[Novalug] Tomcat/SSL/FIPS140-2 questions

Rob Sanders rarob@travelinglightfarm.net
Thu Jan 9 18:46:54 EST 2014


Evening everyone,
  I've banged my head on this all day yesterday and today and am crying uncle.  Can anyone confirm that Tomcat (6 or 7) can or cannot do SSL on a RHEL box configured to be in FIPS-140 mode?
  Here in brief is what I've done (with the latest version of both Tomcat 6 and 7):

  Stock RHEL6.3 or RHEL6.4 install - (SELinux permissive to avoid glitches there)
  yum install Java 7 devel environment 
  Bring base OS into FIPS140 mode by installing dracut-fips, disabling prelink (and undoing any prelinking), rebuild initrd using dracut -f, tweak /boot/grub/grub.conf with 'fips=1 boot=<bootpartition>'
  Reboot
  Verify /proc/sys/crypto/fips_enabled returns 1 
  yum install apr-devel and openssl-devel
  Download latest Tomcat release, untar
  set JAVA_HOME and TOMCAT_HOME vars, prepend JAVA_HOME/bin to path
  drop into created tomcat directory, then the bin directory, untar tomcat-native.tgz
  drop into created tomcat-native directory, then into jni/native
  ./configure --with-apr=`which apr-1-config` --with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$TOMCAT_HOME
  make && make install
  cd up one level to the 'jni' directory
  ant && ant jar && ant run-ssl-server

The 'ant run-ssl-server' command fails with a 'org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform' error.

I'm pretty sure the SSL provided by RedHat has the FIPS-140 parts enabled, as straight C code calling FIPS_selftest() seems to work just fine.

So either I did something wrong somewhere, or I've misunderstood about how to use tomcat with SSL/FIPS.  
I'm reasonably sure the tomcat native *build* is correct, in that if I repeat all the above steps *without* fips=1 on the grub line all works fine.

My use case is a web app running behind tomcat that must run on a system in FIPS-140 mode.  My normal app uses JSSE connectors in tomcat, but by default these connectors don't have large enough Diffie-Hellman bit lengths.

Can anyone tell me where I'm going wrong?  

-Rob
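A preflight script for the steps in the post above, as an added example that is not part of the original message: it checks the FIPS prerequisites those steps set up (kernel flag, grub kernel line, prelink) and whether the tcnative library that the build produces is actually linked against libssl. Each check takes an optional file path so it can be run against copies; the default paths, the MD5 probe and the libtcnative-1.so location under --prefix=$TOMCAT_HOME are assumptions.

```bash
#!/bin/bash
# Preflight for the FIPS-mode tcnative build above (added example, not from the post).
# Each check takes an optional path so it can run against a copy of the file;
# the defaults are the RHEL 6 locations the post uses.
# Kernel FIPS flag: /proc/sys/crypto/fips_enabled must read exactly "1".
fips_kernel_enabled() {
    local f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# An active (uncommented) kernel line in grub.conf must carry fips=1 and the
# boot=<partition> argument the post adds for a separate /boot.
grub_kernel_has_fips() {
    local f="${1:-/boot/grub/grub.conf}"
    grep -Eq '^[[:space:]]*kernel[[:space:]].*[[:space:]]fips=1([[:space:]]|$)' "$f" &&
    grep -Eq '^[[:space:]]*kernel[[:space:]].*[[:space:]]boot=[^[:space:]]+' "$f"
}

# Prelink must be off (PRELINKING=no); a missing config means prelink is not
# installed, which is also acceptable.
prelink_disabled() {
    local f="${1:-/etc/sysconfig/prelink}"
    [ ! -e "$f" ] || grep -Eq '^[[:space:]]*PRELINKING=no([[:space:]]|$)' "$f"
}

# Runtime probe: RHEL's OpenSSL in FIPS mode refuses MD5, so a successful
# MD5 digest means the library is not running in FIPS mode. 2 = cannot tell.
openssl_fips_active() {
    command -v openssl >/dev/null 2>&1 || return 2
    ! printf 'x' | openssl dgst -md5 >/dev/null 2>&1
}

# The built library must be linked against libssl, otherwise configure did not
# pick up OpenSSL despite --with-ssl=yes (location assumed from --prefix=$TOMCAT_HOME).
tcnative_links_ssl() {
    local lib="${1:-${TOMCAT_HOME:-/opt/tomcat}/lib/libtcnative-1.so}"
    [ -r "$lib" ] && ldd "$lib" 2>/dev/null | grep -q 'libssl'
}

# Run every check with default paths; exit non-zero if any fails.
preflight() {
    local rc=0 name
    for name in fips_kernel_enabled grub_kernel_has_fips prelink_disabled \
                openssl_fips_active tcnative_links_ssl; do
        if "$name"; then echo "PASS $name"; else echo "FAIL $name"; rc=1; fi
    done
    return "$rc"
}
case "${1:-}" in check) preflight ;; esac
```

Run it as `./preflight.sh check` on the FIPS box after the reboot step and again after `make install`; a FAIL on the first three checks means the OS side is not in the state the build needs, a FAIL on the last means the native library was built without OpenSSL.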
