How can I verify that my Tomcat application server is FIPS 140-2 compliant correctly?

I built openssl-fips, openssl and tc-native (Tomcat Native Library) and pointed Tomcat at the native library. I can see that APR is running in the logs:

13-Nov-2014 14:01:32.197 INFO [main] org.apache.catalina.core.AprLifecycleListener.init Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.3.9.
13-Nov-2014 14:01:32.197 INFO [main] org.apache.catalina.core.AprLifecycleListener.init APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
13-Nov-2014 14:01:32.431 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1j 15 Oct 2014)
13-Nov-2014 14:01:32.712 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-443"]


I can get to the site with https://localhost/ and the certificate looks correct. Firefox looks the same when I look at the site's security information and compare the pre-FIPS and post-FIPS settings:


Questions:

  • How can I verify that communication between browser and server is in fact FIPS 140-2 compliant?
  • Is there a way to force only FIPS communication on the server?


1 answer


It may not be obvious, but it is not a <Connector> parameter, but instead an APR parameter that is configured on the AprLifecycleListener in CATALINA_BASE/conf/server.xml.

You can read the documentation for AprLifecycleListener and see that there is a parameter FIPSMode that allows you to control the use of FIPS mode; I think you want FIPSMode="on".



This will make Tomcat (really OpenSSL) work in FIPS compliance. The client has no influence on this and therefore must conform to the server behavior (FIPS compliant).

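The two checks a practitioner would actually run here, as an added example that is not part of the question or the answer above and not code from the Tomcat project: first, a static audit of server.xml confirming that FIPSMode="on" sits on the AprLifecycleListener (and not, by mistake, on a <Connector>, where it is ignored); second, a probe that connects to the server and reports the negotiated cipher suite, classifying it by whether every algorithm in the name belongs to a FIPS 140-2 approved family. The server.xml fragment embedded below is a constructed sample, and the token lists are my own classification of OpenSSL cipher-suite names: a non-approved suite (RC4, MD5, ChaCha20, single DES, NULL) being negotiated proves FIPS mode is not active, while an approved suite is necessary but not sufficient, since only the FIPS-mode OpenSSL build enforces the module boundary.

```python
"""Audit a Tomcat server.xml for FIPSMode and probe the live TLS endpoint.

Added example; not from the original post or from the Tomcat project.
"""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample server.xml (not a real deployment file). FIPSMode goes on
# the Listener; the APR connector itself carries only the certificate paths.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" />
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="${catalina.base}/conf/server.crt"
               SSLCertificateKeyFile="${catalina.base}/conf/server.key" />
  </Service>
</Server>
"""

# Tokens in OpenSSL cipher-suite names that are NOT FIPS 140-2 approved.
# (My classification: RC4/RC2/single DES/Camellia/SEED/IDEA/ChaCha20 ciphers,
# MD5 digests, NULL encryption, export-grade and anonymous key exchange.)
NON_APPROVED_TOKENS = {
    "RC4", "RC2", "DES", "CAMELLIA", "SEED", "IDEA", "CHACHA20", "POLY1305",
    "MD5", "NULL", "EXP", "EXPORT", "ADH", "AECDH",
}


def audit_server_xml(xml_text):
    """Return (fips_on, findings) for a server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    listeners = [el for el in root.iter("Listener")
                 if el.get("className") == APR_LISTENER]
    if not listeners:
        findings.append("no AprLifecycleListener: APR/OpenSSL is not in use")
        return False, findings
    mode = listeners[0].get("FIPSMode", "off").lower()
    if mode != "on":
        findings.append("FIPSMode is %r on the listener, expected 'on'" % mode)
    # The attribute only has effect on the Listener; flag the common mistake.
    for conn in root.iter("Connector"):
        if "FIPSMode" in conn.attrib:
            findings.append("FIPSMode on <Connector> port %s is ignored"
                            % conn.get("port"))
    return mode == "on", findings


def classify_cipher(name):
    """True if every token of an OpenSSL cipher-suite name is FIPS-approved."""
    # "DES-CBC3" is Triple DES (approved); rewrite it so the bare "DES" token
    # only matches single DES.
    tokens = name.upper().replace("DES-CBC3", "3DES").split("-")
    return not any(tok in NON_APPROVED_TOKENS for tok in tokens)


def probe_tls(host, port=443, verify=True):
    """Connect and report the negotiated protocol and cipher suite.

    verify=False is only for a self-signed test certificate on localhost,
    as in the question; it disables certificate validation, nothing else.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            return {"protocol": proto, "cipher": name, "bits": bits,
                    "fips_approved": classify_cipher(name)}


if __name__ == "__main__":
    on, notes = audit_server_xml(SAMPLE_SERVER_XML)
    print("sample server.xml FIPSMode on:", on, notes)
    # Usage: python fips_check.py localhost 443 [--insecure]
    if len(sys.argv) >= 3:
        insecure = "--insecure" in sys.argv
        print(probe_tls(sys.argv[1], int(sys.argv[2]), verify=not insecure))
```

The static audit catches the misconfiguration the answer warns about, and the probe answers the first question directly: if the negotiated suite ever contains RC4, MD5 or ChaCha20, the OpenSSL module is not running in FIPS mode, whatever the log line says.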