You can configure Parasoft License Server to run in a FIPS-compliant environment. Instructions for configuring the self-deployed License Server are included below; if you are using License Server on a custom Tomcat server, it is assumed that you have already configured it to run in a FIPS-compliant environment.
You will need to configure a self-deployed License Server distribution after a new install or an upgrade; the FIPS-related configuration does not persist after an upgrade.
Prerequisites
You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/download/bouncy-castle-java-fips/:
- bc-fips-<VERSION>.jar (tested with version 1.0.2.5)
- bctls-fips-<VERSION>.jar (tested with version 1.0.19)
You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.
Configuring the Self-Deployed License Server Distribution
To configure the self-deployed License Server distribution to run in a FIPS-compliant environment:
- Extract the contents of the installation package to any location. The
<LS_INSTALL>/appdirectory includes the JRE, Tomcat, and scripts for starting and stopping the server. - Open the java.security file in the
<LS_INSTALL_DIR>/app/jre/conf/security/directory and do the following:- Comment out all existing properties named
security.provider.<number>. Insert the following lines:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN
Also insert (or, if these properties already exist in the file, modify) the following lines:
ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX
Change the default keystore type to
fipsand disable the compatibility mode for JKS and PKCS12 keystore types:keystore.type=fips keystore.type.compat=false
(Linux only) Add the
NativePRNGNonBlockingalgorithm to the list of known strong SecureRandom implementations:securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
Allow only FIPS-approved algorithms:
org.bouncycastle.fips.approved_only=true
- Comment out all existing properties named
- Save your changes.
Open the java.policy file in the
<LS_INSTALL_DIR>/app/jre/conf/security/directory and insert the following permissions into the default domain:permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
- Save your changes.
Open the setVars.sh file in the
<LS_INSTALL_DIR>/app/directory and insert the BouncyCastle JAR files into the JAVA_OPTS environment variable:Remember to enter the <BC_DIR> as appropriate for your OS. For example, in Windows it might beexport JAVA_OPTS="$LSS_JAVA_OPTS --module-path=<BC_DIR> -Dsun.jnu.encoding=UTF-8 -Dfile.encoding=UTF-8 -Ddtp.datadir=\"$LSS_DATADIR\""
--module-path="c:\FIPS"- Save your changes.
Open the context.xml file in the
<LS_INSTALL_DIR>/app/tomcat/conf/and insert the following line:<Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
- Save your changes.
(Optional) If you do not have a key pair and self-signed server certificate generated with FIPS-approved algorithms using Bouncy Castle, you can create a new keystore file of type "BCFKS" to host your server certificates using the following command:
keytool -genkey -keyalg RSA -alias selfsigned -storetype BCFKS -keystore keystore.bcfks -storepass password -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
Be sure that you:
- Use the keytool command for JRE from
<LICENSE_SERVER>/app/jre/bin. - If you are on Windows, run keytool.exe from PowerShell. Don't use the Command Prompt (cmd).
Key Parameters:
providerpath <BC_DIR>/bc-fips-<VERSION>.jar: Path to the latest Bouncy Castle FIPS provider JAR file, which you downloaded in the previous steps. Replace
<BC_DIR>and<VERSION>with the actual values.providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider: The provider class from your latest JAR file.
storetype BCFKS: Defines the keystore type as Bouncy Castle FIPS Key Store.
keystore keystore.bcfks: The name of the keystore file to be generated.
alias selfsigned: Sets the alias for the certificate to "selfsigned". Choose an alias that suits your needs.
storepass password: Sets the password for the keystore to "password". Choose a password that suits your needs.
providername BCFIPS: Uses the Bouncy Castle FIPS provider.
- Use the keytool command for JRE from
To configure the License Server Tomcat to use your FIPS-compliant key pair and certificate, open the server.xml file in the
<LS_INSTALL_DIR>/app/tomcat/conf/directory and add the following attributes to the<Connector>element:certificateKeystoreProvider="BCFIPS"certificateKeystoreType="BCFKS"certificateKeystoreFile="conf/keystore.bcfks"(if necessary, change to the path to your FISP-compliant keystore)
For example:Note: be sure to replace<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreProvider="BCFIPS" certificateKeystoreType="BCFKS" certificateKeystoreFile="conf/keystore.bcfks" certificateKeyAlias="$ALIAS" certificateKeystorePassword="$PASSWORD" type="RSA" /> </SSLHostConfig> </Connector>$ALIASand$PASSWORDwith your actual alias and password.
- Save your changes.
- Run the startLS script as an administrator to launch License Server. The application will run on the Tomcat server shipped in the installation package.
- Open a browser and go to one of the following URLs to access the License Server interface:
http://<HOST>:8080/licenseserverhttps://<HOST>:8443/licenseserver
- Log into License Server using the default username and password (admin/admin
). We recommend changing the default once you log in.
