...
| Table of Contents | ||
|---|---|---|
|
Prerequisites
You should have already completed the instructions found on the Installing Virtualize Server page.
You will need to download the following Bouncy Castle FIPS libraries from https://www.bouncycastle.org/fips-java/:
...
Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance.
Code Block -Dorg.bouncycastle.fips.approved_only=true
Open the java.security file in the
<JAVA_HOME>/conf/securitydirectory and make the following changes:Set the list of security providers by commenting out all existing properties named
security.provider.<number>andfips.provider.<number>, then inserting the following lines:Code Block security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN
Change key and trust manager factory algorithms for the
javax.net.sslpackage to PKIX.Code Block ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX
Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.
Code Block keystore.type=fips keystore.type.compat=false
(Linux only) Add the
NativePRNGNonBlockingalgorithm to the list of known strong SecureRandom implementations:Code Block securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
- Save your changes.
Open the java.policy file in the
<JAVA_HOME>/conf/securitydirectory and insert the following permissions into the default domain:Code Block permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabled";
- Save your changes.
Open the logging.properties file in the
<JAVA_HOME>/confdirectory and insert the following Bouncy Castle logger configuration:Code Block org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
Create a new keystore file of type "BCFKS" where server certificates will be hosted. The following options must be included:
- -storetype BCFKS
- -providerName BCFIPS
- -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
- -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
Example keytool command:
Code Block keytool -genkey -keyalg RSA -alias <ALIAS> -storetype BCFKS -keystore keystore.bcfks -storepass <PASSWORD> -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
- Copy the keystore.bcfks file to
<TOMCAT_HOME>/conf. Open the server.xml file in the
<INSTALL<TOMCAT_DIR>/appHOME>/tomcat/conf/directory directory and add the following attributes to the<Connector>element:- certificateKeystoreProvider="BCFIPS"
certificateKeystoreType="BCFKS"
certificateKeystoreFile="conf/keystore.bcfks"
For example:Code Block <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000" > <SSLHostConfig> <Certificate certificateKeystoreProvider="BCFIPS" certificateKeystoreType="BCFKS" certificateKeystoreFile="conf/keystore.bcfks" certificateKeyAlias="$ALIAS" certificateKeystorePassword="$PASSWORD" type="RSA" /> </SSLHostConfig> </Connector>
Open the context.xml file in the
<TOMCAT_HOME>/confand insert the following line:Code Block <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
- Save your changes.
Add the following Java option to your startup command to point to the Bouncy Castle FIPS libraries:
Save your changes.Code Block --module-path=<BC_DIR>