You can configure Parasoft License Server to be FIPS compliant. The instructions below cover the self-deployed License Server distribution; if you run License Server on your own Tomcat server, it is assumed that you have already configured that Tomcat instance to be FIPS compliant.

You will need to repeat this configuration for the self-deployed distribution after every new install or upgrade, because the FIPS-compliant configuration does not persist across an upgrade.

Prerequisites

You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/download/bouncy-castle-java-fips/:

  • bc-fips-<VERSION>.jar (tested with version 1.0.2.5)
  • bctls-fips-<VERSION>.jar (tested with version 1.0.19)

You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.

Configuring the Self-Deployed License Server Distribution

To configure the self-deployed License Server distribution to be FIPS compliant:

  1. Extract the contents of the installation package to any location. This location is referred to as <LS_INSTALL_DIR> below; its app directory includes the JRE, Tomcat, and scripts for starting and stopping the server.
  2. Open the java.security file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and do the following:
    1. Comment out all existing properties named security.provider.<number>, so that no non-FIPS provider remains active.
    2. Insert the following lines:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
    3. Also insert (or, if these properties already exist in the file, modify) the following lines:

      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
    4. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types:

      keystore.type=fips
      keystore.type.compat=false
    5. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
    6. Allow only FIPS-approved algorithms:

      org.bouncycastle.fips.approved_only=true
  3. Save your changes.
  4. Open the java.policy file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and insert the following permissions into the default domain:

    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
  5. Save your changes.
  6. Open the setVars.sh file in the <LS_INSTALL_DIR>/app/ directory and add the directory containing the BouncyCastle JAR files to the module path in the JAVA_OPTS environment variable:

    export JAVA_OPTS="$LSS_JAVA_OPTS --module-path=<BC_DIR> -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Ddtp.datadir=\"$LSS_DATADIR\""
    Remember to write <BC_DIR> in the path form appropriate for your OS; on Windows, for example, it might be --module-path="c:\FIPS".
  7. Save your changes.
  8. Open the context.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ directory and insert the following line inside the <Context> element, so that Tomcat generates session IDs with the BCFIPS SecureRandom:

    <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
  9. Save your changes.
  10. (Optional) If you do not already have a server certificate in a Bouncy Castle keystore, create a new keystore file of type "BCFKS" to hold the server certificate. The following keytool options must be included so that the keystore is created by the BCFIPS provider rather than the JDK's default provider:

    • -storetype BCFKS
    • -providername BCFIPS
    • -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    • -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

      Example keytool command (replace "password" with a real keystore password; -genkey is the legacy spelling of -genkeypair and both are accepted):

      keytool -genkey -keyalg RSA -alias selfsigned -storetype BCFKS -keystore keystore.bcfks -storepass password -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

      Place the resulting keystore.bcfks in <LS_INSTALL_DIR>/app/tomcat/conf/ so that the certificateKeystoreFile="conf/keystore.bcfks" path used in the next step resolves.
  11. Open the server.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ directory and add the following attributes to the <Certificate> element inside the <SSLHostConfig> of the HTTPS <Connector>:

    • certificateKeystoreProvider="BCFIPS"
    • certificateKeystoreType="BCFKS"
    • certificateKeystoreFile="conf/keystore.bcfks"

      For example:

      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
          <Certificate certificateKeystoreProvider="BCFIPS"
                       certificateKeystoreType="BCFKS"
                       certificateKeystoreFile="conf/keystore.bcfks"
                       certificateKeyAlias="$ALIAS"
                       certificateKeystorePassword="$PASSWORD"
                       type="RSA" />
        </SSLHostConfig>
      </Connector>

      Note: be sure to replace $ALIAS and $PASSWORD with the alias and password you used when creating the keystore.
  12. Save your changes.
  13. Run the startLS script as an administrator to launch License Server. The application will run on the Tomcat server shipped in the installation package.
  14. Open a browser and go to one of the following URLs to access the License Server interface (only the HTTPS URL is served over the FIPS-configured TLS connector from step 11):
    • http://<HOST>:8080/licenseserver
    • https://<HOST>:8443/licenseserver
  15. Log in to License Server using the default username and password (admin/admin). We recommend changing the default password as soon as you have logged in.
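Because the java.security edits in step 2 have to be redone after every upgrade, it helps to script them. The following is an added example, not part of the Parasoft documentation or product: a POSIX sh function that applies the step 2 edits to a java.security file (commenting out the stock security.provider.N lines and appending the FIPS settings, with the Linux-only SecureRandom line added when the OS name is Linux), plus a check that the active provider chain and the other settings are exactly what step 2 requires. It assumes a stock JDK-style java.security layout (one security.provider.N=... line per provider) and standard sed/grep; the demo at the end runs on a constructed stand-in file, not a real JDK file.

```shell
#!/bin/sh
# Added example (not from the Parasoft License Server documentation): apply the
# step 2 java.security edits to a file and verify the result, so they can be
# reapplied after an upgrade. Assumes a stock JDK-style java.security layout.

# Usage: fips_patch_java_security <path-to-java.security> [os-name]
#   os-name defaults to `uname -s`; "Linux" adds the NativePRNGNonBlocking entry.
fips_patch_java_security() {
  js_file="$1"
  js_os="${2:-$(uname -s)}"
  js_tmp="$js_file.fips.tmp"
  # Step 2.1: comment out every active security.provider.<N> line.
  # Steps 2.3-2.6: delete existing copies of the keys appended below, so the
  # appended values are the only active ones; this also makes a second run
  # (after an upgrade restores the stock file) produce the same result.
  sed -e 's/^\(security\.provider\.[0-9][0-9]*=.*\)$/#\1/' \
      -e '/^ssl\.KeyManagerFactory\.algorithm=/d' \
      -e '/^ssl\.TrustManagerFactory\.algorithm=/d' \
      -e '/^keystore\.type=/d' \
      -e '/^keystore\.type\.compat=/d' \
      -e '/^securerandom\.strongAlgorithms=/d' \
      -e '/^org\.bouncycastle\.fips\.approved_only=/d' \
      -e '/^# --- FIPS configuration/d' \
      "$js_file" > "$js_tmp"
  # Steps 2.2, 2.3, 2.4 and 2.6: the FIPS provider chain and remaining settings.
  cat >> "$js_tmp" <<'EOF'
# --- FIPS configuration (Bouncy Castle FIPS provider) ---
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=fips
keystore.type.compat=false
org.bouncycastle.fips.approved_only=true
EOF
  # Step 2.5 (Linux only): NativePRNGNonBlocking as a strong SecureRandom source.
  if [ "$js_os" = "Linux" ]; then
    echo 'securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN' >> "$js_tmp"
  fi
  mv "$js_tmp" "$js_file"
}

# Returns 0 only if the active provider chain is exactly BCFIPS, BCJSSE
# (fips:BCFIPS), SUN, in that order, and each other step 2 setting appears
# exactly once as an active (uncommented) line.
fips_check_java_security() {
  js_file="$1"
  js_actual=$(grep -E '^security\.provider\.[0-9]+=' "$js_file" \
              | sed -e 's/^security\.provider\.[0-9]*=//' | tr '\n' '|')
  js_expected='org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider|org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS|SUN|'
  [ "$js_actual" = "$js_expected" ] || return 1
  for js_key in 'ssl.KeyManagerFactory.algorithm=PKIX' \
                'ssl.TrustManagerFactory.algorithm=PKIX' \
                'keystore.type=fips' \
                'keystore.type.compat=false' \
                'org.bouncycastle.fips.approved_only=true'; do
    [ "$(grep -cxF -- "$js_key" "$js_file")" -eq 1 ] || return 1
  done
  return 0
}

# Demo on a constructed stand-in for a stock java.security (not a real JDK file).
fips_demo() {
  js_dir=$(mktemp -d)
  cat > "$js_dir/java.security" <<'EOF'
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
keystore.type=pkcs12
keystore.type.compat=true
securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
EOF
  fips_patch_java_security "$js_dir/java.security" Linux
  fips_check_java_security "$js_dir/java.security" && echo "java.security: FIPS settings verified"
  rm -rf "$js_dir"
}
fips_demo
```

To use it on a real installation, run fips_patch_java_security against <LS_INSTALL_DIR>/app/jre/conf/security/java.security after each upgrade and then fips_check_java_security on the same file; a non-zero exit from the check means a stock provider is still active or one of the step 2 keys is missing or duplicated. The check only covers step 2; the java.policy, setVars.sh, context.xml and server.xml edits still have to be reapplied and reviewed by hand.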