Tags: tomcat, openssl, tomcat7, fips

How to enable Tomcat FIPS mode


I have added this in server.xml to enable Tomcat FIPSMode:

 <Listener className="org.apache.catalina.core.AprLifecycleListener"
           SSLEngine="on" FIPSMode="on" />

But after that the logs show:

Dec 01, 2015 3:28:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)

When I check the Tomcat 7 docs for FIPSMode, they ask us to build an OpenSSL library:

FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. If this attribute is set to any of the above values, the SSLEngine must be enabled as well.

So, now the question is: how to create an OpenSSL library for Tomcat FIPS, and how to integrate it with Tomcat?

Please share the steps or documentation to achieve this.

Please check this new exception #1

Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Initializing FIPS mode...
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
    at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:333)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:138)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

openssl version

OpenSSL 1.0.1p-fips 9 Jul 2015

Please check the new exception #2:

03-Dec-2015 22:46:24.577 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.0.29
03-Dec-2015 22:46:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Nov 20 2015 09:18:00 UTC
03-Dec-2015 22:46:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.0.29.0
03-Dec-2015 22:46:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
03-Dec-2015 22:46:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            2.6.32-131.0.15.el6.x86_64
03-Dec-2015 22:46:24.584 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
03-Dec-2015 22:46:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /java/jdk1.7.0_80/jre
03-Dec-2015 22:46:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.7.0_80-b15
03-Dec-2015 22:46:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
03-Dec-2015 22:46:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/tomcat/apache-tomcat-8.0.29/conf/logging.properties
03-Dec-2015 22:46:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
03-Dec-2015 22:46:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/tomcat/apache-tomcat-8.0.29/endorsed
03-Dec-2015 22:46:24.589 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/tomcat/apache-tomcat-8.0.29/temp
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
03-Dec-2015 22:46:24.591 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
03-Dec-2015 22:46:24.657 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
03-Dec-2015 22:46:24.691 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
    at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:329)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:135)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)

Finally worked!!

04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
04-Dec-2015 00:45:30.561 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:45:30.576 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
04-Dec-2015 00:45:30.577 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)
04-Dec-2015 00:45:30.935 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8080"]
04-Dec-2015 00:45:30.973 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-apr-8009"]
04-Dec-2015 00:45:30.976 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 2308 ms
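
The error in exceptions #1 and #2, error:2D06C06E ... fingerprint does not match, is raised by OpenSSL itself, not by Tomcat: libcrypto's FIPS object module carries an HMAC of its own code that fipsld embedded at link time, and FIPS_mode_set(1) refuses to proceed when the code in memory no longer matches it. In practice that means either libcrypto was modified after it was linked (stripped, prelinked, or relinked without fipsld), or libtcnative is resolving a different libcrypto at run time than the one it was built against. The script below is an added diagnostic, not code from the original question or from the answer that follows; it decodes the error code from a constructed log line in the shape of the one above, and with --live inspects the real installation. The library path in TCNATIVE and the openssl binary in OPENSSL_BIN are assumptions to adjust.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post: narrows down
# "error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match".
# Assumed paths (override via environment): TCNATIVE is the libtcnative-1.so
# that Tomcat loads; OPENSSL_BIN is the openssl binary of the FIPS-capable
# build that tcnative was linked against.
TCNATIVE="${TCNATIVE:-/usr/lib/libtcnative-1.so}"
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# OpenSSL 1.0.x packs an error code as (library << 24) | (function << 12) | reason.
# 2D06C06E -> library 45 (FIPS routines), function 108 (FIPS_mode_set),
# reason 110 (fingerprint does not match): the HMAC over the FIPS object module
# that fipsld embedded in libcrypto no longer matches the code in memory.
decode_openssl_error() {
    code=$(( 0x$1 ))
    lib=$(( code >> 24 ))
    func=$(( (code >> 12) & 4095 ))
    reason=$(( code & 4095 ))
    printf '%s %s %s\n' "$lib" "$func" "$reason"
}

# Pull the error:XXXXXXXX token out of a catalina.out line and decode it.
explain_log_line() {
    hex=$(printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p')
    if [ -z "$hex" ]; then
        echo "no OpenSSL error code in line" >&2
        return 1
    fi
    decode_openssl_error "$hex"
}

# Which libcrypto does tcnative resolve at run time? It must be the FIPS-capable
# build it was configured with (--with-ssl=...). If ld.so picks the distribution's
# libcrypto instead, the fingerprint check fails or there is no FIPS module at all.
show_tcnative_libcrypto() {
    if [ ! -f "$TCNATIVE" ]; then
        echo "tcnative not found at $TCNATIVE" >&2
        return 1
    fi
    ldd "$TCNATIVE" | grep -E 'libcrypto|libssl'
}

# Reproduce the FIPS_mode_set(1) call outside the JVM: with OPENSSL_FIPS set, the
# openssl command-line tool enters FIPS mode at startup. A healthy build then refuses
# MD5 ("Error setting digest md5") but still hashes with SHA-256; a damaged libcrypto
# (stripped, prelinked, or relinked without fipsld) prints the same fingerprint error
# that Tomcat logs. On RHEL/CentOS, "prelink -u <lib>" undoes prelinking.
probe_fips_cli() {
    if ! command -v "$OPENSSL_BIN" >/dev/null 2>&1; then
        echo "no $OPENSSL_BIN in PATH" >&2
        return 1
    fi
    "$OPENSSL_BIN" version
    if out=$(OPENSSL_FIPS=1 "$OPENSSL_BIN" md5 /dev/null 2>&1); then
        echo "WARNING: MD5 accepted, so FIPS mode is not in effect for this openssl" >&2
        return 1
    fi
    printf '%s\n' "$out"
    OPENSSL_FIPS=1 "$OPENSSL_BIN" sha256 /dev/null
}

# Constructed sample line in the shape of the post's log; decoded on every run.
# Pass --live to also inspect the real tcnative library and openssl binary.
SAMPLE='java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match'
explain_log_line "$SAMPLE"
if [ "${1:-}" = "--live" ]; then
    show_tcnative_libcrypto
    probe_fips_cli
fi
```

If the --live probe shows the fingerprint error from the openssl binary too, the problem is in the library build and no Tomcat setting will fix it; if the CLI enters FIPS mode cleanly but Tomcat does not, compare the libcrypto path printed by ldd with the one the openssl binary uses.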

Solution

  • You need to configure Tomcat to work with APR connectors; here are the steps (I did it on CentOS 6):

    Install gcc

    yum install gcc 
    

    Install latest APR

    wget http://apache.spd.co.il//apr/apr-1.5.1.tar.gz
    tar -zxvf apr-1.5.1.tar.gz
    cd apr-1.5.1/
    ./configure
    make
    make install
    

    Install latest APR-util

    wget http://apache.spd.co.il/apr/apr-util-1.5.3.tar.gz
    tar -zxvf apr-util-1.5.3.tar.gz
    cd apr-util-1.5.3
    ./configure --with-apr=/usr/local/apr
    make
    make install
    

    Configure OpenSSL

    Check installed version by executing:

    openssl version
    

    Example output: OpenSSL 1.0.1h-fips 5 Jun 2014

    Note that the installed version is compiled in FIPS mode; google for manuals on how to do so. Copy the corresponding source version files from the OpenSSL site to your machine at /var/tmp/openssl-1.0.1h

    JDK

    In order to build Tomcat's JNI wrapper, ensure that a JDK is available (copy it to the machine; note that the JDK version must be the same as the installed JRE).

    Install JNI Wrapper for APR used by Tomcat (libtcnative)

    cd $CATALINA_HOME/bin
    tar -zxvf tomcat-native.tar.gz
    cd tomcat-native/jni/native
    ./configure --with-apr=/usr/local/apr --with-java-home=$JDK_HOME --prefix=/usr --with-ssl=/var/tmp/openssl-1.0.1h/build/lnx/devel/x86_64
    make
    make install
    

    Configure your CA

    Edit the copied openssl.cnf file, setting the dir property under the CA_default section.

    #!/bin/bash
    # Abort on the first failing command so a broken step does not leave a half-built CA
    set -e
    
    # Configuring your CA
    mkdir -p /var/tmp/myCA/certs
    mkdir -p /var/tmp/myCA/csr
    mkdir -p /var/tmp/myCA/newcerts
    mkdir -p /var/tmp/myCA/private
    # The keys below are stored without a passphrase, so keep the directory private
    chmod 700 /var/tmp/myCA/private
    cp /etc/pki/tls/openssl.cnf /var/tmp/myCA/.
    cd /var/tmp/myCA
    echo 00 > serial
    echo 00 > crlnumber
    touch index.txt
    
    # Create CA private key
    openssl genrsa -aes128 -passout pass:qwerty -out private/rootCA.key 2048
    
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key
    
    # Create CA self-signed certificate
    openssl req -config openssl.cnf -new -x509 -subj '/C=IL/L=Tel-Aviv/CN=www.imperva.com' -days 365 -key private/rootCA.key -out certs/rootCA.crt
    
    # Create an SSL server certificate
    # Create private key for the mx server
    openssl genrsa -aes128 -passout pass:qwerty -out private/mx.key 2048
    
    # Remove passphrase
    openssl rsa -passin pass:qwerty -in private/mx.key -out private/mx.key
    
    # Create CSR (Certificate Signing Request) for the mx server
    openssl req -config openssl.cnf -new -subj '/C=IL/L=Tel-Aviv/CN=mx' -key private/mx.key -out csr/mx.csr
    
    # Create certificate for the mx server, signed by the CA
    openssl ca -batch -config openssl.cnf -days 365 -in csr/mx.csr -out certs/mx.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
    
    

    Configure Tomcat

    Edit server.xml to use Http11AprProtocol protocol:

    <!-- minProcessors, maxProcessors, allowChunking and interface are not Connector
         attributes in Tomcat 7/8 (startup logs "did not find a matching property");
         maxThreads is the current thread-pool setting. -->
    <Connector
            port="8080"
            protocol="org.apache.coyote.http11.Http11AprProtocol"
            secure="false"
            SSLEnabled="false"
            scheme="http"
            URIEncoding="UTF-8"
            maxThreads="150"
            enableLookups="true"
            acceptCount="10"
            server="NA"/>
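
The connector in the answer is plain HTTP, so the FIPS-mode OpenSSL never actually terminates a TLS connection. The server.xml below is an added example, not the answer's own configuration: it combines the FIPSMode listener from the question with an HTTPS APR connector serving the mx certificate that the CA script generates. Assumed: the file paths under /var/tmp/myCA from that script, port 8443, the SSL* attribute names of the Tomcat 7 / 8.0 APR connector with tcnative 1.1.x, and a cipher list of my choosing.

```xml
<!-- Added example (not the answer's own configuration): FIPS listener plus an
     HTTPS APR connector for the certificate produced by the CA script.
     Assumed: cert/key paths under /var/tmp/myCA, port 8443, Tomcat 7 / 8.0
     APR connector attribute names with tcnative 1.1.x. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Must be declared before the connectors are initialised. "on" calls
       FIPS_mode_set(1) and startup fails hard if the library cannot enter
       FIPS mode, which is the "Failed to enter FIPS mode" error above. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" />

  <Service name="Catalina">

    <!-- Plain HTTP as in the answer; requests for secured content are
         redirected to the HTTPS port. -->
    <Connector port="8080"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               redirectPort="8443" />

    <!-- TLS terminated by tcnative/OpenSSL, so the FIPS module does the
         crypto. The CA script strips the passphrase from mx.key, so no
         SSLPassword is needed. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="150"
               SSLCertificateFile="/var/tmp/myCA/certs/mx.crt"
               SSLCertificateKeyFile="/var/tmp/myCA/private/mx.key"
               SSLCACertificateFile="/var/tmp/myCA/certs/rootCA.crt"
               SSLProtocol="TLSv1.2"
               SSLHonorCipherOrder="true"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

After startup, look for "Successfully entered FIPS mode" in catalina.out and then confirm the handshake with openssl s_client -connect localhost:8443 -tls1_2 -CAfile /var/tmp/myCA/certs/rootCA.crt, which should report Verify return code: 0 (ok). Two caveats: the cipher list must consist of suites the FIPS build accepts (openssl ciphers -v FIPS prints that set), and FIPS mode entered through tcnative only covers TLS on the APR connectors; Java code in the web application that uses the JDK's own JCE/JSSE providers is not affected by this setting.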