• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

FIPS compliant Tomcat using JSSE

 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,
I want to make tomcat FIPS compliant. For that I have made the changes in java.security file as follows:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSSFIPS
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=sun.security.pkcs11.SunPKCS11 /home/nss/nss.cfg
After these changes I have resatrted the tomcat. But I get the exception as follows :
May 27, 2010 11:47:40 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_20/jre/lib/i386/client:/usr/java/jdk1.6.0_20/jre/lib/i386:/usr/java/jdk1.6.0_20/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
May 27, 2010 11:47:40 AM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: Could not initialize NSS
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:465)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
May 27, 2010 11:47:40 AM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.io.IOException: Could not initialize NSS
at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
May 27, 2010 11:47:40 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 728 ms
May 27, 2010 11:47:40 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
May 27, 2010 11:47:40 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat
May 27, 2010 11:47:41 AM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "com.sun.faces.config.ConfigureListener" is already configured for this context. The duplicate definition has been ignored.
May 27, 2010 11:47:41 AM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "com.icesoft.faces.util.event.servlet.ContextEventRepeater" is already configured for this context. The duplicate definition has been ignored.
May 27, 2010 11:47:42 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
May 27, 2010 11:47:42 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [] startup failed due to previous errors
May 27, 2010 11:47:43 AM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "com.sun.faces.config.ConfigureListener" is already configured for this context. The duplicate definition has been ignored.
May 27, 2010 11:47:43 AM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "com.icesoft.faces.util.event.servlet.ContextEventRepeater" is already configured for this context. The duplicate definition has been ignored.
May 27, 2010 11:47:43 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
May 27, 2010 11:47:43 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/salgateway] startup failed due to previous errors
May 27, 2010 11:47:43 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
May 27, 2010 11:47:43 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
May 27, 2010 11:47:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
May 27, 2010 11:47:43 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
May 27, 2010 11:47:43 AM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: Crypto provider not installed: SunPKCS11-NSSFIPS
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:465)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1087)
at org.apache.catalina.core.StandardService.start(StandardService.java:534)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
May 27, 2010 11:47:43 AM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Crypto provider not installed: SunPKCS11-NSSFIPS
at org.apache.catalina.connector.Connector.start(Connector.java:1094)
at org.apache.catalina.core.StandardService.start(StandardService.java:534)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

All the above things, I have tried on Tomcat 6.0.20 and JDK 1.6

When I have tried out all the above things with tomcat 6.0.26 then I got the different exception:
May 27, 2010 11:51:18 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_20/jre/lib/i386/client:/usr/java/jdk1.6.0_20/jre/lib/i386:/usr/java/jdk1.6.0_20/jre/../lib/i386:/home/nss/libs/:/usr/java/packages/lib/i386:/lib:/usr/lib
May 27, 2010 11:51:18 AM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: FIPS mode: KeyStore must be from provider SunPKCS11-NSSFIPS
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:465)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
May 27, 2010 11:51:18 AM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.io.IOException: FIPS mode: KeyStore must be from provider SunPKCS11-NSSFIPS
at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
May 27, 2010 11:51:18 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 638 ms
May 27, 2010 11:51:18 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
May 27, 2010 11:51:18 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.26
...

When I removed Kestore from server.xml file of tomcat then I got the following exceptions :
May 27, 2010 11:59:25 AM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_20/jre/lib/i386/client:/usr/java/jdk1.6.0_20/jre/lib/i386:/usr/java/jdk1.6.0_20/jre/../lib/i386:/home/nss/libs/:/usr/java/packages/lib/i386:/lib:/usr/lib
May 27, 2010 11:59:26 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JKS with path /root/.keystore due to /root/.keystore (No such file or directory)
java.io.FileNotFoundException: /root/.keystore (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:106)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:347)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:269)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:482)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:419)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
May 27, 2010 11:59:26 AM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.FileNotFoundException: /root/.keystore (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:106)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:347)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:269)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:482)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:419)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1014)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
May 27, 2010 11:59:26 AM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed: java.io.FileNotFoundException: /root/.keystore (No such file or directory)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:680)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at org.apache.catalina.startup.Catalina.load(Catalina.java:548)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
May 27, 2010 11:59:26 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3432 ms
May 27, 2010 11:59:26 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
May 27, 2010 11:59:26 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.26
May 27, 2010 11:59:27 AM org.apache.catalina.core.StandardContext resourcesStart

NSS is installed by default on syatem. And in nss.cfg file looks like :
name = NSSFIPS
nssLibraryDirectory = /usr/lib
nssSecmodDirectory = /home/nss/dbs
nssModule = fips
attributes = compatibility

I am not getting what is going wrong? Can some one help me out with this issue?
Thanks in advance.

Vinu




 
Saloon Keeper
Posts: 27752
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The Java crypto framework is plugin-based. Some encryption schemes are built-in, but apparently not the FIPS one you want. You'll need to install it.
reply
    Bookmark Topic Watch Topic
  • New Topic