Posted to users@tomcat.apache.org by Nithesh Kb <ni...@gmail.com> on 2015/12/03 20:09:41 UTC

Tomcat FIPS with FIPS capable OpenSSL

Hi Tomcat Experts,
I'm trying to enable FIPS mode in Tomcat but I get this exception:

04-Dec-2015 00:00:34.787 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:00:34.791 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
    at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)

Steps that I have followed:
1. Built FIPS-capable OpenSSL


Thanks,
Nithesh

Re: Tomcat FIPS with FIPS capable OpenSSL

Posted by Nithesh Kb <ni...@gmail.com>.
Hi Chris,

I added this while installing tc native: --with-ssl=/usr/local/ssl/ and it
worked.
I have tried it on Linux; on Windows I'll try the same shortly.


Thanks,
Nithesh

On Fri, Dec 4, 2015 at 11:38 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Nithesh,
>
> On 12/3/15 2:36 PM, Nithesh Kb wrote:
> > Wow Amazing worked!!!
>
> Glad to hear it worked. What did you have to do?
>
> You never said, but do you happen to be on Windows?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
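
The fix reported in the message above was to build tc-native with --with-ssl=/usr/local/ssl/. As an added example (not part of the thread), this shell function reads `ldd` output for the tc-native library and reports whether libssl and libcrypto resolve under that prefix; the sample `ldd` lines are constructed and the library path in the usage comment is an assumption.

```shell
#!/bin/sh
# Classify where a tc-native build resolves OpenSSL, from `ldd` output on stdin.
# $1 is the FIPS-capable OpenSSL prefix (the thread used /usr/local/ssl/).
# Prints one word: ok | mismatch | unresolved | static
check_tcnative_openssl() {
    prefix=${1%/}/            # normalise to exactly one trailing slash
    awk -v prefix="$prefix" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen++
            if ($0 ~ /not found/) { missing++; next }
            # ldd format: <soname> => <resolved path> (<load address>)
            if (index($3, prefix) != 1) bad++
        }
        END {
            if (missing)   print "unresolved"  # loader cannot find the library
            else if (bad)  print "mismatch"    # resolved outside the prefix
            else if (seen) print "ok"          # every OpenSSL lib is under the prefix
            else           print "static"      # not listed: linked statically, ldd cannot tell
        }'
}

# Constructed ldd output (not from the thread): OpenSSL taken from the distro paths.
SAMPLE_SYSTEM='    libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f0000200000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000400000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000600000)'

# Constructed ldd output: OpenSSL resolved under the --with-ssl prefix.
SAMPLE_FIPS='    libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f0000200000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0000400000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0000600000)'

printf '%s\n' "$SAMPLE_SYSTEM" | check_tcnative_openssl /usr/local/ssl/
printf '%s\n' "$SAMPLE_FIPS"   | check_tcnative_openssl /usr/local/ssl/

# Real use (library location is an assumption; adjust to your install):
#   ldd /usr/local/apr/lib/libtcnative-1.so | check_tcnative_openssl /usr/local/ssl/
```

A "static" verdict means OpenSSL does not appear as a shared dependency, so the check has to be made at build time instead, for example by reviewing the tc-native configure output.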

Re: Tomcat FIPS with FIPS capable OpenSSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Nithesh,

On 12/3/15 2:36 PM, Nithesh Kb wrote:
> Wow Amazing worked!!!

Glad to hear it worked. What did you have to do?

You never said, but do you happen to be on Windows?

-chris


Re: Tomcat FIPS with FIPS capable OpenSSL

Posted by Nithesh Kb <ni...@gmail.com>.
Wow Amazing worked!!!

04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
04-Dec-2015 00:45:30.561 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:45:30.576 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
04-Dec-2015 00:45:30.577 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)
04-Dec-2015 00:45:30.935 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8080"]
04-Dec-2015 00:45:30.973 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-apr-8009"]
04-Dec-2015 00:45:30.976 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 2308 ms




Re: Tomcat FIPS with FIPS capable OpenSSL

Posted by Nithesh Kb <ni...@gmail.com>.
Hi Tomcat Experts,
I'm trying to enable FIPS mode in Tomcat but I get this exception:

04-Dec-2015 00:00:34.787 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:00:34.791 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
    at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)

Steps that I have followed:
1. Built FIPS-capable OpenSSL [https://www.openssl.org/docs/UserGuide-2.0.pdf]
2. Installed Tomcat APR and APR-util [http://stackoverflow.com/questions/34022646/how-to-make-tomcat-fips-mode-enabling]
3. Installed TC-native

Changes made in server.xml:

<Listener className="org.apache.catalina.core.AprLifecycleListener"
 SSLEngine="on" FIPSMode="on" />


	<Connector
        port="8080"
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        secure="false"
        SSLEnabled="false"
        scheme="http"
        URIEncoding="UTF-8"
        enableLookups="true"
        acceptCount="10"
        server="NA"/>

and the exception for this:

04-Dec-2015 00:00:34.725 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-2015 00:00:34.725 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
04-Dec-2015 00:00:34.787 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:00:34.791 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
    at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:329)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:135)

It works fine if I make FIPSMode="false".

Logs are attached.

Please help me with how to proceed on this.
Thanks in advance.
Thanks,
Nithesh
