You can configure Parasoft License Server so that it is FIPS compliant. Instructions for configuring the self-deployed License Server are included below; if you are using License Server on a custom Tomcat server, it is assumed that you have already configured it to be FIPS compliant.

You will need to repeat this configuration for a self-deployed License Server distribution after a new install or an upgrade, because the FIPS-compliant configuration does not persist across upgrades.

Prerequisites

You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/fips-java/:

  • bc-fips-<VERSION>.jar (tested with version 1.0.2.4)
  • bctls-fips-<VERSION>.jar (tested with version 1.0.17)

You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.

Configuring the Self-Deployed License Server Distribution

To configure the self-deployed License Server distribution to be FIPS compliant:

  1. Extract the contents of the installation package to any location. The <LS_INSTALL_DIR>/app directory includes the JRE, Tomcat, and scripts for starting and stopping the server.
  2. Open the java.security file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and do the following:
    1. Comment out all existing properties named security.provider.<number>.
    2. Insert the following lines:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
    3. Also insert (or, if these properties already exist in the file, modify) the following lines:

      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
    4. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types:

      keystore.type=fips
      keystore.type.compat=false
    5. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
    6. Allow only FIPS-approved algorithms:

      org.bouncycastle.fips.approved_only=true
  3. Save your changes.
  4. Open the java.policy file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and insert the following permissions into the default domain:

    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
  5. Save your changes.
  6. Open the setVars.sh file in the <LS_INSTALL_DIR>/app/ directory and insert the BouncyCastle JAR files into the JAVA_OPTS environment variable:

    export JAVA_OPTS="$LSS_JAVA_OPTS --module-path=<BC_DIR> -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Ddtp.datadir=\"$LSS_DATADIR\""
  7. Save your changes.
  8. Open the context.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ directory and insert the following line:

    <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
  9. Save your changes.
  10. Create a new keystore file of type "BCFKS" where server certificates will be hosted. The following options must be included:

    • -storetype BCFKS
    • -providername BCFIPS
    • -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    • -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

      Example keytool command:

      keytool -genkey -keyalg RSA -alias selfsigned -storetype BCFKS -keystore keystore.bcfks -storepass password -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
  11. Open the server.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ directory and add the following attributes to the <Connector> element:

    • certificateKeystoreProvider="BCFIPS"
    • certificateKeystoreType="BCFKS"
    • certificateKeystoreFile="conf/keystore.bcfks"
      For example:

      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
          <Certificate certificateKeystoreProvider="BCFIPS"
                       certificateKeystoreType="BCFKS"
                       certificateKeystoreFile="conf/keystore.bcfks"
                       certificateKeyAlias="$ALIAS"
                       certificateKeystorePassword="$PASSWORD"
                       type="RSA" />
        </SSLHostConfig>
      </Connector>
  12. Save your changes.
  13. Run the startLS script as an administrator to launch License Server. The application will run on the Tomcat server shipped in the installation package.
  14. Open a browser and go to one of the following URLs to access the License Server interface:
    • http://<HOST>:8080/licenseserver
    • https://<HOST>:8443/licenseserver
  15. Log into License Server using the default username and password (admin/admin). We recommend changing the default once you log in.
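Because the java.security edits in step 2 do not survive an upgrade, it is worth keeping a check that can be re-run against the file afterwards. The script below is an added example, not Parasoft's own tooling: it verifies every property from step 2 and flags any security.provider slot beyond the three BCFIPS-first entries that is still active; the sample file it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example, not Parasoft's own tooling: audit a java.security file for the
# settings from step 2 above, so the check can be re-run after every upgrade.

# Value of the last active (uncommented) definition of property $2 in file $1.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Returns 0 when every expected property is set and no stale security.provider.N
# entry (one an upgrade may have restored) remains active; reports each problem.
check_java_security() {
    rc=0
    for kv in \
        'security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider' \
        'security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS' \
        'security.provider.3=SUN' \
        'ssl.KeyManagerFactory.algorithm=PKIX' \
        'ssl.TrustManagerFactory.algorithm=PKIX' \
        'keystore.type=fips' \
        'keystore.type.compat=false' \
        'org.bouncycastle.fips.approved_only=true'
    do
        key=${kv%%=*}; want=${kv#*=}; got=$(prop_value "$1" "$key")
        [ "$got" = "$want" ] || { echo "BAD: $key='$got' (expected '$want')"; rc=1; }
    done
    # Any active provider slot other than 1-3 would add a non-FIPS provider to the chain.
    extra=$(sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*=.*/\1/p' "$1" \
            | grep -v -E '^[123]$' || true)
    [ -z "$extra" ] || { echo "BAD: stale security.provider slots active: $extra"; rc=1; }
    return $rc
}

# Constructed sample of a correctly edited file (the old providers commented out).
write_sample() {
    cat > "$1" <<'EOF'
#security.provider.1=SUN
#security.provider.2=SunRsaSign
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=fips
keystore.type.compat=false
org.bouncycastle.fips.approved_only=true
EOF
}
```

Run it as `check_java_security <LS_INSTALL_DIR>/app/jre/conf/security/java.security`; a non-zero exit with BAD lines means the step 2 edits need to be reapplied.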