Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

2022-05-17 Thread Rupesh P
Hi Christopher Schultz,
I am sorry for the inconvenience caused.

Actually I am not able to enable the FIPS Mode in Tomcat 9 for Windows. It
gives an error "Failed to enter fips mode".

Software Specifications:
> Tomcat version - 9.0.34
> Openssl version - 3.0.2
> OS - Windows Server 2019 64-bit

I tried building the Tomcat Native library with APR (1.7.0),
OpenSSL (3.0.2) and Tomcat Native library (1.2.32).

The OpenSSL 3.0.2 along with the FIPS got built successfully.

Since the FIPS Object Module Package is already integrated with OpenSSL
3.0, there is no separate package for it. So I have built the Tomcat Native
library and it got built successfully. But when I tried to:
1. Put the tcnative-1.dll in the Bin folder of Tomcat 9
2. Add the FIPSMODE="on" for the APR listener
3. Add the HTTPS connector to use the Native (OpenSSL) implementation of
   the SSL/TLS protocol
4. Restart Tomcat and check the catalina.log

The FIPS mode is not getting enabled; the log shows the error "Failed to
enter fips mode" and along with that it also states "FIPS was not
available to tcnative at build time".

The same steps I have performed for OpenSSL version 1.0.2 along with
the FIPS Object Module Package. There Tomcat was able to initialize FIPS
mode and Tomcat started with the FIPS mode.

Is there any way to overcome this issue?
Please do let me know any solution for this issue.

Thanks,
Rupesh.



On Tue, May 17, 2022 at 10:02 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Rupesh,
>
> Sorry for top-posting, but all of your screenshots were stripped-out of
> your original post. Can you please provide text-only information for the
> mailing list?
>
> Thanks,
> -chris
>
> On 5/17/22 05:07, Rupesh P wrote:
> > Good Evening,
> > I have an issue while enabling the FIPS mode in Tomcat9 for Windows where
> > it throws me an error "Failed to enter fips mode". Below are the detailed
> > explanation and content. Sorry for the length but I am trying to provide
> > all of the relevant details in hopes that the solution to this issue
> > will be easily identifiable.
> >
> > *Method 1:*
> >
> > Software Specifications:
> > Tomcat version - 9.0.34
> > Openssl version - 3.0.2
> > OS - Windows Server 2019 64-bit
> >
> > I have installed the OpenSSL version (3.0.2) along with the FIPS Module
> > installation as per the steps mentioned in the wiki
> > (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0).
> >
> > The openssl 3.0.2 and fips module got installed successfully.
> >
> > openssl version.PNG
> >
> >
> > Post installation of OpenSSL, I tried enabling the FIPS mode in
> > Tomcat9. For that I have performed:
> >
> >  1. Added the FIPSMODE="on" for APR listener in the server.xml of Tomcat9.
> >  2. Restarted the Tomcat server.
> >  3. But FIPS Mode was not enabled.
> >
> > Fipsmode server xml.PNG
> >
> > fips error1.PNG
> >
> > *Method 2:*
> >
> > I researched on the web and found a few links and references for
> > enabling the FIPS mode in Tomcat, but that is for the older version of
> > OpenSSL (i.e. 1.0.2l), where they are also downloading the OpenSSL FIPS
> > Object Module 2.0.16 as an external package and building it with the
> > tcnative library.
> >
> > The steps are:
> >
> > Building the OpenSSL
> > Building APR
> > Building Tomcat native library.
> > Adding the FIPSMode="on" for the APR listener.
> > The link of the reference:
> > https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/
> >
> > I followed the same steps and tried building the Tomcat Native library
> > except omitting the FIPS Object Module build setup, since in our case
> > FIPS FOM is integrated with OpenSSL 3.0.
> >
> > The versions of the modules I used:
> >
> > OPENSSL 3.0.2
> > APR version 1.7.0
> > Tomcat Native library 1.2.32
> > I have successfully built the Tomcat Native library and tried putting it
> > in the bin folder and restarted the Tomcat service. But there I get
> > another error message stating "FIPS was not available to tcnative at
> > build time".
> >
> > fips error.PNG
> >
> > There was a switch or parameter which is being passed to build tcnative
> > along with FIPS. When I tried building the tcnative with that parameter,
> > I get an error.
> > native error.PNG
> >
> > The command that I used for building tcnative is:
> > nmake -f NMAKEMakefile BUILD_CPU=x64
> > WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0"
> > WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2"
> > APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1
> >
> > Without the WITH_FIPS=1 

Re: Per context heap usage

2022-05-17 Thread Mark Thomas

On 17/05/2022 17:34, Christopher Schultz wrote:
> Mark,
>
> On 5/17/22 08:17, Mark Thomas wrote:
> > On 17/05/2022 10:41, Thomas Meyer wrote:
> > > Hi,
> > >
> > > Is it possible to find out the per deployed context heap usage in
> > > tomcat?
> >
> > With a profiler you can look at the retained size of the web
> > application class loader instance associated with a web application.
>
> I don't think this will tell you the volume of objects which belong to
> those classes, though.
>
> If I read a big String into my application, it won't be counted towards
> the retained size of the web application classloader -- or will it? I
> don't understand how that String object could count towards the
> classloader's memory footprint.

It should do. The profiler traces object references and they should all
lead back to the web application class loader.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Per context heap usage

2022-05-17 Thread Christopher Schultz

Mark,

On 5/17/22 08:17, Mark Thomas wrote:
> On 17/05/2022 10:41, Thomas Meyer wrote:
> > Hi,
> >
> > Is it possible to find out the per deployed context heap usage in tomcat?
>
> With a profiler you can look at the retained size of the web application
> class loader instance associated with a web application.

I don't think this will tell you the volume of objects which belong to
those classes, though.

If I read a big String into my application, it won't be counted towards
the retained size of the web application classloader -- or will it? I
don't understand how that String object could count towards the
classloader's memory footprint.


-chris




Re: FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

2022-05-17 Thread Christopher Schultz

Rupesh,

Sorry for top-posting, but all of your screenshots were stripped-out of 
your original post. Can you please provide text-only information for the 
mailing list?


Thanks,
-chris

On 5/17/22 05:07, Rupesh P wrote:
> Good Evening,
> I have an issue while enabling the FIPS mode in Tomcat9 for Windows where
> it throws me an error "Failed to enter fips mode". Below are the detailed
> explanation and content. Sorry for the length but I am trying to provide
> all of the relevant details in hopes that the solution to this issue
> will be easily identifiable.
>
> *Method 1:*
>
> Software Specifications:
> Tomcat version - 9.0.34
> Openssl version - 3.0.2
> OS - Windows Server 2019 64-bit
>
> I have installed the OpenSSL version (3.0.2) along with the FIPS Module
> installation as per the steps mentioned in the wiki
> (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0).
>
> The OpenSSL 3.0.2 and FIPS module got installed successfully.
>
> openssl version.PNG
>
> Post installation of OpenSSL, I tried enabling the FIPS mode in
> Tomcat9. For that I have performed:
>
>  1. Added the FIPSMODE="on" for APR listener in the server.xml of Tomcat9.
>  2. Restarted the Tomcat server.
>  3. But FIPS Mode was not enabled.
>
> Fipsmode server xml.PNG
>
> fips error1.PNG
>
> *Method 2:*
>
> I researched on the web and found a few links and references for
> enabling the FIPS mode in Tomcat, but that is for the older version of
> OpenSSL (i.e. 1.0.2l), where they are also downloading the OpenSSL FIPS
> Object Module 2.0.16 as an external package and building it with the
> tcnative library.
>
> The steps are:
>
> Building the OpenSSL
> Building APR
> Building Tomcat native library.
> Adding the FIPSMode="on" for the APR listener.
> The link of the reference:
> https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/
>
> I followed the same steps and tried building the Tomcat Native library
> except omitting the FIPS Object Module build setup, since in our case
> FIPS FOM is integrated with OpenSSL 3.0.
>
> The versions of the modules I used:
>
> OPENSSL 3.0.2
> APR version 1.7.0
> Tomcat Native library 1.2.32
> I have successfully built the Tomcat Native library and tried putting it
> in the bin folder and restarted the Tomcat service. But there I get
> another error message stating "FIPS was not available to tcnative at
> build time".
>
> fips error.PNG
>
> There was a switch or parameter which is being passed to build tcnative
> along with FIPS. When I tried building the tcnative with that parameter,
> I get an error.
>
> native error.PNG
>
> The command that I used for building tcnative is:
> nmake -f NMAKEMakefile BUILD_CPU=x64
> WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0"
> WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2"
> APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1
>
> Without the WITH_FIPS=1 parameter the tcnative is getting built
> successfully.
>
> So these are the findings I have made. Is there any way to overcome this
> issue?
> Please do let me know if there are any other options or ways to resolve
> this error (to enable FIPS mode in Tomcat9).
>
> Thanks,
>
> Rupesh P.






Re: Per context heap usage

2022-05-17 Thread Mark Thomas

On 17/05/2022 10:41, Thomas Meyer wrote:
> Hi,
>
> Is it possible to find out the per deployed context heap usage in tomcat?

With a profiler you can look at the retained size of the web application
class loader instance associated with a web application.


Mark




Per context heap usage

2022-05-17 Thread Thomas Meyer
Hi,

Is it possible to find out the per deployed context heap usage in tomcat?

Best regards
Thomas

FIPS Mode is not getting enabled in Tomcat9 using Openssl 3.0.2 post successful FIPS module installation in windows

2022-05-17 Thread Rupesh P
Good Evening,
I have an issue while enabling the FIPS mode in Tomcat9 for Windows where it
throws me an error "Failed to enter fips mode". Below are the detailed
explanation and content. Sorry for the length but I am trying to provide
all of the relevant details in hopes that the solution to this issue will
be easily identifiable.

*Method 1:*

Software Specifications:
Tomcat version - 9.0.34
Openssl version - 3.0.2
OS - Windows Server 2019 64-bit

I have installed the openssl version (3.0.2) along with the FIPS Module
installation as per the steps mentioned in the wiki (
https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
).

The openssl 3.0.2 and fips module got installed successfully.
[image: openssl version.PNG]


Post installation of OpenSSL, I tried enabling the FIPS mode in Tomcat9.
For that I have performed:


   1. Added the FIPSMODE="on" for APR listener in the server.xml of Tomcat9.
   2. Restarted the Tomcat server.
   3. But FIPS Mode was not enabled.

[image: Fipsmode server xml.PNG]

[image: fips error1.PNG]

*Method 2:*

I researched on the web and found a few links and references for enabling
the FIPS mode in Tomcat, but that is for the older version of OpenSSL (i.e.
1.0.2l), where they are also downloading the OpenSSL FIPS Object Module
2.0.16 as an external package and building it with the tcnative library.

The steps are:

Building the OpenSSL
Building APR
Building Tomcat native library.
Adding the FIPSMode="on" for the APR listener.
The link of the reference:
https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/

I followed the same steps and tried building the Tomcat Native library
except omitting the FIPS Object Module build setup, since in our case FIPS
FOM is integrated with OpenSSL 3.0.

The versions of the modules I used:

OPENSSL 3.0.2
APR version 1.7.0
Tomcat Native library 1.2.32
I have successfully built the Tomcat Native library and tried putting it in
the bin folder and restarted the Tomcat service. But there I get another
error message stating "FIPS was not available to tcnative at build time".
[image: fips error.PNG]

There was a switch or parameter which is being passed to build tcnative
along with FIPS. When I tried building the tcnative with that parameter, I
get an error.
[image: native error.PNG]

The command that I used for building tcnative is:
nmake -f NMAKEMakefile BUILD_CPU=x64
WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0"
WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2"
APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1

Without the WITH_FIPS=1 parameter the tcnative is getting built
successfully.

So these are the findings I have made. Is there any way to overcome this
issue?
Please do let me know if there are any other options or ways to resolve this
error (to enable FIPS mode in Tomcat9).


Thanks,

Rupesh P.


Re: AW: embeded tomcat apache-jasper dependency

2022-05-17 Thread Mark Thomas

On 17/05/2022 08:13, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Hello,
>
> > -----Original Message-----
> > From: Rob Sargent
> > Sent: Tuesday, 17 May 2022 00:38
> > To: users@tomcat.apache.org
> > Subject: embeded tomcat apache-jasper dependency
> >
> > I'm seeing a new-to-me deployment failure and am at a loss to explain.
> >
> > Using tomcat 9-0-63 (and getting
> >
> > Caused by: java.lang.IllegalArgumentException: More than one
> > fragment with the name [org_apache_jasper_el] was found. This is not
> > legal with relative ordering. See section 8.2.2 2c of the Servlet
> > specification for details. Consider using absolute ordering.
> >      at org.apache.tomcat.util.descriptor.web.WebXml.orderWebFragments(WebXml.java:2262)
> >      at org.apache.tomcat.util.descriptor.web.WebXml.orderWebFragments(WebXml.java:2220)
> >
> > My dependency manager (gradle) finds mention of jasper as an explicit
> > dependency
> >
> >   \--- project :webapp
> >    +--- project :transport (*)
> >    +--- com.fasterxml.jackson.core:jackson-databind:2.11.4 (*)
> >    +--- com.fasterxml.jackson.core:jackson-core:2.11.4
> >    +--- com.fasterxml.jackson.core:jackson-annotations:2.11.4
> >    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.11.4 (*)
> >    +--- javax.servlet:javax.servlet-api:3.1.0
> >    +--- javax.servlet.jsp:javax.servlet.jsp-api:2.3.3
> >    +--- org.apache.tomcat.embed:tomcat-embed-core:9.0.+ -> 9.0.63
> >    |    \--- org.apache.tomcat:tomcat-annotations-api:9.0.63
> >    +--- org.apache.tomcat.embed:tomcat-embed-jasper:9.0.+ -> 9.0.63
> >    |    +--- org.apache.tomcat.embed:tomcat-embed-core:9.0.63 (*)
> >    |    +--- org.apache.tomcat.embed:tomcat-embed-el:9.0.63
> >    |    \--- org.eclipse.jdt:ecj:3.18.0
> >    +--- org.apache.tomcat.embed:tomcat-embed-logging-juli:9.0.0.M6
> >    +--- org.apache.tomcat:tomcat-jdbc:9.0.+ -> 9.0.63
> >    |    \--- org.apache.tomcat:tomcat-juli:9.0.63
> >    +--- org.apache.tomcat:tomcat-dbcp:9.0.+ -> 9.0.63
> >    |    \--- org.apache.tomcat:tomcat-juli:9.0.63
> >    +--- org.apache.tomcat:tomcat-juli:9.0.+ -> 9.0.63
> >    \--- org.slf4j:slf4j-api:1.7.7 -> 1.7.32
> >
> > I see no evidence of even a single instance of the string
> > "org_apache_jasper_el" (not even just "jasper") in any xml file in the
> > deployment directory.
> >
> > Even if I remove the jasper dependency (I'm not using JSF) and rebuild
> > (distTar) the project I get the same complaint (more than one jasper
> > fragment).
> >
> > Any pointers appreciated.
> > rjs
>
> This message probably refers to web-fragments.
> They are usually located at: /META-INF/web-fragment.xml
>
> Within this XML there can be an ordering element and a name element.
>
> Maybe you can inspect the jars for this file.


It looks like you are packaging at least one of the standard Tomcat JARs 
(either jasper-el.jar or tomcat-embed-el.jar) in your web application. 
That will trigger this error.


Mark




AW: embeded tomcat apache-jasper dependency

2022-05-17 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -----Original Message-----
> From: Rob Sargent
> Sent: Tuesday, 17 May 2022 00:38
> To: users@tomcat.apache.org
> Subject: embeded tomcat apache-jasper dependency
> 
> I'm seeing a new-to-me deployment failure and am at a loss to explain.
> 
> 
> Using tomcat 9-0-63 (and getting
> 
> Caused by: java.lang.IllegalArgumentException: More than one
> fragment with the name [org_apache_jasper_el] was found. This is not
> legal with relative ordering. See section 8.2.2 2c of the Servlet
> specification for details. Consider using absolute ordering.
>      at org.apache.tomcat.util.descriptor.web.WebXml.orderWebFragments(WebXml.java:2262)
>      at org.apache.tomcat.util.descriptor.web.WebXml.orderWebFragments(WebXml.java:2220)
> 
> 
> My dependency manager (gradle) finds mention of jasper as an explicit
> dependency
> 
>   \--- project :webapp
>    +--- project :transport (*)
>    +--- com.fasterxml.jackson.core:jackson-databind:2.11.4 (*)
>    +--- com.fasterxml.jackson.core:jackson-core:2.11.4
>    +--- com.fasterxml.jackson.core:jackson-annotations:2.11.4
>    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.11.4 (*)
>    +--- javax.servlet:javax.servlet-api:3.1.0
>    +--- javax.servlet.jsp:javax.servlet.jsp-api:2.3.3
>    +--- org.apache.tomcat.embed:tomcat-embed-core:9.0.+ -> 9.0.63
>    |    \--- org.apache.tomcat:tomcat-annotations-api:9.0.63
>    +--- org.apache.tomcat.embed:tomcat-embed-jasper:9.0.+ -> 9.0.63
>    |    +--- org.apache.tomcat.embed:tomcat-embed-core:9.0.63 (*)
>    |    +--- org.apache.tomcat.embed:tomcat-embed-el:9.0.63
>    |    \--- org.eclipse.jdt:ecj:3.18.0
>    +--- org.apache.tomcat.embed:tomcat-embed-logging-juli:9.0.0.M6
>    +--- org.apache.tomcat:tomcat-jdbc:9.0.+ -> 9.0.63
>    |    \--- org.apache.tomcat:tomcat-juli:9.0.63
>    +--- org.apache.tomcat:tomcat-dbcp:9.0.+ -> 9.0.63
>    |    \--- org.apache.tomcat:tomcat-juli:9.0.63
>    +--- org.apache.tomcat:tomcat-juli:9.0.+ -> 9.0.63
>    \--- org.slf4j:slf4j-api:1.7.7 -> 1.7.32
> 
> I see no evidence of even a single instance of the string
> "org_apache_jasper_el" (not even just "jasper") in any xml file in the
> deployment directory.
> 
> Even if I remove the jasper dependency (I'm not using JSF) and rebuild
> (distTar) the project I get the same complaint (more than one jasper
> fragment).
> 
> 
> 
> Any pointers appreciated.
> rjs

This message probably refers to web-fragments.
They are usually located at: /META-INF/web-fragment.xml

Within this XML there can be an ordering element and a name element.

Maybe you can inspect the jars for this file.

Greetings,
Thomas
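
Inspecting the jars for /META-INF/web-fragment.xml, as suggested in this thread, can be scripted. The following is an added example, not code from the thread or from the Tomcat project: it walks a directory (assumed here to be the unpacked deployment or distribution directory), reads each JAR's web-fragment.xml, and lists every fragment name that more than one JAR declares. The function names are hypothetical.

```python
"""Find web-fragment names declared by more than one JAR (added example)."""
import sys
import zipfile
from collections import defaultdict
from pathlib import Path
from xml.etree import ElementTree as ET

FRAGMENT_PATH = "META-INF/web-fragment.xml"


def fragment_name(jar_path):
    """Return the <name> declared in a JAR's web-fragment.xml, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            try:
                data = jar.read(FRAGMENT_PATH)
            except KeyError:  # this JAR carries no web fragment
                return None
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable or not a real archive
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    # Only direct children count: <ordering> also contains <name> elements,
    # but those refer to other fragments, not to this one.
    for child in root:
        if child.tag.rsplit("}", 1)[-1] == "name":  # drop "{namespace}"
            return (child.text or "").strip() or None
    return None


def duplicate_fragments(root_dir):
    """Map each fragment name found in 2+ JARs under root_dir to those JARs."""
    seen = defaultdict(list)
    for jar_path in sorted(Path(root_dir).rglob("*.jar")):
        name = fragment_name(jar_path)
        if name:
            seen[name].append(str(jar_path))
    return {name: jars for name, jars in seen.items() if len(jars) > 1}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    dupes = duplicate_fragments(target)
    for name, jars in dupes.items():
        print(f"fragment [{name}] declared by:")
        for jar in jars:
            print(f"  {jar}")
    sys.exit(1 if dupes else 0)
```

The non-zero exit status on duplicates lets the check run as a build or packaging gate, so a second copy of a container-provided JAR is caught before deployment.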