You can configure SOAtest so that it is FIPS compliant. This documentation shows how to configure the SOAtest WAR deployment for FIPS compliance using the Bouncy Castle FIPS libraries. FIPS compliance can be configured using other methods, but testing was done using Bouncy Castle FIPS libraries. FIPS mode is only supported for the WAR deployment.
You should have already completed the instructions found on the Installing the Server page.
You will need to download the following Bouncy Castle FIPS libraries from https://www.bouncycastle.org/fips-java/:
You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.
Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance, and it must be passed on the JVM command line so that it is in effect before the Bouncy Castle provider is loaded:

-Dorg.bouncycastle.fips.approved_only=true
Open the java.security file in the <JAVA_HOME>/conf/security directory and make the following changes:

Set the list of security providers by commenting out all existing properties named security.provider.<number> and fips.provider.<number>, then inserting the following lines. The fips:BCFIPS argument tells the Bouncy Castle JSSE provider to perform all of its cryptography through the BCFIPS provider:

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
Change the key and trust manager factory algorithms for the javax.net.ssl package to PKIX:

ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
Change the default keystore type to fips and disable the compatibility mode for the JKS and PKCS12 keystore types:

keystore.type=fips
keystore.type.compat=false
(Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
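The java.security edits above, applied with a script instead of by hand so they can be replayed after a JDK upgrade. This is an added example, not part of the SOAtest documentation or the Bouncy Castle distribution. It assumes POSIX sh, awk, sed and grep; the file it edits in the demo is a constructed excerpt of a stock JDK java.security, and every path in it is hypothetical.

```shell
#!/bin/sh
# Added example, not from the SOAtest documentation: apply the java.security
# changes for Bouncy Castle FIPS with sed/awk. Assumes POSIX sh, awk, sed, grep.

# set_prop FILE KEY VALUE: rewrite the active (uncommented) KEY line, or append
# one if the key is absent or only present as a comment.
set_prop() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}=" "$file"; then
        sed "s|^[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$file.tmp"
    else
        cat "$file" > "$file.tmp"
        printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# set_providers FILE: comment out every security.provider.N / fips.provider.N
# line and insert the Bouncy Castle FIPS provider list directly after the last
# of them (or at the end of the file if there were none).
set_providers() {
    file=$1
    last=$(awk '/^[ \t]*(security|fips)\.provider\.[0-9]+=/ { n = NR } END { print n + 0 }' "$file")
    awk -v last="$last" '
        function emit() {
            print "security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
            print "security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS"
            print "security.provider.3=SUN"
        }
        /^[ \t]*(security|fips)\.provider\.[0-9]+=/ { $0 = "#" $0 }   # keep, commented
        { print }
        NR == last { emit() }
        END { if (last == 0) emit() }
    ' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# configure_java_security FILE [OS]: apply all of the java.security changes.
# The securerandom change is Linux only, so OS (default: uname -s) gates it.
configure_java_security() {
    file=$1; os=${2:-$(uname -s)}
    set_providers "$file"
    set_prop "$file" ssl.KeyManagerFactory.algorithm PKIX
    set_prop "$file" ssl.TrustManagerFactory.algorithm PKIX
    set_prop "$file" keystore.type fips
    set_prop "$file" keystore.type.compat false
    if [ "$os" = Linux ]; then
        set_prop "$file" securerandom.strongAlgorithms \
            NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
    fi
}

# write_sample FILE: constructed excerpt of a stock JDK java.security, used only
# to demonstrate the edits (a real file carries many more properties).
write_sample() {
    cat > "$1" <<'EOF'
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=pkcs12
keystore.type.compat=true
EOF
}

# Demo on the constructed sample. Against a real JDK run:
#   configure_java_security "$JAVA_HOME/conf/security/java.security"
if [ "${1:-}" = --demo ]; then
    tmp=$(mktemp -d)
    write_sample "$tmp/java.security"
    configure_java_security "$tmp/java.security" Linux
    cat "$tmp/java.security"
fi
```

Run it with --demo to see the rewritten sample; back up the real java.security before pointing the script at it, since the provider block is replaced in place and the commented-out originals are the only record of what was there.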
Open the java.policy file in the <JAVA_HOME>/conf/security directory and insert the following permissions into the default grant block (the grant entry without a codeBase). These entries are only consulted when the JVM runs with a security manager; they have no effect otherwise.

permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
Open the logging.properties file in the <JAVA_HOME>/conf directory and insert the following Bouncy Castle logger configuration:

org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
Create a new keystore file of type "BCFKS" where the server certificates will be hosted. The following options must be included:

Example keytool command (in approved-only mode the provider rejects RSA key generation below 2048 bits, so do not lower -keysize):

keytool -genkey -keyalg RSA -alias <ALIAS> -storetype BCFKS -keystore keystore.bcfks \
    -storepass <PASSWORD> -keysize 2048 \
    -providername BCFIPS \
    -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
Copy the keystore.bcfks file to the <TOMCAT_HOME>/conf directory.

Open the server.xml file in the <TOMCAT_HOME>/conf directory and add the following attributes to the <Certificate> element inside the <SSLHostConfig> of the HTTPS <Connector>:

certificateKeystoreProvider="BCFIPS"
certificateKeystoreType="BCFKS"
certificateKeystoreFile="conf/keystore.bcfks"

For example, where $ALIAS and $PASSWORD stand for the alias and password used when the keystore was created:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
  <SSLHostConfig>
    <Certificate certificateKeystoreProvider="BCFIPS"
                 certificateKeystoreType="BCFKS"
                 certificateKeystoreFile="conf/keystore.bcfks"
                 certificateKeyAlias="$ALIAS"
                 certificateKeystorePassword="$PASSWORD"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
Open the context.xml file in the <TOMCAT_HOME>/conf directory and insert the following line inside the <Context> element, so that session identifiers are generated by the BCFIPS SecureRandom:

<Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
Add the following Java option to your startup command (for example in CATALINA_OPTS), alongside the -Dorg.bouncycastle.fips.approved_only=true property from the first step, to point the JVM at the Bouncy Castle FIPS libraries:

--module-path=<BC_DIR>
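Once all of the steps above are done, the following script audits a JDK and Tomcat installation for the settings this page requires and reports each one that is missing. It is an added example, not code from the SOAtest documentation; the file locations (<JAVA_HOME>/conf/security, <TOMCAT_HOME>/conf) follow the page, the function names are the example's own, and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the SOAtest documentation: audit a JDK + Tomcat tree
# for the Bouncy Castle FIPS settings described on this page. Assumes POSIX sh,
# grep and sed. Every check prints a FAIL line for what is wrong and returns 1.

# prop FILE KEY: value of the first active (uncommented) KEY= line, else empty.
prop() {
    grep "^[[:space:]]*$2=" "$1" | head -n 1 | sed 's/^[^=]*=//'
}

# expect FILE KEY VALUE: compare the active value of KEY with VALUE.
expect() {
    actual=$(prop "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL $1: $2 is '${actual:-<unset>}', expected '$3'"
    return 1
}

check_java_security() {
    ok=0
    expect "$1" security.provider.1 org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider || ok=1
    expect "$1" security.provider.2 'org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS' || ok=1
    expect "$1" security.provider.3 SUN || ok=1
    expect "$1" ssl.KeyManagerFactory.algorithm PKIX || ok=1
    expect "$1" ssl.TrustManagerFactory.algorithm PKIX || ok=1
    expect "$1" keystore.type fips || ok=1
    expect "$1" keystore.type.compat false || ok=1
    # No stock or fips.provider entry may remain active beside the three above.
    n=$(grep -cE '^[[:space:]]*(security|fips)\.provider\.[0-9]+=' "$1" || true)
    [ "${n:-0}" -eq 3 ] || { echo "FAIL $1: $n active provider entries, expected 3"; ok=1; }
    return $ok
}

check_java_policy() {
    ok=0
    for perm in 'java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"' \
                'org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled"'; do
        grep -qF "permission $perm" "$1" || { echo "FAIL $1: missing permission $perm"; ok=1; }
    done
    return $ok
}

# check_tomcat TOMCAT_HOME: keystore attributes, session SecureRandom, keystore file.
check_tomcat() {
    ok=0
    s=$1/conf/server.xml; c=$1/conf/context.xml
    for attr in 'certificateKeystoreProvider="BCFIPS"' \
                'certificateKeystoreType="BCFKS"' \
                'certificateKeystoreFile="conf/keystore.bcfks"'; do
        grep -qF "$attr" "$s" || { echo "FAIL $s: missing $attr"; ok=1; }
    done
    grep -qF 'secureRandomProvider="BCFIPS"' "$c" \
        || { echo "FAIL $c: session Manager does not use the BCFIPS SecureRandom"; ok=1; }
    [ -f "$1/conf/keystore.bcfks" ] || { echo "FAIL: $1/conf/keystore.bcfks not found"; ok=1; }
    return $ok
}

# check_startup_opts "OPTS": the two JVM options that must be on the command line.
check_startup_opts() {
    ok=0
    case $1 in *-Dorg.bouncycastle.fips.approved_only=true*) ;;
        *) echo "FAIL: -Dorg.bouncycastle.fips.approved_only=true not in startup options"; ok=1 ;;
    esac
    case $1 in *--module-path=*) ;;
        *) echo "FAIL: --module-path=<BC_DIR> not in startup options"; ok=1 ;;
    esac
    return $ok
}

# audit JAVA_HOME TOMCAT_HOME "JVM OPTS": run every check; 0 only if all pass.
audit() {
    rc=0
    check_java_security "$1/conf/security/java.security" || rc=1
    check_java_policy "$1/conf/security/java.policy" || rc=1
    check_tomcat "$2" || rc=1
    check_startup_opts "$3" || rc=1
    [ $rc -eq 0 ] && echo "PASS: all FIPS configuration checks passed"
    return $rc
}

# Usage (hypothetical paths): sh fips_audit.sh /opt/jdk /opt/tomcat "$CATALINA_OPTS"
if [ $# -eq 3 ]; then
    audit "$1" "$2" "$3"
fi
```

The checks are textual, so they confirm the configuration files say what this page requires; they do not prove the running JVM is in approved-only mode. For that, start Tomcat and confirm that the HTTPS connector comes up with the BCFKS keystore and that catalina.out shows no provider errors.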