tomcat-users mailing list archives

From Nikitha Benny <nikki.be...@gmail.com>
Subject FIPS compliancy on Tomcat 7.00.062
Date Tue, 04 Aug 2015 08:30:35 GMT
Hello All,

We are working on Tomcat 7.00.062 with java 1.08.045.
We need to configure FIPS compliancy on the Tomcat.

We were successful in configuring FIPS compliancy on java 1.08.045.
A keystore file has already been created for Tomcat.

When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
runs fine on the http server, but fails to run on the https server port.

The java.security file is of JKS format.
We tried converting from JKS to PKCS12 format, which gave us the below
result:

[root]## keytool -importkeystore -srckeystore tomcat.keystore
-destkeystore tomcatpkcs2.keystore
Import command completed:  1 entries successfully imported, 0 entries
failed or cancelled

[root]## keytool -v -list -storetype pkcs12 -keystore tomcatpkcs2.keystore
keytool error: java.io.IOException: Error decoding PKCS 12 input.
java.io.IOException: Error decoding PKCS 12 input.
        at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.doCommands(Main.java:792)
        at sun.security.tools.keytool.Main.run(Main.java:340)
        at sun.security.tools.keytool.Main.main(Main.java:333)

-------

Also we tried to create a new keystore file entirely of PKCS12 format,
which resulted as below:

[root]## keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
-validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com,
OU=OpenView, O=Hewlett-Packard, L=Palo Alto, S=California, C=US"
-keypass changeit -storepass changeit
-keystore tomcatmypkcs12.kestore -storetype pkcs12

When we list the keystore file, it throws the below exception.
It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
compliant.

[root]## keytool -v -list -storetype pkcs12 -keystore
tomcatmypkcs12.kestore
Enter keystore password: (password given)
keytool error: java.lang.SecurityException: Algorithm not allowable in
FIPS140 mode: PBE/PKCS12/*SHA1*/RC2/CBC/40
java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
PBE/PKCS12/*SHA1*/RC2/CBC/40
        at com.rsa.cryptoj.o.cc.c(Unknown Source)
        at com.rsa.cryptoj.o.ci.c(Unknown Source)
        at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
        at com.rsa.cryptoj.o.dh.d(Unknown Source)
        at com.rsa.cryptoj.o.gf.<init>(Unknown Source)
        at com.rsa.cryptoj.o.gk.<init>(Unknown Source)
        at com.rsa.cryptoj.o.gp.<init>(Unknown Source)
        at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
        at com.rsa.cryptoj.o.kg.a(Unknown Source)
        at com.rsa.cryptoj.o.kg.a(Unknown Source)
        at com.rsa.cryptoj.o.lp.a(Unknown Source)
        at com.rsa.cryptoj.o.lp.b(Unknown Source)
        at com.rsa.cryptoj.o.lp.a(Unknown Source)
        at com.rsa.cryptoj.o.lp.a(Unknown Source)
        at com.rsa.cryptoj.o.lp.a(Unknown Source)
        at com.rsa.cryptoj.o.lp.a(Unknown Source)
        at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at sun.security.tools.keytool.Main.doCommands(Main.java:889)
        at sun.security.tools.keytool.Main.run(Main.java:340)
        at sun.security.tools.keytool.Main.main(Main.java:333)

Is there a possibility where it can pick up SHA256?

Regards,
Nikitha
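As an added example (not part of the original message, and not Tomcat or keytool code), the following standard-library Python script walks the DER structure of a PKCS#12 file and lists the password-based-encryption and integrity-MAC algorithm OIDs it contains. The point is the check the message above is missing: a keystore can be inspected for the SHA-1/RC2-40 and SHA-1/3DES schemes offline, before a FIPS-mode JRE refuses to load it. The OID names and the "legacy" classification come from RFC 7292 and RFC 8018; which of the legacy schemes a particular FIPS provider rejects is provider-specific (the provider in the message rejected the RC2 one). The sample input is a constructed miniature PFX skeleton with 0xff filler in place of ciphertext, salts and digests, not a real keystore; pass a real `.p12` path as the first argument to scan it instead.

```python
"""List the protection algorithms (PBE schemes, PRFs, integrity MAC) inside a PKCS#12
file by walking its DER and collecting AlgorithmIdentifier OIDs. Standard library only,
so it works even where a FIPS provider refuses to open the file."""
import sys

OID_NAMES = {  # algorithm OIDs relevant to PKCS#12 protection (RFC 7292, RFC 8018)
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
# The six SHA-1 based PKCS#12 PBE schemes from RFC 7292 appendix C plus SHA-1 MAC/PRF.
LEGACY_OIDS = {f"1.2.840.113549.1.12.1.{i}" for i in range(1, 7)} | {
    "1.2.840.113549.2.7", "1.3.14.3.2.26"}


def _read_tlv(data, pos):
    """Parse one DER TLV at pos -> (tag, value, next_pos); rejects forms DER never uses."""
    tag = data[pos]
    if tag == 0 or tag & 0x1F == 0x1F:
        raise ValueError("unsupported tag")
    first = data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("truncated value")
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("bad OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _walk(data, oids):
    """Collect every OID under data. Descends into constructed types and into OCTET STRINGs
    that parse cleanly as DER, because PKCS#12 nests its SafeContents that way (heuristic:
    ciphertext, salts and digests are opaque and fail to parse, so they are skipped)."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        if tag == 0x06:
            oids.append(_decode_oid(value))
        elif tag & 0x20:
            _walk(value, oids)
        elif tag == 0x04:
            nested = []
            try:
                _walk(value, nested)
            except (ValueError, IndexError):
                continue
            oids.extend(nested)


def scan_pkcs12(der):
    """Return (named algorithm OIDs found, names of the legacy SHA-1 based ones)."""
    oids = []
    _walk(der, oids)
    found = sorted(set(oids))
    named = [(o, OID_NAMES[o]) for o in found if o in OID_NAMES]
    legacy = [OID_NAMES.get(o, o) for o in found if o in LEGACY_OIDS]
    return named, legacy


# --- minimal DER encoder used only to build the constructed sample below ---
def _tlv(tag, value):
    n = len(value)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + value


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >= 128:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_sample(legacy):
    """Constructed miniature PFX (not a real keystore): the AlgorithmIdentifier layout of a
    PKCS#12 file, with 0xff filler standing in for ciphertext, salts and digests."""
    opaque = lambda n: _tlv(0x04, b"\xff" * n)
    if legacy:  # historic PKCS#12 defaults: RC2-40 for certs, 3DES for keys, SHA-1 MAC
        key_alg = _tlv(0x30, _oid("1.2.840.113549.1.12.1.3") + _tlv(0x30, opaque(8) + _tlv(0x02, b"\x08\x00")))
        cert_alg = _tlv(0x30, _oid("1.2.840.113549.1.12.1.6") + _tlv(0x30, opaque(8) + _tlv(0x02, b"\x08\x00")))
        mac_alg, mac_len = _tlv(0x30, _oid("1.3.14.3.2.26") + b"\x05\x00"), 20
    else:       # PBES2 with PBKDF2-HMAC-SHA256 and AES-256-CBC, SHA-256 MAC
        kdf = _tlv(0x30, _oid("1.2.840.113549.1.5.12") + _tlv(0x30, opaque(16) + _tlv(0x02, b"\x27\x10")
                                                                + _tlv(0x30, _oid("1.2.840.113549.2.9") + b"\x05\x00")))
        enc = _tlv(0x30, _oid("2.16.840.1.101.3.4.1.42") + opaque(16))
        key_alg = cert_alg = _tlv(0x30, _oid("1.2.840.113549.1.5.13") + _tlv(0x30, kdf + enc))
        mac_alg, mac_len = _tlv(0x30, _oid("2.16.840.1.101.3.4.2.1") + b"\x05\x00"), 32
    key_bag = _tlv(0x30, _oid("1.2.840.113549.1.12.10.1.2") + _tlv(0xA0, _tlv(0x30, key_alg + opaque(64))))
    key_ci = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + _tlv(0xA0, _tlv(0x04, _tlv(0x30, key_bag))))
    cert_ci = _tlv(0x30, _oid("1.2.840.113549.1.7.6") + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(
        0x30, _oid("1.2.840.113549.1.7.1") + cert_alg + _tlv(0x80, b"\xff" * 64)))))
    auth_safe = _tlv(0x30, _oid("1.2.840.113549.1.7.1") + _tlv(0xA0, _tlv(0x04, _tlv(0x30, key_ci + cert_ci))))
    mac_data = _tlv(0x30, _tlv(0x30, mac_alg + opaque(mac_len)) + opaque(8) + _tlv(0x02, b"\x08\x00"))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe + mac_data)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(legacy=True)
    named, legacy = scan_pkcs12(data)
    for oid, name in named:
        print(f"{oid:28} {name}")
    print("legacy SHA-1 based schemes:", ", ".join(legacy) or "none")
```

Run with no arguments it scans the constructed legacy sample and reports the RC2-40, 3DES and SHA-1 schemes; run against a real file it tells you, without needing the FIPS provider, which algorithms the keystore would have to be re-encoded away from.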
