Configuring FIPS-140 Mode For a tc Runtime Instance

You can configure a tc Runtime instance to run with a FIPS-140 compliant Java Secure Socket Extension (JSSE) provider, as described in this section.

Important: Completing these procedures does not make a tc Runtime instance FIPS-140 compliant; it only means that the instance uses a FIPS-140 compliant JSSE provider.

FIPS-140 refers to Federal Information Processing Standard 140, which specifies security requirements for cryptographic modules used by the U.S. Government. FIPS 140-2 accreditation (the most current level) is required for any cryptography product sold by a private sector company to the U.S. Government.

The instructions differ depending on whether you want to configure a BIO or NIO Connector, or an APR Connector, for your tc Runtime instance.

Configuring FIPS-140 Mode for BIO and NIO Connectors

To configure FIPS-140 mode for tc Runtime instances that use the BIO or NIO Connectors, you must first install a Java Cryptography Extension (JCE) API provider, such as RSA BSAFE® Crypto-J. This section uses the RSA JCE provider only as an example; you can use any compliant provider you want.

Procedure

  1. Install the JCE API implementation, such as RSA BSAFE Crypto-J, on the same computer on which you have installed vFabric tc Server. Follow the installation instructions of the JCE provider.

    In this procedure, it is assumed you installed RSA BSAFE Crypto-J in the $CRYPTOJ_HOME directory.

  2. From the computer on which you installed vFabric tc Server, open a terminal window as the user who will create and run tc Runtime instances (such as tcserver).

  3. Statically register the Crypto-J JCE provider by copying the $CRYPTOJ_HOME/cryptoj/lib/cryptojFIPS.jar JAR file to the $JAVA_HOME/jre/lib/ext directory. For example:

    prompt$ cp $CRYPTOJ_HOME/cryptoj/lib/cryptojFIPS.jar $JAVA_HOME/jre/lib/ext
  4. Edit the $JAVA_HOME/lib/security/java.security file as follows:

    • Configure the Crypto-J JCE provider to be the default provider by adding the following line:

      security.provider.1=com.rsa.jsafe.provider.JsafeJCE

      If other security providers are already configured with this property, change their identifying numbers so that they are unique, as shown in the following example:

      security.provider.1=com.rsa.jsafe.provider.JsafeJCE
      security.provider.2=sun.security.provider.Sun
    • Add the following properties as required specifically by the Crypto-J JCE provider:

      com.rsa.cryptoj.fips140initialmode=FIPS140_MODE
      com.rsa.cryptoj.kat.strategy=on.load
  5. If you are using the evaluation mode of the RSA BSAFE Crypto-J module, install the RSA evaluation license as shown:

    prompt$ cp $CRYPTOJ_HOME/cryptoj/lib/rsamisc.jar $JAVA_HOME/jre/lib/ext
  6. Create an SSL-enabled tc Runtime instance that uses either the BIO or NIO Connector by specifying either the bio-ssl or nio-ssl template when running the tcruntime-instance.sh script. For example, if you installed tc Server in /opt/vmware/vfabric-tc-server-standard and your instances are located in /var/opt/vmware/vfabric-tc-server-standard:

    prompt$ cd /opt/vmware/vfabric-tc-server-standard
    prompt$ ./tcruntime-instance.sh create ssl-instance -t bio-ssl -i /var/opt/vmware/vfabric-tc-server-standard
  7. Start the instance:

    prompt$ ./tcruntime-ctl.sh -n /var/opt/vmware/vfabric-tc-server-standard ssl-instance start
  8. Check the logs/catalina-date.log file to ensure that the instance started correctly; you should see messages similar to the following:

    26-Jan-2012 10:11:14.477 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-bio-8443"]
    26-Jan-2012 10:11:15.603 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-bio-8443"]
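The step 4 edits are easy to get subtly wrong (a duplicated or skipped provider number silently drops a provider), so the following added check script, which is not part of the tc Server documentation, validates a java.security file against the requirements of steps 3 and 4. The path passed to check_java_security and the sample file it writes are assumptions for the demo run.

```bash
#!/bin/bash
# Added example (not from the tc Server docs): sanity-check java.security after
# step 4. Provider numbers must be unique and contiguous from 1, JsafeJCE must be
# provider 1, and the two Crypto-J properties must be present.
# Usage: check_java_security "$JAVA_HOME/lib/security/java.security"

check_java_security() {
    local file="$1" rc=0 nums dups count max
    # Provider lines look like: security.provider.N=fully.qualified.ClassName
    nums=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$file")
    [ -n "$nums" ] || { echo "no security.provider.N entries in $file"; return 1; }

    # Duplicate numbers: java.security is a Properties file, so only the last
    # line with a given key survives and the other provider silently vanishes.
    dups=$(printf '%s\n' "$nums" | sort -n | uniq -d | tr '\n' ' ')
    [ -z "$dups" ] || { echo "duplicate provider number(s): $dups"; rc=1; }

    # Gaps: the JRE loads security.provider.1, .2, ... and stops at the first
    # missing number, so anything after a gap is never registered.
    count=$(printf '%s\n' "$nums" | sort -nu | wc -l | tr -d ' ')
    max=$(printf '%s\n' "$nums" | sort -n | tail -n 1)
    [ "$count" -eq "$max" ] || { echo "provider numbers are not contiguous 1..$max"; rc=1; }

    # JsafeJCE must be first so JSSE prefers it over the JDK's own providers.
    grep -q '^security\.provider\.1=com\.rsa\.jsafe\.provider\.JsafeJCE$' "$file" \
        || { echo "security.provider.1 is not com.rsa.jsafe.provider.JsafeJCE"; rc=1; }

    # Crypto-J properties from step 4.
    grep -q '^com\.rsa\.cryptoj\.fips140initialmode=FIPS140_MODE$' "$file" \
        || { echo "fips140initialmode is not FIPS140_MODE"; rc=1; }
    grep -q '^com\.rsa\.cryptoj\.kat\.strategy=on\.load$' "$file" \
        || { echo "kat.strategy is not on.load"; rc=1; }
    return $rc
}

# Constructed sample matching the step 4 example, written to a temp file for a demo run.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
com.rsa.cryptoj.fips140initialmode=FIPS140_MODE
com.rsa.cryptoj.kat.strategy=on.load
EOF
check_java_security "$demo_file" && echo "java.security: OK"
```

Run it against the real $JAVA_HOME/lib/security/java.security before step 7; a non-zero exit status lists every problem found.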

Configuring FIPS-140 Mode for an APR Connector

You can use the Apache Tomcat native libraries provided by vFabric Web Server to configure FIPS-140 mode for a tc Runtime instance that uses the APR lifecycle listener.

In this procedure, you download and unzip the vFabric Web Server distribution, but you do not create or start any Web Server instances; you unzip the distribution only to gain access to some of its native components. This means you do not consume any vFabric Web Server licenses.

Important: Currently, only version 5.0.2+ of vFabric Web Server includes the required native components; version 5.1.0 does not include them. Check the vFabric Web Server Release Notes to see if later 5.1.X maintenance releases include the required native components. If they do not, you must download and unzip version 5.0.2+ of vFabric Web Server.

Prerequisites

Download and unzip vFabric Web Server on the same computer where vFabric tc Server is installed:

  1. Open a terminal window and create the directory in which you will unzip the vFabric Web Server distribution. For example:

    prompt$ mkdir /var/opt/vmware
  2. Download the appropriate vFabric Web Server self-extracting ZIP from the VMware Download Web site and place it in the directory you created.

    Be sure to choose the correct operating system and chip architecture.

  3. From your terminal window, change to the directory in which you downloaded the ZIP file:

    prompt$ cd /var/opt/vmware
  4. If necessary, change the permissions of the downloaded ZIP file to make it executable. For example, on Unix:

    prompt$ chmod 755 vfabric-web-server-version-x86_64-linux-glibc2.zip.sfx
  5. Self-extract the files from the downloaded ZIP by using the file name as a command. For example:

    prompt$ ./vfabric-web-server-version-x86_64-linux-glibc2.zip.sfx

    When it completes, the vFabric Web Server files are located in the vfabric-web-server subdirectory.

    For clarity, this directory (/var/opt/vmware/vfabric-web-server) is referred to as $VFWS_HOME in the remainder of the procedure.

Procedure

  1. From the computer on which you installed vFabric tc Server, open a terminal window as the user who will create and run tc Runtime instances (such as tcserver).

  2. Create a tc Runtime instance that uses the apr-ssl template. For example, if you installed tc Server in /opt/vmware/vfabric-tc-server-standard and your instances are located in /var/opt/vmware/vfabric-tc-server-standard:

    prompt$ cd /opt/vmware/vfabric-tc-server-standard
    prompt$ ./tcruntime-instance.sh create apr-ssl-instance -t apr-ssl -i /var/opt/vmware/vfabric-tc-server-standard
  3. Edit the bin/setenv.sh file in the instance directory and add the following two lines:

    LD_LIBRARY_PATH="$VFWS_HOME/httpd-2.2/lib/"
    export LD_LIBRARY_PATH

    In the preceding sample, $VFWS_HOME refers to the directory in which you installed vFabric Web Server, such as /var/opt/vmware/vfabric-web-server. The tc Runtime instance directory in our example is /var/opt/vmware/vfabric-tc-server-standard/apr-ssl-instance.

  4. Edit the conf/server.xml configuration file in the tc Runtime instance directory and add the FIPSMode="on" attribute to the AprLifecycleListener <Listener /> element, as shown:

    <Listener SSLEngine="on"
              FIPSMode="on"
              className="org.apache.catalina.core.AprLifecycleListener"/>
  5. Start the instance:

    prompt$ ./tcruntime-ctl.sh -n /var/opt/vmware/vfabric-tc-server-standard apr-ssl-instance start
  6. Check the logs/catalina-date.log file to ensure that the instance started correctly; you should see messages similar to the following:

    15-Feb-2012 16:04:34.973 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.22.
    15-Feb-2012 16:04:34.973 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    15-Feb-2012 16:04:35.002 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
    15-Feb-2012 16:04:35.223 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
    15-Feb-2012 16:04:35.243 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8443"]
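A connector that starts with FIPSMode missing from the listener comes up outside FIPS mode without any error, so the following added script, which is not part of the tc Server documentation, checks the step 4 server.xml edit and confirms from the step 6 log that FIPS mode was entered before the APR protocol handler initialised. The temp files it writes hold constructed copies of the listener element and log lines shown above.

```bash
#!/bin/bash
# Added example (not from the tc Server docs): verify an apr-ssl instance is
# configured for FIPS mode (step 4) and actually entered it at startup (step 6).
# Usage: check_apr_fips_listener conf/server.xml
#        check_fips_startup logs/catalina-<date>.log

# Pass if the AprLifecycleListener <Listener .../> element carries both
# SSLEngine="on" and FIPSMode="on". The element may span several lines, so
# awk joins each <Listener ... /> element before testing it.
check_apr_fips_listener() {
    awk '
        /<Listener/   { inel = 1; el = "" }
        inel          { el = el " " $0 }
        inel && /\/>/ {
            inel = 0
            if (el ~ /AprLifecycleListener/) {
                found = 1
                if (el ~ /SSLEngine="on"/ && el ~ /FIPSMode="on"/) ok = 1
            }
        }
        END { exit !(found && ok) }
    ' "$1"
}

# Pass only if "Successfully entered FIPS mode" follows "Initializing FIPS mode"
# and precedes the http-apr ProtocolHandler init; otherwise the connector came
# up outside FIPS mode or did not start at all.
check_fips_startup() {
    awk '
        /AprLifecycleListener.initializeSSL Initializing FIPS mode/      { init = NR }
        /AprLifecycleListener.initializeSSL Successfully entered FIPS mode/ { ok = NR }
        /AbstractProtocol.init Initializing ProtocolHandler \["http-apr-/  { apr = NR }
        END { exit !(init && ok && ok > init && (!apr || apr > ok)) }
    ' "$1"
}

# Constructed samples (copied from steps 4 and 6) written to temp files for a demo run.
demo_server_xml=$(mktemp); demo_log=$(mktemp)
cat > "$demo_server_xml" <<'EOF'
<Listener SSLEngine="on"
          FIPSMode="on"
          className="org.apache.catalina.core.AprLifecycleListener"/>
EOF
cat > "$demo_log" <<'EOF'
15-Feb-2012 16:04:35.002 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
15-Feb-2012 16:04:35.223 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
15-Feb-2012 16:04:35.243 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8443"]
EOF
check_apr_fips_listener "$demo_server_xml" && echo "server.xml: FIPSMode on" || echo "server.xml: FIPS not configured"
check_fips_startup "$demo_log" && echo "log: entered FIPS mode" || echo "log: FIPS mode not confirmed"
```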