...
- Extract the contents of the installation package to any location. The
<LS_INSTALL>/appdirectory includes the JRE, Tomcat, and scripts for starting and stopping the server. - Open the java.security file in the
<LS_INSTALL_DIR>/app/jre/conf/security/directory and do the following:- Comment out all existing properties named
security.provider.<number>. Insert the following lines:
Code Block security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN
Also insert (or, if these properties already exist in the file, modify) the following lines:
Code Block ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX
Change the default keystore type to
fipsand disable the compatibility mode for JKS and PKCS12 keystore types:Code Block keystore.type=fips keystore.type.compat=false
(Linux only) Add the
NativePRNGNonBlockingalgorithm to the list of known strong SecureRandom implementations:Code Block securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
Allow only FIPS-approved algorithms:
Code Block org.bouncycastle.fips.approved_only=true
- Comment out all existing properties named
- Save your changes.
Open the java.policy file in the
<LS_INSTALL_DIR>/app/jre/conf/security/directory and insert the following permissions into the default domain:Code Block permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabledtlsAlgorithmsEnabled";
- Save your changes.
Open the setVars.sh file in the
<LS_INSTALL_DIR>/app/directory and insert the BouncyCastle JAR files into the JAVA_OPTS environment variable:Code Block export JAVA_OPTS="$LSS_JAVA_OPTS --module-path=<BC_DIR> -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Ddtp.datadir=\"$LSS_DATADIR\""
- Save your changes.
Open the context.xml file in the
<LS_INSTALL_DIR>/app/tomcat/conf/and insert the following line:Code Block <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
- Save your changes.
Create a new keystore file of type "BCFKS" where server certificates will be hosted. The following options must be included:
-storetype BCFKS-providerName BCFIPS-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider-providerpath <BC_DIR>/bc-fips-<VERSION>.jarExample keytool command:
Code Block keytool -genkey -keyalg RSA -alias selfsigned -storetype BCFKS -keystore keystore.bcfks -storepass password -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
Open the server.xml file in the
<LS_INSTALL_DIR>/app/tomcat/conf/directory and add the following attributes to the<Connector>element:certificateKeystoreProvider="BCFIPS"certificateKeystoreType="BCFKS"certificateKeystoreFile="conf/keystore.bcfks"
For example:Code Block <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreProvider="BCFIPS" certificateKeystoreType="BCFKS" certificateKeystoreFile="conf/keystore.bcfks" certificateKeyAlias="$ALIAS" certificateKeystorePassword="$PASSWORD" type="RSA" /> </SSLHostConfig> </Connector>
- Save your changes.
- Run the startLS script as an administrator to launch License Server. The application will run on the Tomcat server shipped in the installation package.
- Open a browser and go to one of the following URLs to access the License Server interface:
http://<HOST>:8080/licenseserverhttps://<HOST>:8443/licenseserver
- Log into License Server using the default username and password (admin/admin
). We recommend changing the default once you log in.