How to enable Tomcat FIPS mode

I added this to server.xml to enable Tomcat FIPSMode:

 <Listener className="org.apache.catalina.core.AprLifecycleListener"
 SSLEngine="on" FIPSMode="on" />

But after that the log started throwing:

Dec 01, 2015 3:28:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)

When I looked at the Tomcat 7 docs for FIPSMode,

it asks us to build the OpenSSL library:

FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. If this attribute is set to any of the above values, the SSLEngine must be enabled as well.

So, now the question is how to build the OpenSSL library for Tomcat FIPS, and how to integrate it with Tomcat?

Please share the steps or documentation to achieve this.

Please check this new exception #1:

Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Initializing FIPS mode...
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
    at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:333)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:138)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

java.lang.Error: Failed to enter FIPS mode
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

openssl version:

OpenSSL 1.0.1p-fips 9 Jul 2015

Please check new exception #2:

03-Dec-2015 22:46:24.577 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.0.29
03-Dec-2015 22:46:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Nov 20 2015 09:18:00 UTC
03-Dec-2015 22:46:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.0.29.0
03-Dec-2015 22:46:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
03-Dec-2015 22:46:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            2.6.32-131.0.15.el6.x86_64
03-Dec-2015 22:46:24.584 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
03-Dec-2015 22:46:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /java/jdk1.7.0_80/jre
03-Dec-2015 22:46:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.7.0_80-b15
03-Dec-2015 22:46:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
03-Dec-2015 22:46:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/tomcat/apache-tomcat-8.0.29/conf/logging.properties
03-Dec-2015 22:46:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
03-Dec-2015 22:46:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/tomcat/apache-tomcat-8.0.29/endorsed
03-Dec-2015 22:46:24.589 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/tomcat/apache-tomcat-8.0.29/temp
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
03-Dec-2015 22:46:24.591 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
03-Dec-2015 22:46:24.657 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
03-Dec-2015 22:46:24.691 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
    at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:329)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:135)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)

Finally it worked!!

04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
04-Dec-2015 00:45:30.561 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:45:30.576 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
04-Dec-2015 00:45:30.577 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)
04-Dec-2015 00:45:30.935 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8080"]
04-Dec-2015 00:45:30.973 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-apr-8009"]
04-Dec-2015 00:45:30.976 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 2308 ms
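The logs above show two different failure signatures: the plain "Failed to enter FIPS mode" from the first attempt, and the later "FIPS_mode_set:fingerprint does not match" that appears once a FIPS-capable library is actually found. The following is an added example, not code from the question or any answer: a small POSIX shell classifier that reads catalina log text and reports which stage FIPS initialization reached. The state names it prints are my own, and the sample lines are constructed, modelled on the logs in the question.

```shell
#!/bin/sh
# Added example, not code from the question or an answer.
# Classify how far Tomcat's AprLifecycleListener got with FIPS at startup by
# reading catalina log text from stdin. Prints exactly one of:
#   entered              "Successfully entered FIPS mode" was logged
#   fingerprint-mismatch FIPS_mode_set failed its integrity self-test
#                        (OpenSSL error 2D06C06E, as in exceptions #1 and #2)
#   fips-failed          FIPS init was attempted but failed for another reason
#   not-attempted        no FIPS line at all (FIPSMode not on, or APR not loaded)
#
# 2D06C06E decodes to library 0x2D (FIPS routines), function 0x6C
# (FIPS_mode_set), reason 0x6E (fingerprint does not match): the HMAC that
# fipsld embedded in libcrypto at link time differs from the one computed over
# the library that is loaded now. Typical causes are a libcrypto that was not
# linked through fipsld, or one modified after linking (e.g. by prelink).
classify_fips_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Successfully entered FIPS mode'; then
        echo entered
    elif printf '%s\n' "$log" | grep -q 'FIPS_mode_set:fingerprint does not match'; then
        echo fingerprint-mismatch
    elif printf '%s\n' "$log" | grep -q 'Failed to enter FIPS mode'; then
        echo fips-failed
    else
        echo not-attempted
    fi
}

# Constructed samples in the shape of the question's logs (not captured output).
SAMPLE_MISMATCH='03-Dec-2015 22:46:24.657 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
03-Dec-2015 22:46:24.691 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
 java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
SEVERE: Failed to enter FIPS mode'

SAMPLE_OK='04-Dec-2015 00:45:30.561 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:45:30.576 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode'

# Usage on a real server: classify_fips_log < "$CATALINA_BASE/logs/catalina.out"
printf '%s\n' "$SAMPLE_MISMATCH" | classify_fips_log   # fingerprint-mismatch
printf '%s\n' "$SAMPLE_OK" | classify_fips_log         # entered
```

The order of the tests matters: "Failed to enter FIPS mode" is logged in both failure cases, so the more specific fingerprint check has to come first.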

You need to configure Tomcat to use the APR connector. The steps are below (done on CentOS 6):

Install gcc

yum install gcc

Install the latest APR

wget http://apache.spd.co.il//apr/apr-1.5.1.tar.gz
tar -zxvf apr-1.5.1.tar.gz
cd apr-1.5.1/
./configure
make
make install

Install the latest APR-util

wget http://apache.spd.co.il/apr/apr-util-1.5.3.tar.gz
tar -zxvf apr-util-1.5.3.tar.gz
cd apr-util-1.5.3
./configure --with-apr=/usr/local/apr
make
make install

Configure OpenSSL

Check the installed version by running:

openssl version

Sample output: OpenSSL 1.0.1h-fips 5 Jun 2014

Note that the installed version is compiled in FIPS mode; google for the manual. Copy the source files of the corresponding version from the OpenSSL site to your machine at /var/tmp/openssl-1.0.1h

JDK

To build Tomcat's JNI wrapper, make sure a JDK is available (copy it to the machine; note that the JDK version must match the installed JRE).

Install the JNI wrapper for the APR used by Tomcat (libtcnative)

cd $CATALINA_HOME/bin
tar -zxvf tomcat-native.tar.gz
cd tomcat-native/jni/native
./configure --with-apr=/usr/local/apr --with-java-home=$JDK_HOME --prefix=/usr --with-ssl=/var/tmp/openssl-1.0.1h/build/lnx/devel/x86_64
make
make install

Configure your CA

Edit the copied openssl.cnf file and set the dir property under the CA_default section.

#!/bin/bash
# Stop at the first failing command so a half-built CA is not used by later steps
set -e

#Configuring your CA
mkdir -p /var/tmp/myCA/certs
mkdir -p /var/tmp/myCA/csr
mkdir -p /var/tmp/myCA/newcerts
mkdir -p /var/tmp/myCA/private
cp /etc/pki/tls/openssl.cnf /var/tmp/myCA/.
cd /var/tmp/myCA
echo 00 > serial
echo 00 > crlnumber
touch index.txt

# Create CA private key
openssl genrsa -aes128 -passout pass:qwerty -out private/rootCA.key 2048

# Remove passphrase
openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key

# Create CA self-signed certificate
openssl req -config openssl.cnf -new -x509 -subj '/C=IL/L=Tel-Aviv/CN=www.imperva.com' -days 365 -key private/rootCA.key -out certs/rootCA.crt

# Create a SSL Server certificate
# Create private key for the mx server
openssl genrsa -aes128 -passout pass:qwerty -out private/mx.key 2048

# Remove passphrase
openssl rsa -passin pass:qwerty -in private/mx.key -out private/mx.key

# Create CSR (Certificate Signing Request) for the MX server
openssl req -config openssl.cnf -new -subj '/C=IL/L=Tel-Aviv/CN=mx' -key private/mx.key -out csr/mx.csr

# Create certificate for the MX server
openssl ca -batch -config openssl.cnf -days 365 -in csr/mx.csr -out certs/mx.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

Configure Tomcat

Edit server.xml to use the Http11AprProtocol protocol:

<Connector
        interface="management"
        port="8080"
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        secure="false"
        SSLEnabled="false"
        scheme="http"
        URIEncoding="UTF-8"
        minProcessors="5"
        maxProcessors="150"
        enableLookups="true"
        acceptCount="10"
        allowChunking="true"
        server="NA"/>
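After running the build steps in this answer, it is worth confirming that the libtcnative you built resolves the FIPS-capable libcrypto (and not the distribution's copy under /usr/lib64), and that FIPS mode can be entered outside Tomcat before touching server.xml. The script below is an added example, not the answerer's; OPENSSL_PREFIX and TCNATIVE_LIB are assumed paths derived from the answer's configure line and its --prefix=/usr, the ldd sample is constructed, and the OPENSSL_FIPS=1 behaviour is that of an upstream OpenSSL 1.0.x build made with the FIPS Object Module (distribution builds may use a different switch).

```shell
#!/bin/sh
# Added example, not the answerer's script: post-build checks for the
# APR/tcnative + FIPS-capable OpenSSL setup described in the answer.
# Assumed paths (hypothetical; adjust to your build):
OPENSSL_PREFIX="${OPENSSL_PREFIX:-/var/tmp/openssl-1.0.1h/build/lnx/devel/x86_64}"
TCNATIVE_LIB="${TCNATIVE_LIB:-/usr/lib/libtcnative-1.so}"

# 1. Does the `openssl version` string name a FIPS-capable build ("-fips" suffix)?
is_fips_capable_version() {
    case "$1" in
        "OpenSSL "*-fips*) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. From `ldd` output, extract the libcrypto path that tcnative will really load.
libcrypto_path_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; exit }'
}

# 3. Is that path under the FIPS-capable OpenSSL prefix rather than the distro's?
links_against_prefix() {
    path=$(libcrypto_path_from_ldd "$1")
    case "$path" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 4. Live behavioural check. In upstream OpenSSL 1.0.x FIPS-capable builds the
#    openssl command calls FIPS_mode_set(1) when OPENSSL_FIPS is set in the
#    environment; MD5 is then rejected while SHA-256 still works. If
#    FIPS_mode_set fails here, Tomcat will fail the same way (see the
#    fingerprint error in the question).
live_fips_check() {
    bin="$OPENSSL_PREFIX/bin/openssl"
    [ -x "$bin" ] || bin=openssl
    ver=$("$bin" version)
    is_fips_capable_version "$ver" || { echo "not a FIPS-capable build: $ver"; return 1; }
    if OPENSSL_FIPS=1 "$bin" md5 /dev/null >/dev/null 2>&1; then
        echo "MD5 still allowed under OPENSSL_FIPS=1: FIPS mode was not entered"
        return 1
    fi
    OPENSSL_FIPS=1 "$bin" sha256 /dev/null >/dev/null 2>&1 \
        || { echo "SHA-256 failed under OPENSSL_FIPS=1 (FIPS_mode_set error?)"; return 1; }
    if command -v ldd >/dev/null 2>&1 && [ -f "$TCNATIVE_LIB" ]; then
        links_against_prefix "$(ldd "$TCNATIVE_LIB")" "$OPENSSL_PREFIX" \
            || { echo "$TCNATIVE_LIB resolves libcrypto outside $OPENSSL_PREFIX"; return 1; }
    fi
    echo "FIPS-capable OpenSSL in use, FIPS mode enters, tcnative links to $OPENSSL_PREFIX"
}

# Constructed ldd output (not captured from a real system) for the parsers.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff3a1ff000)
	libcrypto.so.1.0.0 => /var/tmp/openssl-1.0.1h/build/lnx/devel/x86_64/lib/libcrypto.so.1.0.0 (0x00007f1c00000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1b00000000)'
SAMPLE_LDD_DISTRO='	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f1c00000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1b00000000)'

# The live check needs the built toolchain, so it only runs when asked for:
#   RUN_LIVE_CHECK=1 sh check-fips-build.sh
if [ "${RUN_LIVE_CHECK:-0}" = 1 ]; then
    live_fips_check
fi
```

The ldd comparison is the part most often skipped: if LD_LIBRARY_PATH or the system linker cache resolves libcrypto to the distribution's library, tcnative silently uses a build that was never linked through fipsld, and the "fingerprint does not match" or "Failed to enter FIPS mode" errors in the question follow at Tomcat startup.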