Posted to users@tomcat.apache.org by Robert Hicks <ro...@gmail.com> on 2021/05/24 14:28:26 UTC

Re: Tomcat 9 and FIP-140 mode

Follow on question as we are in the weeds on this now.

OpenSSL is in FIPS mode. The JDK is in FIPS mode. I think Tomcat is as the
Listener has SSLEngine="on" and FIPSMODE="on" but I am still getting the
following errors:

failed to set property [FIPSMODE] to [on]

In reading around, does the connector for the Http11AprProtocol need to be
configured as well? It is currently commented out but the section on
"configure the server.xml" here leads me to believe it needs to be:

https://stackoverflow.com/questions/34022646/how-to-make-tomcat-fips-mode-enabling

--
Bob


On Mon, Aug 24, 2020 at 2:49 PM Robert Hicks <ro...@gmail.com> wrote:

>
>
> On Mon, Aug 24, 2020 at 12:48 PM Christopher Schultz <chris@christopherschultz.net> wrote:
>
>>
>> Robert,
>>
>> On 8/24/20 11:04, Robert Hicks wrote:
>> > Maybe it's just better to straight up ask. I've found a couple of
>> > Google searches but nothing for Tomcat 9 and the information seems
>> > sporadic, incomplete, or contradictory.
>> >
>> > How do you enable FIPS-140 for Tomcat 9 (using JDK 8)?
>>
>> The Sun/Oracle-provided crypto providers should already be FIPS-140
>> certified, as long as you use them in the proper configuration.
>>
>> There is nothing Tomcat-specific about enabling FIPS for the SunJCE
>> provider because it needs to be done at the JRE-level.
>>
>> This document is WebLogic-centric, but it shows how to enable FIPS-140
>> mode for the whole JVM and therefore isn't WebLogic-specific, either:
>>
>> https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm
>>
>> Tomcat includes code for ensuring that OpenSSL is in FIPS-mode when
>> that module is in use, but we don't do anything about the built-in
>> providers. Given the information in that document above, it looks like
>> it's possible to trigger a test to determine whether FIPS is indeed
>> active; perhaps Tomcat could initiate such a test as a sanity-check if
>> FIPS-mode is "required" (through some as-yet-determined configuration
>> option).
>>
>> - -chris
>>
>
> Thanks Chris!
>
> Bob
>
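An added server.xml example, not taken from the thread, showing the APR listener attribute as Tomcat 9 documents it (`FIPSMode`; Tomcat matches property names case-sensitively, so `FIPSMODE` is rejected with the "failed to set property" message quoted above) next to a connector that actually uses OpenSSL, since the listener only sets OpenSSL's mode. The port and certificate paths are placeholders.

```xml
<!-- Added example, not the thread's own configuration. Tomcat 9 server.xml
     fragments for running TLS through a FIPS-mode OpenSSL via tcnative. -->

<!-- Rejected at startup: the attribute name is in the wrong case, so the
     Digester logs "failed to set property [FIPSMODE] to [on]" and the
     setting is silently ignored. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" FIPSMODE="on" />

<!-- Accepted: documented values are off, on, enter and require.
     "on"      asks OpenSSL to enter FIPS mode (fine if already in it),
     "enter"   forces entry and errors if OpenSSL is already in FIPS mode,
     "require" errors unless OpenSSL is already in FIPS mode (a built-in
               sanity check for the "OpenSSL is already FIPS" case).
     SSLEngine must be "on" for any of these to apply. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" FIPSMode="require" />

<!-- The listener only configures OpenSSL; the TLS connector must use the
     OpenSSL engine for the FIPS setting to govern its handshakes. In the
     stock server.xml this connector is commented out. Placeholder port
     and PEM paths. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateFile="conf/localhost-rsa-cert.pem"
                     certificateKeyFile="conf/localhost-rsa-key.pem" />
    </SSLHostConfig>
</Connector>
```

This covers only the OpenSSL side that Tomcat controls; as the quoted reply notes, the JRE's own providers are put into FIPS mode at the JVM level, not in server.xml.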