How to run a fully FIPS compliant Spring Boot application
I have to fulfil the following conditions:
- Tomcat runs in FIPS mode
- JDK uses a FIPS ssl provider
which is expected to make the application "run in FIPS mode". Is this assumption correct?
I think Tomcat is configured using an APR Lifecycle Listener, with APR requiring certain native components to be installed. After these components are available, one can enable APR with this (considering ). Is that correct?
Note to self: Not everybody thinks of APR to be a good idea.
Now the FIPS SSL provider seems to be related to SunJSSE, and it seems there are JAR files providing functionality for this. Is that right? Are these JARs also sufficient for Tomcat, even though they are not native?
That's a lot of questions, I know. But basically: how do I run a fully FIPS compliant Spring Boot application?
Part 1: "Tomcat runs in FIPS mode", on Ubuntu
Preamble #1: some general (but incomplete) instructions can be found here.
Preamble #2: the following requires an OpenSSL with a FIPS 140-2 certified module. On Ubuntu these are only available to "Ubuntu Advantage Advanced customers" on Ubuntu 16.04! See here and here.
- Install APR:
    $ sudo apt install libapr1 libapr1-dev
  (from here; it might be sudo apt install libapr1-dev libssl-dev though, see here)
- Download tomcat-native-1.2.23-src from here, unpack it, go to tomcat-native-1.2.23-src/native/ and build:
    $ ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/path/to/java-home/ --with-ssl=yes
    $ make
- Add
    -Djava.library.path=/path/to/tomcat-native-1.2.23-src/native/.libs
  to the jvm args
- Add the following to your project:
    import org.apache.catalina.core.AprLifecycleListener;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.Ssl;
    import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class AprConfig {

        @Bean
        public ServletWebServerFactory servletContainer() {
            TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
                @Override
                public Ssl getSsl() {
                    // avoid "IllegalStateException: To use SSL, the connector's protocol handler must be an AbstractHttp11JsseProtocol subclass":
                    // Spring Boot's server.ssl.* handling is JSSE-only, so the APR connector is configured outside it
                    return null;
                }
            };
            // enable APR: use the native (OpenSSL-backed) protocol handler instead of the JSSE one
            factory.setProtocol("org.apache.coyote.http11.Http11AprProtocol");
            AprLifecycleListener aprLifecycleListener = new AprLifecycleListener();
            // will throw "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS." with default OpenSSL:
            aprLifecycleListener.setFIPSMode("on");
            factory.addContextLifecycleListeners(aprLifecycleListener);
            return factory;
        }
    }
Part 2: "JDK uses FIPS ssl Provider"
Java uses the JCE "to use stronger versions of standard algorithms". Depending on the JDK, this requires policy files to be installed, up to 8u161, 7u171 and 6u16; "on those versions and later the policy files are included, but not enabled by default", while "JDK 9 and later ship with, and use by default, the unlimited policy files".
The JCE is an interface that is implemented by certain "providers" (just as JDBC is an interface that has to be implemented). While there is even an implementation from Oracle, there are not many FIPS compliant providers (see this list). And I found only one to claim Java 11 compatibility, which is the "Bouncy Castle Crypto API" in version 1.0.2 - currently "available for early access", see Java FIPS Roadmap. So the Java version is to be considered here as well (see).
Conclusion
Running a fully FIPS compliant Spring Boot application requires
- some configuration (see above)
- an OS with FIPS compliant libraries that support your Java version
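A startup check that ties Part 1 and Part 2 together, added here as an example and not code from the question or answer: it assumes the bc-fips 1.0.2 jar named in Part 2 is on the classpath, that the tcnative build from Part 1 is loaded, and that the class is picked up by component scanning; the class name and error messages are my own.

```java
import java.security.MessageDigest;
import java.security.Security;

import org.apache.catalina.core.AprLifecycleListener;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class FipsStartupCheck {

    // Runs when this class is loaded, i.e. before the embedded Tomcat connector is built
    // (assumption: this configuration class is on the application's component-scan path).
    static {
        // Put the FIPS provider first so every JCE lookup resolves to it before SUN/SunJSSE.
        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        // Refuse non-approved algorithms instead of silently falling back to them.
        // BC FIPS tracks approved-only mode per thread; to make it JVM-wide, start the JVM
        // with -Dorg.bouncycastle.fips.approved_only=true instead of calling this here.
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
    }

    /** Name of the provider that actually serves the given digest algorithm. */
    static String digestProvider(String algorithm) throws Exception {
        return MessageDigest.getInstance(algorithm).getProvider().getName();
    }

    /** Fails startup unless both halves of "run in FIPS mode" are really active. */
    @Bean
    ApplicationRunner verifyFipsMode() {
        return args -> {
            // Part 1: tcnative is loaded and OpenSSL reports FIPS mode (needs a FIPS-built OpenSSL).
            if (!AprLifecycleListener.isAprAvailable()) {
                throw new IllegalStateException("APR/tcnative not loaded; check -Djava.library.path");
            }
            if (!AprLifecycleListener.isFIPSModeActive()) {
                throw new IllegalStateException("OpenSSL FIPS mode is not active in tcnative");
            }
            // Part 2: the JCE provider answering requests is the FIPS one, in approved-only mode.
            if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
                throw new IllegalStateException("BC FIPS provider is not in approved-only mode");
            }
            String provider = digestProvider("SHA-256");
            if (!"BCFIPS".equals(provider)) {
                throw new IllegalStateException("SHA-256 is served by " + provider + ", not BCFIPS");
            }
        };
    }
}
```

If either check throws, Spring Boot aborts startup, which is preferable to a server that silently runs with the default OpenSSL or the SUN providers.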