You can configure SOAtest so that it is FIPS compliant. This documentation shows how to configure the SOAtest WAR deployment for FIPS compliance using the Bouncy Castle FIPS libraries. FIPS compliance can be configured using other methods, but testing was done using Bouncy Castle FIPS libraries. FIPS mode is only supported for the WAR deployment.

In this section:

Prerequisites

You should have already completed the instructions found on the Installing the Server page.

You will need to download the following Bouncy Castle FIPS libraries from https://www.bouncycastle.org/fips-java/:

  • bc-fips-<VERSION>.jar
  • bctls-fips-<VERSION>.jar

You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.

Configuring FIPS Mode

  1. Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance.

    -Dorg.bouncycastle.fips.approved_only=true
  2. Open the java.security file in the <JAVA_HOME>/conf/security directory and make the following changes: 

    1. Set the list of security providers by commenting out all existing properties named security.provider.<number> and fips.provider.<number>, then inserting the following lines:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
    2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
    3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      keystore.type=fips
      keystore.type.compat=false
    4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
  3. Save your changes.
  4. Open the java.policy file in the <JAVA_HOME>/conf/security directory and insert the following permissions into the default domain:

    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabled";
  5. Save your changes.
  6. Open the logging.properties file in the <JAVA_HOME>/conf directory and insert the following Bouncy Castle logger configuration:

    org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
    org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
  7. Create a new keystore file of type "BCFKS" where server certificates will be hosted. The following options must be included:

    • -storetype BCFKS
    • -providerName BCFIPS
    • -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    • -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

      Example keytool command:

      keytool -genkey -keyalg RSA -alias <ALIAS> -storetype BCFKS -keystore keystore.bcfks -storepass <PASSWORD> -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
  8. Copy the keystore.bcfks file to <TOMCAT_HOME>/conf.
  9. Open the server.xml file in the <TOMCAT_HOME>/conf directory and add the following attributes to the <Connector> element:

    • certificateKeystoreProvider="BCFIPS"
    • certificateKeystoreType="BCFKS"

    • certificateKeystoreFile="conf/keystore.bcfks"
      For example:

          <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                     maxThreads="150" SSLEnabled="true"
                     maxParameterCount="1000"
                     >
              <SSLHostConfig>
                <Certificate certificateKeystoreProvider="BCFIPS"
                             certificateKeystoreType="BCFKS"
                             certificateKeystoreFile="conf/keystore.bcfks"
                             certificateKeyAlias="$ALIAS"
                             certificateKeystorePassword="$PASSWORD"
                             type="RSA" />
               </SSLHostConfig>
          </Connector>
  10. Open the context.xml file in the <TOMCAT_HOME>/conf and insert the following line:

    <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
  11. Save your changes.
  12. Add the following Java option to your startup command to point to the Bouncy Castle FIPS libraries:

    --module-path=<BC_DIR>
  • No labels