tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: FIPS compliancy on Tomcat 7.00.062
Date Tue, 04 Aug 2015 09:07:08 GMT
On 04/08/2015 09:30, Nikitha Benny wrote:
> Hello All,
> 
> We are working on Tomcat 7.00.062 with java 1.08.045.
> We require to configure FIPS compliancy on the Tomcat.
> 
> We were successful in configuring FIPS compliancy on java 1.08.045.
> A keystore file has already been created for Tomcat.
> 
> When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
> runs fine on the http server, but fails to run on the https server port.
> 
> The java.security file is of JKS format.
> We tried converting from JKS to PKCS12 format, which gave us the below
> result:
> 
> [root]## keytool -importkeystore -srckeystore tomcat.keystore
> -destkeystore tomcatpkcs2.keystore
> Import command completed:  1 entries successfully imported, 0 entries
> failed or cancelled
> 
> [root]## keytool -v -list -storetype pkcs12 -keystore tomcatpkcs2.keystore
> keytool error: java.io.IOException: Error decoding PKCS 12 input.
> java.io.IOException: Error decoding PKCS 12 input.
>         at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
>         at java.security.KeyStore.load(KeyStore.java:1445)
>         at sun.security.tools.keytool.Main.doCommands(Main.java:792)
>         at sun.security.tools.keytool.Main.run(Main.java:340)
>         at sun.security.tools.keytool.Main.main(Main.java:333)
> 
> -------
> 
> Also we tried to create a new keystore file entirely of PKCS12 format,
> which resulted as below:
> 
> [root]## keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
> -validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView, O=Hewlett-Packard,
> L=Palo Alto, S=California, C=US" -keypass changeit -storepass changeit
> -keystore tomcatmypkcs12.kestore -storetype pkcs12
> 
> When we list the keystore file, it throws the below exception.
> It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
> compliant.

That looks like you are using an old version of keytool. The default
signature algorithm for an RSA key should be SHA256withRSA for Java 8.

Try explicitly specifying "-sigalg SHA256withRSA" when you generate the
key with keytool.

Mark


> 
> [root]## keytool -v -list -storetype pkcs12 -keystore
> tomcatmypkcs12.kestore
> Enter keystore password: (password given)
> keytool error: java.lang.SecurityException: Algorithm not allowable in
> FIPS140 mode: PBE/PKCS12/*SHA1*/RC2/CBC/40
> java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
> PBE/PKCS12*/SHA1*/RC2/CBC/40
>         at com.rsa.cryptoj.o.cc.c(Unknown Source)
>         at com.rsa.cryptoj.o.ci.c(Unknown Source)
>         at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
>         at com.rsa.cryptoj.o.dh.d(Unknown Source)
>         at com.rsa.cryptoj.o.gf.<init>(Unknown Source)
>         at com.rsa.cryptoj.o.gk.<init>(Unknown Source)
>         at com.rsa.cryptoj.o.gp.<init>(Unknown Source)
>         at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
>         at com.rsa.cryptoj.o.kg.a(Unknown Source)
>         at com.rsa.cryptoj.o.kg.a(Unknown Source)
>         at com.rsa.cryptoj.o.lp.a(Unknown Source)
>         at com.rsa.cryptoj.o.lp.b(Unknown Source)
>         at com.rsa.cryptoj.o.lp.a(Unknown Source)
>         at com.rsa.cryptoj.o.lp.a(Unknown Source)
>         at com.rsa.cryptoj.o.lp.a(Unknown Source)
>         at com.rsa.cryptoj.o.lp.a(Unknown Source)
>         at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
>         at java.security.KeyStore.load(KeyStore.java:1445)
>         at sun.security.tools.keytool.Main.doCommands(Main.java:889)
>         at sun.security.tools.keytool.Main.run(Main.java:340)
>         at sun.security.tools.keytool.Main.main(Main.java:333)
> 
> Is there a possibility where it can pick up SHA256?
> 
> Regards,
> Nikitha
> 

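The error quoted above names the PKCS#12 password-based encryption scheme the provider refused (SHA-1 KDF with 40-bit RC2-CBC), and Mark's suggestion concerns the certificate signature algorithm. Both are recorded in the keystore file as DER algorithm identifiers, so a regenerated keystore can be inspected on disk, before any FIPS-mode provider tries to load it, to see which algorithms it actually contains. The Python below is an added example written for this archive page, not code from the thread, from Tomcat, or from the RSA provider. It walks a DER-encoded keystore, collects every OID it finds (descending into the OCTET STRINGs in which PKCS#12 nests its inner structures, and treating non-DER octet strings such as ciphertext and salts as opaque), and reports the legacy PKCS#12 PBE schemes (RFC 7292 Appendix C) and SHA-1 RSA signatures. Which algorithms a particular FIPS provider accepts is that provider's decision; the flag list here is an assumption based on the error in the thread and on NIST SP 800-131A, and the sample bytes are constructed in the shape of a keystore fragment rather than taken from a real file.

```python
"""Inspect a DER keystore (e.g. PKCS#12) for algorithm OIDs that a FIPS 140
provider is likely to reject. Added example; the OID table is from RFC 7292
Appendix C, RFC 8018 and RFC 4055, the 'flagged' column is an assumption."""

# oid -> (name, flagged). PKCS#12 PBE schemes use the RFC 7292 SHA-1 KDF,
# which is not a NIST-approved PBKDF; SHA-1 signatures are disallowed for
# signature generation by SP 800-131A. PBES2 and SHA-256 are listed as clean.
KNOWN_OIDS = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHAAnd128BitRC4", True),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHAAnd40BitRC4", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", True),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHAAnd2-KeyTripleDES-CBC", True),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHAAnd128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", True),  # the thread's error
    "1.2.840.113549.1.5.13": ("PBES2", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos), or None if malformed."""
    if pos + 2 > len(buf) or (buf[pos] & 0x1F) == 0x1F:  # no multi-byte tags in PKCS#12
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form, or None if malformed."""
    if not value or value[-1] & 0x80:
        return None
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:  # base-128 arcs, high bit marks continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _walk(buf, found):
    """Collect OIDs from a run of DER elements; return False if buf is not well-formed DER."""
    pos = 0
    while pos < len(buf):
        tlv = _read_tlv(buf, pos)
        if tlv is None:
            return False
        tag, value, pos = tlv
        if tag == 0x06:
            oid = _decode_oid(value)
            if oid:
                found.append(oid)
        elif tag & 0x20:  # constructed (SEQUENCE, SET, [n]): descend
            _walk(value, found)
        elif tag == 0x04 and value[:1] == b"\x30":
            # PKCS#12 nests AuthenticatedSafe, SafeContents and certificates
            # inside OCTET STRINGs; only descend if the content is a complete
            # DER SEQUENCE, so ciphertext, salts and MACs stay opaque.
            inner = []
            if _walk(value, inner):
                found.extend(inner)
    return True


def scan_keystore_oids(data):
    """Return every algorithm OID found in the keystore bytes, in file order."""
    found = []
    _walk(data, found)
    return found


def fips_findings(data):
    """Return the sorted names of flagged algorithms present in the keystore bytes."""
    return sorted({KNOWN_OIDS[o][0] for o in scan_keystore_oids(data)
                   if o in KNOWN_OIDS and KNOWN_OIDS[o][1]})


# --- constructed sample input (not a real keystore) ---------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, body)


def _sample(pbe_oid, sig_oid):
    """Keystore-shaped fragment: AlgorithmIdentifier{pbe, {salt, iterations}},
    an OCTET STRING wrapping a SEQUENCE that carries a signature algorithm,
    and an opaque OCTET STRING standing in for ciphertext."""
    salt, iterations = b"\x01\x02\x03\x04\x05\x06\x07\x08", b"\x08\x00"  # 2048
    return _der(0x30,
                _der(0x30, _oid(pbe_oid) + _der(0x30, _der(0x04, salt) + _der(0x02, iterations)))
                + _der(0x04, _der(0x30, _der(0x30, _oid(sig_oid) + _der(0x05, b""))))
                + _der(0x04, b"\xde\xad\xbe\xef" * 4))


LEGACY_SAMPLE = _sample("1.2.840.113549.1.12.1.6", "1.2.840.113549.1.1.5")   # keytool defaults in the thread
MODERN_SAMPLE = _sample("1.2.840.113549.1.5.13", "1.2.840.113549.1.1.11")    # PBES2 + SHA256withRSA

if __name__ == "__main__":
    import sys
    # Hypothetical usage: python check_ks.py tomcatmypkcs12.kestore
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEGACY_SAMPLE
    print("OIDs:", scan_keystore_oids(data))
    print("flagged:", fips_findings(data) or "none")
```

Run against the legacy sample the scanner reports both pbeWithSHAAnd40BitRC2-CBC and sha1WithRSAEncryption; against the PBES2/SHA-256 sample it reports nothing, which is the state a keystore must reach before a FIPS-mode provider will load it. Because the walk never decrypts anything, algorithms used inside encrypted SafeContents (for example the shrouded key bag's own PBE) are only visible when their AlgorithmIdentifier sits outside the ciphertext, as it does for EncryptedPrivateKeyInfo and for the PKCS#7 EncryptedData wrapper.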

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

