> > OS - Windows Server 2019 64-bit
> >
> > I have installed OpenSSL version 3.0.2 along with the FIPS Module
> > installation as per the steps mentioned in the wiki
> > (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0).
> >
> > OpenSSL 3.0.2 and the FIPS module got installed successfully.
> >
> > openssl version.PNG
> >
> >
> > Post installation of OpenSSL, I tried enabling FIPS mode in
> > Tomcat 9. For that I have performed:
> >
> >  1. Added FIPSMODE="on" for the APR listener in the server.xml of
> >     Tomcat 9.
> >  2. Restarted the Tomcat server.
> >  3. But FIPS mode was not enabled.
> >
> > Fipsmode server xml.PNG
> >
> > fips error1.PNG
> >
> > Method 2:
> >
> > I researched on the web and found a few links and references for
> > enabling FIPS mode in Tomcat, but that is for the older version of
> > OpenSSL (i.e. 1.0.2l), where they are also downloading the OpenSSL FIPS
> > Object Module 2.0.16 as an external package and building it with the tcnative
> > library.
> >
> > The steps are:
> >
> > 1. Building OpenSSL
> > 2. Building APR
> > 3. Building the Tomcat native library
> > 4. Adding FIPSMode="on" for the APR listener
> >
> > The link of the reference:
> > https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/
> >
> > I followed the same steps and tried building the Tomcat native library,
> > except omitting the FIPS Object Module build setup, since in our case
> > the FIPS FOM is integrated with OpenSSL 3.0.
> >
> > The versions of the modules I used:
> >
> > OpenSSL 3.0.2
> > APR version 1.7.0
> > Tomcat Native library 1.2.32
> >
> > I have successfully built the Tomcat native library and tried putting it
> > in the bin folder and restarted the Tomcat service. But there I get
> > another error message stating "FIPS was not available to tcnative at
> > build time".
> >
> > fips error.PNG
> >
> > There was a switch or parameter which is passed to build tcnative
> > along with FIPS. When I tried building tcnative with that parameter,
> > I get an error.
> > native error.PNG
> >
> > The command that I used for building tcnative is (one command line,
> > wrapped here for readability):
> >
> > nmake -f NMAKEMakefile BUILD_CPU=x64
> >   WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0"
> >   WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2"
> >   APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1
> >
> > Without the WITH_FIPS=1 parameter, tcnative is getting built
> > successfully.
> >
> > So these are the findings I have made. Is there any way to overcome this
> > issue?
> > Please let me know if there are any other options or ways to resolve
> > this error (to enable FIPS mode in Tomcat 9).
> >
> >
> > Thanks,
> >
> > Rupesh P.
> >
>
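For reference, here is an added example (not configuration posted by anyone in this thread) of a minimal Tomcat 9 server.xml wiring together the pieces the steps above refer to: the AprLifecycleListener that loads tcnative-1.dll from Tomcat's bin directory with FIPSMode set, and an HTTPS connector bound explicitly to the native OpenSSL TLS implementation. Two practitioner notes: the attribute name is case-sensitive and Tomcat documents it as FIPSMode, and with OpenSSL 3 the FIPS provider is activated through OpenSSL's own configuration (openssl.cnf including the fipsmodule.cnf produced by openssl fipsinstall) rather than by a FIPS_mode_set() call, which is why Tomcat's FIPSMode="require" (check that OpenSSL is already in FIPS mode) is the setting to consider once the provider is configured. Ports, certificate paths and host names below are placeholders.

```xml
<!-- Added example, not from the thread: minimal Tomcat 9 server.xml for the
     APR/OpenSSL setup described above. Paths, port and host are placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Loads tcnative-1.dll from Tomcat's bin directory and initialises OpenSSL.
       FIPSMode is case-sensitive. Documented values:
         "off"     - do nothing (default)
         "on"      - enter FIPS mode if not already in it; fail startup otherwise
         "enter"   - enter FIPS mode; fail if OpenSSL is already in it
         "require" - require that OpenSSL is already in FIPS mode
       With OpenSSL 3 the FIPS provider is enabled in openssl.cnf, so "require"
       is the mode that only verifies it is active. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on"
            FIPSMode="require" />

  <Service name="Catalina">
    <!-- HTTPS connector using the native (OpenSSL) TLS implementation.
         Http11AprProtocol uses OpenSSL by default; sslImplementationName
         makes the choice explicit and visible in the log at startup. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               maxThreads="150"
               scheme="https"
               secure="true">
      <!-- Restrict to TLS 1.2 and supply PEM key/cert; the cipher list is
           further constrained by the FIPS provider itself. -->
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeyFile="conf/server-key.pem"
                     certificateFile="conf/server-cert.pem"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

After startup, catalina.log is the place to confirm the outcome: the AprLifecycleListener logs the loaded tcnative/OpenSSL versions and either reports that FIPS mode was entered or emits errors like the "Failed to enter fips mode" and "FIPS was not available to tcnative at build time" messages quoted in this thread. The second of those indicates that the tcnative DLL itself was compiled without FIPS support, so no server.xml setting alone can turn it on; the DLL has to be rebuilt against a FIPS-capable OpenSSL first.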
