You can configure Parasoft License Server so that runs in a FIPS-compliant environment. Instructions for configuring the self-deployed License Server are included below; if you are using License Server on a custom Tomcat server, it is assumed that you have already configured it to run in a FIPS-compliant environment.

You will need to configure a self-deployed License Server distribution after a new install or an upgrade; the FIPS-related configuration does not persist after an upgrade. 

Prerequisites

You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/download/bouncy-castle-java-fips/:

• bc-fips-<VERSION>.jar (tested with version 2.0.0)
• bctls-fips-<VERSION>.jar (tested with version 2.0.20)
• bcutil-fips-<VERSION>.jar (tested with 2.0.3)

You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.

Configuring the Self-Deployed License Server Distribution

To configure the self-deployed License Server distribution to run in a FIPS-compliant environment:

1. Extract the contents of the installation package to any location. The <LS_INSTALL_DIR>/app directory includes the JRE, Tomcat, and scripts for starting and stopping the server.
2. Open the java.security file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and do the following:
   1. Comment out all existing properties named security.provider.<number>.

   2. Insert the following lines:
      

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN

   3. Also insert (or, if these properties already exist in the file, modify) the following lines:
      

      ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX

   4. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types:
      

      keystore.type=fips keystore.type.compat=false

   5. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:
      

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN

   6. Allow only FIPS-approved algorithms:
      

      org.bouncycastle.fips.approved_only=true

3. Save your changes.

4. Open the java.policy file in the <LS_INSTALL_DIR>/app/jre/conf/security/ directory and insert the following permissions into the default domain:
   

   permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

5. Save your changes.

6. Open the setVars.sh file in the <LS_INSTALL_DIR>/app/ directory and insert the BouncyCastle JAR files into the JAVA_OPTS environment variable:
   

   export JAVA_OPTS="$LSS_JAVA_OPTS --module-path=<BC_DIR> -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Ddtp.datadir=\"$LSS_DATADIR\""

   Remember to enter the <BC_DIR> as appropriate for your OS. For example, in Windows it might be --module-path="c:\FIPS"
7. Save your changes.

8. Open the context.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ and insert the following line:
   

   <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />

9. Save your changes.

10. (Optional) If you do not have a key pair and self-signed server certificate generated with FIPS-approved algorithms using Bouncy Castle, you can create a new keystore file of type "BCFKS" to host your server certificates using the following command:

    keytool -genkey -keyalg RSA -alias selfsigned -storetype BCFKS -keystore keystore.bcfks -storepass password -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

    Be sure that you: Use the keytool command for JRE from <LICENSE_SERVER>/app/jre/bin. If you are on Windows, run keytool.exe from PowerShell. Don't use the Command Prompt (cmd).

    
    

    • Key Parameters:

      • providerpath <BC_DIR>/bc-fips-<VERSION>.jar: Path to the latest Bouncy Castle FIPS provider JAR file, which you downloaded in the previous steps. Replace <BC_DIR> and <VERSION> with the actual values.

      • providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider: The provider class from your latest JAR file.

      • storetype BCFKS: Defines the keystore type as Bouncy Castle FIPS Key Store.

      • keystore keystore.bcfks: The name of the keystore file to be generated.

      • alias selfsigned: Sets the alias for the certificate to "selfsigned". Choose an alias that suits your needs.

      • storepass password: Sets the password for the keystore to "password". Choose a password that suits your needs.

      • providername BCFIPS: Uses the Bouncy Castle FIPS provider.

11. To configure the License Server Tomcat to use your FIPS-compliant key pair and certificate, open the server.xml file in the <LS_INSTALL_DIR>/app/tomcat/conf/ directory and add the following attributes to the <Connector> element:

    • certificateKeystoreProvider="BCFIPS"

    • certificateKeystoreType="BCFKS"

    • certificateKeystoreFile="conf/keystore.bcfks" (if necessary, change to the path to your FISP-compliant keystore)
      For example:
      

      <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreProvider="BCFIPS" certificateKeystoreType="BCFKS" certificateKeystoreFile="conf/keystore.bcfks" certificateKeyAlias="$ALIAS" certificateKeystorePassword="$PASSWORD" type="RSA" /> </SSLHostConfig> </Connector>

      Note: be sure to replace $ALIAS and $PASSWORD with your actual alias and password.
12. Save your changes.
13. Run the startLS script as an administrator to launch License Server. The application will run on the Tomcat server shipped in the installation package.
14. Open a browser and go to one of the following URLs to access the License Server interface:
    • http://<HOST>:8080/licenseserver 
    • https://<HOST>:8443/licenseserver 
15. Log into License Server using the default username and password (admin/admin). We recommend changing the default once you log in.