https://bz.apache.org/bugzilla/show_bug.cgi?id=65806
Bug ID: 65806
Summary: When running in FIPS mode on openjdk-17,
SessionIdGeneratorBase.java throws SEVERE log messages
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Unless one changes the default configuration, starting Catalina on a FIPS-enabled
machine with jdk-17 prints 2 SEVERE errors in catalina.out per context
initialized.
The messages are generated in SessionIdGeneratorBase.java, and are caused by
the fact that SHA1PRNG is missing in jdk-17.
The messages are confusing, but harmless. The class will use the default
SecureRandom (PKCS11) when SHA1PRNG is not found.
Workaround:
* For webapps that don't define a '<Context><Manager>', one can add '<Manager
secureRandomAlgorithm=""/>' to conf/context.xml. This works for ROOT and
examples in a default install
* For webapps that define a '<Context><Manager>', set
'secureRandomAlgorithm=""' in META-INF/context.xml. This works for manager and
host-manager in a default install.
The log spam could be managed by checking on initialization of the class if the
initial value works, and special-casing it from SHA1PRNG to "" (maybe printing
a warning) in case it doesn't.
Also, I think the messages should be scaled down from SEVERE to INFO when the
secureRandomAlgorithm value is SHA1PRNG, FIPS is enabled and the java version
is jdk-17.
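To see what the report is describing without reading Tomcat's source, the following is an added, stand-alone example (not Tomcat code, and not from the reporter) that mirrors the fallback behaviour of SessionIdGeneratorBase as the report explains it: ask for the configured algorithm name first, and on NoSuchAlgorithmException (or an empty name, the workaround value) fall back to the platform default SecureRandom. It then reports which algorithm and provider were actually selected, which is the check a practitioner wants when running in FIPS mode. The WARNING log level is the reporter's suggestion and the class and method names are assumptions made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Added example, not Tomcat code: reproduces the SecureRandom selection
 * logic described in the bug report so the effective provider can be
 * inspected on a given JDK / FIPS configuration.
 */
public class SecureRandomCheck {

    /**
     * Returns a SecureRandom for the requested algorithm, or the platform
     * default when the name is empty or the algorithm is not available.
     * "SHA1PRNG" is the default value of the Manager's secureRandomAlgorithm
     * attribute; "" is the workaround value from the report.
     */
    static SecureRandom createSecureRandom(String algorithm) {
        if (algorithm != null && !algorithm.isEmpty()) {
            try {
                return SecureRandom.getInstance(algorithm);
            } catch (NoSuchAlgorithmException e) {
                // The report proposes a lower log level than SEVERE here;
                // the exact message text is an assumption of this example.
                System.err.println("WARNING: SecureRandom algorithm '" + algorithm
                        + "' not available (" + e.getMessage()
                        + "); falling back to the platform default");
            }
        }
        // Platform default: in FIPS mode the report says this is PKCS11-backed.
        return new SecureRandom();
    }

    public static void main(String[] args) {
        // Compare the Tomcat default against the workaround value.
        for (String name : new String[] {"SHA1PRNG", ""}) {
            SecureRandom sr = createSecureRandom(name);
            System.out.printf("requested='%s' -> algorithm=%s provider=%s%n",
                    name, sr.getAlgorithm(), sr.getProvider().getName());
        }
    }
}
```

Run it with the same JDK that starts Catalina (for example `java SecureRandomCheck.java` on JDK 11 or later) on both a FIPS-enabled and a non-FIPS host; the provider printed for the empty name is the one Tomcat ends up using after the SEVERE messages, and the warning line only appears where the requested algorithm is really absent.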