Howto: IBMJCEFIPS and Tomcat?
July 7, 2011 11:11 AM

How to set up Tomcat with the IBMJCEFIPS provider?

I have spent the last several days googling every keyword and error message to no avail. I have an instance of tomcat6 installed on a SLES10/S390x machine, and with default security policies and providers, things are OK.

When I try to get tomcat into FIPS mode, by revising the list of providers, I just get a bunch of Unknown Source errors:

java.lang.NullPointerException
at com.ibm.crypto.fips.provider.SelfTest.p(Unknown Source)
at com.ibm.crypto.fips.provider.SelfTest.runSelfTest(Unknown Source)
at com.ibm.crypto.fips.provider.SelfTest.(Unknown Source)
at com.ibm.crypto.fips.provider.IBMJCEFIPS.(Unknown Source)


I tried editing the CLASSPATH set in catalina.sh, no effect.

Any suggestions?
posted by nomisxid to Computers & Internet (5 answers total)
 
Are you trying to set up a server application or a client application?
posted by Paquda at 11:18 AM on July 7, 2011


Response by poster: While I will eventually be setting up a server application, right now I'm just trying to get the server to come up in FIPS mode without any apps installed.
posted by nomisxid at 11:21 AM on July 7, 2011


Have you provisioned a server identity certificate? If not, I think you'll need to. The steps involved are generating a keypair (you can use Java's keytool utility: 'keytool -genkeypair [options]') and building a keystore (again, you can use the keytool utility).

Also, in case you haven't, I think you need to set JAVA_OPTS to enable your desired providers and then run catalina.sh. And then you need to edit $TOMCAT_6/conf/server.xml to enable ssl/https.
posted by Paquda at 11:26 AM on July 7, 2011


Response by poster: The jks has been generated using FIPS valid values, server.xml is configured for SSL, and SSL works if I don't have the JCE provider specified.

Not clear what you mean on the JAVA_OPTS, are you talking about something in addition to setting the providers list in java.security?
posted by nomisxid at 11:34 AM on July 7, 2011


Response by poster: I mean, SSL works if I don't have the JCEFIPS provider specified.
posted by nomisxid at 11:37 AM on July 7, 2011
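
One way to separate the provider failure from Tomcat is to load the provider in a bare JVM that uses the same java.security file. The following is an added example, not code from any poster in this thread; the class name ProviderCheck is hypothetical, and the provider class name is the one shown in the stack trace in the question.

```java
import java.security.Provider;
import java.security.Security;

// Added diagnostic (hypothetical class name ProviderCheck): run it with the same
// JVM and java.security file that Tomcat uses, but without Tomcat.
public class ProviderCheck {
    // Provider class name as it appears in the stack trace in the question.
    static final String FIPS_CLASS = "com.ibm.crypto.fips.provider.IBMJCEFIPS";

    public static void main(String[] args) {
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // 1. What java.security asks for: security.provider.1, .2, ... until a gap.
        System.out.println("\nConfigured in java.security:");
        for (int i = 1; ; i++) {
            String entry = Security.getProperty("security.provider." + i);
            if (entry == null) break;
            System.out.println("  " + i + ": " + entry);
        }

        // 2. What the JVM actually registered. Compare with list 1: a configured
        //    provider that is missing here did not get registered.
        System.out.println("\nRegistered providers:");
        Provider[] loaded = Security.getProviders();
        for (int i = 0; i < loaded.length; i++) {
            System.out.println("  " + (i + 1) + ": " + loaded[i].getName()
                    + " " + loaded[i].getVersion()
                    + " (" + loaded[i].getClass().getName() + ")");
        }

        // 3. Instantiate the FIPS provider directly so that any self-test failure
        //    is printed with its full "Caused by" chain instead of being hidden.
        System.out.println("\nDirect instantiation of " + FIPS_CLASS + ":");
        try {
            Provider p = (Provider) Class.forName(FIPS_CLASS)
                    .getDeclaredConstructor().newInstance();
            System.out.println("  OK: " + p.getInfo());
        } catch (Throwable t) {
            t.printStackTrace(System.out);
        }
    }
}
```

If step 3 fails here in the same way, the problem lies in the JVM's provider setup rather than in catalina.sh or server.xml.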

