Comment: Published by Scroll Versions from space LSDEV and version 2024.1

...

You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/fipsdownload/bouncy-castle-java-fips/:

  • bc-fips-<VERSION>.jar (tested with version 1.0.2.45)
  • bctls-fips-<VERSION>.jar (tested with version 1.0.1719)

You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.

...

  1. Extract the contents of the installation package to any location. The <LS_INSTALL_DIR>/app directory includes the JRE, Tomcat, and scripts for starting and stopping the server.
  2. Open the java.security file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and do the following:
    1. Comment out all existing properties named security.provider.<number>.
    2. Insert the following lines:

      Code Block
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
    3. Also insert (or, if these properties already exist in the file, modify) the following lines:

      Code Block
      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
    4. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types:

      Code Block
      keystore.type=fips
      keystore.type.compat=false
    5. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      Code Block
      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
    6. Allow only FIPS-approved algorithms:

      Code Block
      org.bouncycastle.fips.approved_only=true
  3. Save your changes.
  4. Open the java.policy file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and insert the following permissions into the default domain:

    Code Block
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
  5. Save your changes.
  6. Open the setVars.sh file in the <LS_INSTALL_DIR>/app/ directory and add the directory containing the BouncyCastle JAR files to the module path in the JAVA_OPTS environment variable:

    Code Block
    export JAVA_OPTS="$LSS_JAVA_OPTS --module-path=<BC_DIR> -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Ddtp.datadir=\"$LSS_DATADIR\""
    Replace <BC_DIR> with the path appropriate for your OS. On Windows, for example, it might be --module-path="c:\FIPS".
  7. Save your changes.
  8. Open the context.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ directory and insert the following line:

    Code Block
    <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
  9. Save your changes.
  10. (Optional) If you do not already have a server certificate for Bouncy Castle, create a new keystore file of type "BCFKS" in which the server certificates will be stored. The following options must be included:

    • -storetype BCFKS
    • -providername BCFIPS
    • -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    • -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

      Example keytool command:

      Code Block
      keytool -genkey -keyalg RSA -alias selfsigned -storetype BCFKS -keystore keystore.bcfks -storepass password -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
  11. Open the server.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ directory and add the following attributes to the <Connector> element:

    • certificateKeystoreProvider="BCFIPS"
    • certificateKeystoreType="BCFKS"
    • certificateKeystoreFile="conf/keystore.bcfks"

      For example:

      Code Block
      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
          <Certificate certificateKeystoreProvider="BCFIPS"
                       certificateKeystoreType="BCFKS"
                       certificateKeystoreFile="conf/keystore.bcfks"
                       certificateKeyAlias="$ALIAS"
                       certificateKeystorePassword="$PASSWORD"
                       type="RSA" />
        </SSLHostConfig>
      </Connector>
      Note: be sure to replace $ALIAS and $PASSWORD with your actual alias and password.
  12. Save your changes.
  13. Run the startLS script as an administrator to launch License Server. The application will run on the Tomcat server shipped in the installation package.
  14. Open a browser and go to one of the following URLs to access the License Server interface:
    • http://<HOST>:8080/licenseserver
    • https://<HOST>:8443/licenseserver
  15. Log into License Server using the default username and password (admin/admin). We recommend changing the default once you log in.
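A pre-start check for the java.security edits in step 2, added here as an example (it is not part of the License Server package or of the BouncyCastle distribution): it parses the edited file, verifies the values the procedure requires, and flags a stale security.provider.<number> line that was left uncommented, which Java's last-wins property semantics would otherwise apply silently. The file path in the comment and the sample file contents are assumptions of this example.

```python
import re

REQUIRED = {  # values the procedure puts in <LS_INSTALL_DIR>/app/jre/conf/security/java.security
    "security.provider.1": "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider",
    "security.provider.2": "org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS",
    "security.provider.3": "SUN",
    "ssl.KeyManagerFactory.algorithm": "PKIX",
    "ssl.TrustManagerFactory.algorithm": "PKIX",
    "keystore.type": "fips",
    "keystore.type.compat": "false",
    "org.bouncycastle.fips.approved_only": "true",
}
PROVIDER_KEY = re.compile(r"security\.provider\.\d+")

def parse_properties(text):
    """Parse single-line java.security properties; returns (last-wins dict, active keys in order)."""
    props, seen = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"([^=:\s#!]+)\s*[=:]?\s*(.*)$", line)  # no match on blank or '#'/'!' comment lines
        if m:
            props[m.group(1)] = m.group(2).strip()
            seen.append(m.group(1))
    return props, seen

def check_java_security(text):
    """Return a list of findings; an empty list means the file matches the procedure."""
    props, seen = parse_properties(text)
    findings = [f"{k} is {props.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if props.get(k) != v]
    # A provider slot beyond 3 means an old security.provider.<n> line was not commented out.
    findings += [f"unexpected provider entry {k}={props[k]}"
                 for k in sorted(props) if PROVIDER_KEY.fullmatch(k) and k not in REQUIRED]
    # Java properties are last-wins: a stale duplicate silently overrides the inserted line.
    findings += [f"duplicate key {k}; the last occurrence wins"
                 for k in sorted(set(seen)) if PROVIDER_KEY.fullmatch(k) and seen.count(k) > 1]
    return findings

# Constructed sample: a stale 'security.provider.1=SUN' survived below the inserted block
# (so SUN, not BCFIPS, wins slot 1) and keystore.type was never changed to fips.
SAMPLE_BAD = """\
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.1=SUN
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=pkcs12
keystore.type.compat=false
org.bouncycastle.fips.approved_only=true
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("security.provider.1=SUN\n", "").replace("type=pkcs12", "type=fips")
```

Run check_java_security on the real file's contents before starting License Server; any non-empty result means a step 2 edit did not take effect.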