Re: FIPS compliancy on Tomcat 7.00.062

2015-08-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Sanaullah,

On 8/5/15 5:54 AM, Sanaullah wrote:
> run the sslscan tool from the command line 
> https://github.com/rbsec/sslscan

I haven't used that tool in a very long time, because it never updated
to support newer protocols (like TLS, I think). Instead, I ended up
writing my own:

http://tomcat.markmail.org/thread/tz4z44nfjl7sy2lj

I've updated that tool a few times in the past few months... I should
post an update.

> or openssl s_client in debug mode

This doesn't help because it only tells you that a single connection
type will work. You have to invoke that command many many times to
test your server.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
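The check Sanaullah suggested (quoted above) and Chris's caveat that s_client only tells you about one connection type per run, as an added example that is not code from the thread or from Chris's tool: a POSIX shell script that runs `openssl s_client` once per protocol flag and cipher and classifies each transcript, treating `Cipher is (NONE)` the way Sanaullah read Nikitha's output. The HOST:PORT argument and the two sample transcripts are constructed for illustration and are not a real target.

```shell
#!/bin/sh
# Added example, not code from the thread: invoke `openssl s_client` once per
# protocol flag and cipher, as Chris's reply says you must, and classify each
# transcript. "New, (NONE), Cipher is (NONE)" means no suite was negotiated,
# so the handshake never completed even though the session block says TLSv1.2.
# Usage: ./tlsprobe.sh HOST:PORT   (HOST:PORT is your own server; assumption)

# Read one s_client transcript on stdin and print one of:
#   "ok <protocol> <cipher>"  a cipher suite was negotiated
#   "fail"                    s_client reported "Cipher is (NONE)"
#   "unknown"                 transcript carried neither result (e.g. an error)
classify_s_client() {
    proto=""; cipher=""; nocipher=0
    while IFS= read -r line; do
        case "$line" in
            *"Cipher is (NONE)"*)          nocipher=1 ;;
            "New, "*", Cipher is "*)       cipher=${line##*"Cipher is "} ;;
            *"Protocol  :"*)               proto=${line##*": "} ;;
        esac
    done
    if [ "$nocipher" -eq 1 ]; then
        echo "fail"
    elif [ -n "$cipher" ]; then
        echo "ok ${proto:-?} $cipher"
    else
        echo "unknown"
    fi
}

# Probe HOST:PORT: one full handshake per (protocol flag, cipher) pair, printing
# only the combinations the server actually completes. Flags or suites this
# openssl build does not support just come back "unknown" and are skipped.
# TLS 1.3 suites are selected with -ciphersuites, not -cipher, and are not covered.
probe_tls() {
    target=$1
    all_ciphers=$(openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' ' ')
    for flag in tls1 tls1_1 tls1_2; do
        for c in $all_ciphers; do
            verdict=$(openssl s_client -connect "$target" "-$flag" -cipher "$c" \
                      </dev/null 2>/dev/null | classify_s_client)
            case "$verdict" in
                ok*) echo "$flag $verdict" ;;
            esac
        done
    done
}

# Constructed, abridged transcripts so the file can be exercised offline.
# SAMPLE_FAIL mirrors the thread's output: TLSv1.2 shown, but no cipher.
SAMPLE_FAIL='CONNECTED(00000003)
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 
    Verify return code: 18 (self signed certificate)'

SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)'

# With no argument, run the classifier over the samples; with HOST:PORT, probe it.
if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE_FAIL" | classify_s_client   # fail
    printf '%s\n' "$SAMPLE_OK"   | classify_s_client   # ok TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
else
    probe_tls "$1"
fi
```

Each probe is a complete handshake attempt, so expect several hundred connections in the server's access log for one run.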



Re: FIPS compliancy on Tomcat 7.00.062

2015-08-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Nikitha,

On 8/5/15 6:52 AM, Nikitha Benny wrote:
> Thank you for your valuable suggestion.
> 
> I just ran the openssl s_client scan, and it looks like the server
> side is running fine on *TLSv1.2* Protocol.
> 
> [root]## *openssl s_client -connect 16.183.93.84:8444*
> CONNECTED(0003)
> -END CERTIFICATE-
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : *TLSv1.2*
> Cipher: 
> Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> Session-ID-ctx:
> Master-Key:
> Key-Arg   : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1438771286
> Timeout   : 300 (sec)
> Verify return code: 18 (self signed certificate)
> 
> So could it be an issue with the browser? Since the browser is not
> FIPS compliant, could it be the reason for the issue?

FIPS compliance is really nothing more than using a certified set of
ciphers, and having the crypto module self-verify when it initializes
to ensure that it has not been tampered with.

So a FIPS-certified stack connecting to a non-FIPS-certified stack is
no different from FIPS-to-FIPS or FIPS-less-to-FIPS-less. It will work
whether FIPS compliance is met on either side of the connection or not.

IIRC (I haven't read the requirements recently), every truly
FIPS-compliant environment is currently vulnerable because FIPS
requires the support of known vulnerable protocols such as SSL3 as
well as a few required ciphers that were intentionally weakened by the
NSA.

If you want to be FIPS-compliant, I suggest that you be "nominally"
FIPS compliant and disable all of the bad stuff FIPS requires, yet
adhere to the rest of the requirements.

- -chris




Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Sanaullah
If you remove the entire ciphers attribute from the server.xml then by
default the SSL/TLS session picks the best available cipher from the SSL/TLS
handshake version.





On Wed, Aug 5, 2015 at 4:10 PM, Nikitha Benny  wrote:

> Hi Sanaullah,
>
> That is because we have removed the entire "ciphers" attribute from the
> server.xml file.
> But that should be fine as the non-compliant FIPS also has the "cipher"
> attribute removed and it shows the similar client to server connection and
> runs fine.
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 4:28 PM, Sanaullah  wrote:
>
> > run this command with debugging prints.
> >
> > openssl s_client -connect 16.183.93.84:8444 -debug -msg
> >
> > > Protocol  : *TLSv1.2*
> > > Cipher: 
> > it seems something is broken as there is no Cipher
> >
> > Regards,
> > Sanaullah
> >
> >
> >
> > On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny 
> > wrote:
> >
> > > Hi Mark, Sanaullah,
> > >
> > > Thank you for your valuable suggestion.
> > >
> > > I just ran the openssl s_client scan, and it looks like the server side
> > is
> > > running fine on *TLSv1.2* Protocol.
> > >
> > > [root]## *openssl s_client -connect 16.183.93.84:8444
> > > *
> > > CONNECTED(0003)
> > > -END CERTIFICATE-
> > > subject=/C=US/ST=California/L=Palo
> Alto/O=Hewlett-Packard/OU=OpenView/CN=
> > > IWFVM01284.hpswlabs.adapps.hp.com
> > > issuer=/C=US/ST=California/L=Palo
> Alto/O=Hewlett-Packard/OU=OpenView/CN=
> > > IWFVM01284.hpswlabs.adapps.hp.com
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 1476 bytes and written 7 bytes
> > > ---
> > > New, (NONE), Cipher is (NONE)
> > > Server public key is 2048 bit
> > > Secure Renegotiation IS supported
> > > Compression: NONE
> > > Expansion: NONE
> > > SSL-Session:
> > > Protocol  : *TLSv1.2*
> > > Cipher: 
> > > Session-ID:
> > > 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> > > Session-ID-ctx:
> > > Master-Key:
> > > Key-Arg   : None
> > > Krb5 Principal: None
> > > PSK identity: None
> > > PSK identity hint: None
> > > Start Time: 1438771286
> > > Timeout   : 300 (sec)
> > > Verify return code: 18 (self signed certificate)
> > >
> > > So could it be an issue with the browser?
> > > Since the browser is not FIPS compliant, could it be the reason for the
> > > issue?
> > >
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah 
> wrote:
> > >
> > > > Hi Nikitha,
> > > >
> > > > run the sslscan tool from the command line or openssl s_client in
> debug
> > > > mode
> > > > https://github.com/rbsec/sslscan
> > > >
> > > > Regards,
> > > > Sanaullah
> > > >
> > > > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny  >
> > > > wrote:
> > > >
> > > > > Hi Mark,
> > > > >
> > > > > My server is not on a public domain.
> > > > > How can I verify the setup which is on a private network?
> > > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas 
> > wrote:
> > > > >
> > > > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > > > Hi Mark,
> > > > > > >
> > > > > > > When I try to run Tomcat on the https server port:
> > > > > > >
> > > > > > > *https://:8444/*
> > > > > > >
> > > > > > > It says as below:
> > > > > > > --
> > > > > > >
> > > > > > > *SSL connection error*
> > > > > > >
> > > > > > > *ERR_SSL_PROTOCOL_ERROR*
> > > > > > >
> > > > > > > *Unable to make a secure connection to the server. This may be
> a
> > > > > problem
> > > > > > > with the server, or it may be requiring a client authentication
> > > > > > certificate
> > > > > > > that you don't have*
> > > > > > > **
> > > > > >
> > > > > > That is the client side. What about server side logs?
> > > > > >
> > > > > > > We have set the client authentication to False, so it does not
> > need
> > > > any
> > > > > > > client authorized certificate.
> > > > > >
> > > > > > I recommend you run https://www.ssllabs.com/ssltest/ against
> your
> > > > > > server. That will tell you if you have a server side issue, a
> > client
> > > > > > side issue or simply a mismatch between the two.
> > > > > >
> > > > > > Mark
> > > > > >
> > > > > > >
> > > > > > > Regards,
> > > > > > > Nikitha
> > > > > > >
> > > > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <
> > > > nikki.be...@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > >>> But still Tomcat does not run on the https port.
> > > > > > >>
> > > > > > >> As in, when we run Tomcat on the https server port it does not
> > > > display
> > > > > > the
> > > > > > >> page.
> > > > 

Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Nikitha Benny
Hi Sanaullah,

That is because we have removed the entire "ciphers" attribute from the
server.xml file.
But that should be fine as the non-compliant FIPS also has the "cipher"
attribute removed and it shows the similar client to server connection and
runs fine.

Regards,
Nikitha

On Wed, Aug 5, 2015 at 4:28 PM, Sanaullah  wrote:

> run this command with debugging prints.
>
> openssl s_client -connect 16.183.93.84:8444 -debug -msg
>
> > Protocol  : *TLSv1.2*
> > Cipher: 
> it seems something is broken as there is no Cipher
>
> Regards,
> Sanaullah
>
>
>
> On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny 
> wrote:
>
> > Hi Mark, Sanaullah,
> >
> > Thank you for your valuable suggestion.
> >
> > I just ran the openssl s_client scan, and it looks like the server side
> is
> > running fine on *TLSv1.2* Protocol.
> >
> > [root]## *openssl s_client -connect 16.183.93.84:8444
> > *
> > CONNECTED(0003)
> > -END CERTIFICATE-
> > subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
> > IWFVM01284.hpswlabs.adapps.hp.com
> > issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
> > IWFVM01284.hpswlabs.adapps.hp.com
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1476 bytes and written 7 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol  : *TLSv1.2*
> > Cipher: 
> > Session-ID:
> > 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> > Session-ID-ctx:
> > Master-Key:
> > Key-Arg   : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1438771286
> > Timeout   : 300 (sec)
> > Verify return code: 18 (self signed certificate)
> >
> > So could it be an issue with the browser?
> > Since the browser is not FIPS compliant, could it be the reason for the
> > issue?
> >
> >
> > Regards,
> > Nikitha
> >
> > On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah  wrote:
> >
> > > Hi Nikitha,
> > >
> > > run the sslscan tool from the command line or openssl s_client in debug
> > > mode
> > > https://github.com/rbsec/sslscan
> > >
> > > Regards,
> > > Sanaullah
> > >
> > > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny 
> > > wrote:
> > >
> > > > Hi Mark,
> > > >
> > > > My server is not on a public domain.
> > > > How can I verify the setup which is on a private network?
> > > >
> > > > Regards,
> > > > Nikitha
> > > >
> > > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas 
> wrote:
> > > >
> > > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > > Hi Mark,
> > > > > >
> > > > > > When I try to run Tomcat on the https server port:
> > > > > >
> > > > > > *https://:8444/*
> > > > > >
> > > > > > It says as below:
> > > > > > --
> > > > > >
> > > > > > *SSL connection error*
> > > > > >
> > > > > > *ERR_SSL_PROTOCOL_ERROR*
> > > > > >
> > > > > > *Unable to make a secure connection to the server. This may be a
> > > > problem
> > > > > > with the server, or it may be requiring a client authentication
> > > > > certificate
> > > > > > that you don't have*
> > > > > > **
> > > > >
> > > > > That is the client side. What about server side logs?
> > > > >
> > > > > > We have set the client authentication to False, so it does not
> need
> > > any
> > > > > > client authorized certificate.
> > > > >
> > > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > > server. That will tell you if you have a server side issue, a
> client
> > > > > side issue or simply a mismatch between the two.
> > > > >
> > > > > Mark
> > > > >
> > > > > >
> > > > > > Regards,
> > > > > > Nikitha
> > > > > >
> > > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <
> > > nikki.be...@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > >>> But still Tomcat does not run on the https port.
> > > > > >>
> > > > > >> As in, when we run Tomcat on the https server port it does not
> > > display
> > > > > the
> > > > > >> page.
> > > > > >> Whereas it goes through fine on the http port. The URL opens.
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas 
> > > wrote:
> > > > > >>
> > > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > > >  Hello Mark,
> > > > > 
> > > > >  Thanks for your valuable suggestion.
> > > > > 
> > > > >  We were successful in creating the pkcs12 keystore which picks
> > up
> > > > > >>> SHA256 as
> > > > >  shown below:
> > > > > >>>
> > > > > >>> 
> > > > > >>>
> > > > >  But

Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Sanaullah
run this command with debugging prints.

openssl s_client -connect 16.183.93.84:8444 -debug -msg

> Protocol  : *TLSv1.2*
> Cipher: 
it seems something is broken as there is no Cipher

Regards,
Sanaullah



On Wed, Aug 5, 2015 at 3:52 PM, Nikitha Benny  wrote:

> Hi Mark, Sanaullah,
>
> Thank you for your valuable suggestion.
>
> I just ran the openssl s_client scan, and it looks like the server side is
> running fine on *TLSv1.2* Protocol.
>
> [root]## *openssl s_client -connect 16.183.93.84:8444
> *
> CONNECTED(0003)
> -END CERTIFICATE-
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
> IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
> IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : *TLSv1.2*
> Cipher: 
> Session-ID:
> 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
> Session-ID-ctx:
> Master-Key:
> Key-Arg   : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1438771286
> Timeout   : 300 (sec)
> Verify return code: 18 (self signed certificate)
>
> So could it be an issue with the browser?
> Since the browser is not FIPS compliant, could it be the reason for the
> issue?
>
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah  wrote:
>
> > Hi Nikitha,
> >
> > run the sslscan tool from the command line or openssl s_client in debug
> > mode
> > https://github.com/rbsec/sslscan
> >
> > Regards,
> > Sanaullah
> >
> > On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny 
> > wrote:
> >
> > > Hi Mark,
> > >
> > > My server is not on a public domain.
> > > How can I verify the setup which is on a private network?
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas  wrote:
> > >
> > > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > > Hi Mark,
> > > > >
> > > > > When I try to run Tomcat on the https server port:
> > > > >
> > > > > *https://:8444/*
> > > > >
> > > > > It says as below:
> > > > > --
> > > > >
> > > > > *SSL connection error*
> > > > >
> > > > > *ERR_SSL_PROTOCOL_ERROR*
> > > > >
> > > > > *Unable to make a secure connection to the server. This may be a
> > > problem
> > > > > with the server, or it may be requiring a client authentication
> > > > certificate
> > > > > that you don't have*
> > > > > **
> > > >
> > > > That is the client side. What about server side logs?
> > > >
> > > > > We have set the client authentication to False, so it does not need
> > any
> > > > > client authorized certificate.
> > > >
> > > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > > server. That will tell you if you have a server side issue, a client
> > > > side issue or simply a mismatch between the two.
> > > >
> > > > Mark
> > > >
> > > > >
> > > > > Regards,
> > > > > Nikitha
> > > > >
> > > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <
> > nikki.be...@gmail.com>
> > > > > wrote:
> > > > >
> > > > >>> But still Tomcat does not run on the https port.
> > > > >>
> > > > >> As in, when we run Tomcat on the https server port it does not
> > display
> > > > the
> > > > >> page.
> > > > >> Whereas it goes through fine on the http port. The URL opens.
> > > > >>
> > > > >>
> > > > >>
> > > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas 
> > wrote:
> > > > >>
> > > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > > >  Hello Mark,
> > > > 
> > > >  Thanks for your valuable suggestion.
> > > > 
> > > >  We were successful in creating the pkcs12 keystore which picks
> up
> > > > >>> SHA256 as
> > > >  shown below:
> > > > >>>
> > > > >>> 
> > > > >>>
> > > >  But still Tomcat does not run on the https port.
> > > > >>>
> > > > >>> Define "does not run".
> > > > >>>
> > > >  Any clue as to why this happens?
> > > > >>>
> > > > >>> Based on the information provided so far, no.
> > > > >>>
> > > >  The protocol I am using is*
> > > > "org.apache.coyote.http11.Http11Protocol".*
> > > > >>>
> > > > >>> OK. That is the HTTP BIO connector.
> > > > >>>
> > > >  Could it be because I am not using an APR connector protocol?
> > > > >>>
> > > > >>> No.
> > > > >>>
> > > > >>> Mark
> > > > >>>
> > > > >>>
> > > > >>>

Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Nikitha Benny
Hi Mark, Sanaullah,

Thank you for your valuable suggestion.

I just ran the openssl s_client scan, and it looks like the server side is
running fine on *TLSv1.2* Protocol.

[root]## *openssl s_client -connect 16.183.93.84:8444
*
CONNECTED(0003)
-END CERTIFICATE-
subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
IWFVM01284.hpswlabs.adapps.hp.com
issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN=
IWFVM01284.hpswlabs.adapps.hp.com
---
No client certificate CA names sent
---
SSL handshake has read 1476 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : *TLSv1.2*
Cipher: 
Session-ID:
55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
Session-ID-ctx:
Master-Key:
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1438771286
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)

So could it be an issue with the browser?
Since the browser is not FIPS compliant, could it be the reason for the
issue?


Regards,
Nikitha

On Wed, Aug 5, 2015 at 3:24 PM, Sanaullah  wrote:

> Hi Nikitha,
>
> run the sslscan tool from the command line or openssl s_client in debug
> mode
> https://github.com/rbsec/sslscan
>
> Regards,
> Sanaullah
>
> On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny 
> wrote:
>
> > Hi Mark,
> >
> > My server is not on a public domain.
> > How can I verify the setup which is on a private network?
> >
> > Regards,
> > Nikitha
> >
> > On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas  wrote:
> >
> > > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > > Hi Mark,
> > > >
> > > > When I try to run Tomcat on the https server port:
> > > >
> > > > *https://:8444/*
> > > >
> > > > It says as below:
> > > > --
> > > >
> > > > *SSL connection error*
> > > >
> > > > *ERR_SSL_PROTOCOL_ERROR*
> > > >
> > > > *Unable to make a secure connection to the server. This may be a
> > problem
> > > > with the server, or it may be requiring a client authentication
> > > certificate
> > > > that you don't have*
> > > > **
> > >
> > > That is the client side. What about server side logs?
> > >
> > > > We have set the client authentication to False, so it does not need
> any
> > > > client authorized certificate.
> > >
> > > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > > server. That will tell you if you have a server side issue, a client
> > > side issue or simply a mismatch between the two.
> > >
> > > Mark
> > >
> > > >
> > > > Regards,
> > > > Nikitha
> > > >
> > > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny <
> nikki.be...@gmail.com>
> > > > wrote:
> > > >
> > > >>> But still Tomcat does not run on the https port.
> > > >>
> > > >> As in, when we run Tomcat on the https server port it does not
> display
> > > the
> > > >> page.
> > > >> Whereas it goes through fine on the http port. The URL opens.
> > > >>
> > > >>
> > > >>
> > > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas 
> wrote:
> > > >>
> > > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> > >  Hello Mark,
> > > 
> > >  Thanks for your valuable suggestion.
> > > 
> > >  We were successful in creating the pkcs12 keystore which picks up
> > > >>> SHA256 as
> > >  shown below:
> > > >>>
> > > >>> 
> > > >>>
> > >  But still Tomcat does not run on the https port.
> > > >>>
> > > >>> Define "does not run".
> > > >>>
> > >  Any clue as to why this happens?
> > > >>>
> > > >>> Based on the information provided so far, no.
> > > >>>
> > >  The protocol I am using is*
> > > "org.apache.coyote.http11.Http11Protocol".*
> > > >>>
> > > >>> OK. That is the HTTP BIO connector.
> > > >>>
> > >  Could it be because I am not using an APR connector protocol?
> > > >>>
> > > >>> No.
> > > >>>
> > > >>> Mark
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>
> > > >
> > >
> > >
> > >
> > >
> >
>


Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Sanaullah
Hi Nikitha,

run the sslscan tool from the command line or openssl s_client in debug mode
https://github.com/rbsec/sslscan

Regards,
Sanaullah

On Wed, Aug 5, 2015 at 2:23 PM, Nikitha Benny  wrote:

> Hi Mark,
>
> My server is not on a public domain.
> How can I verify the setup which is on a private network?
>
> Regards,
> Nikitha
>
> On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas  wrote:
>
> > On 05/08/2015 07:32, Nikitha Benny wrote:
> > > Hi Mark,
> > >
> > > When I try to run Tomcat on the https server port:
> > >
> > > *https://:8444/*
> > >
> > > It says as below:
> > > --
> > >
> > > *SSL connection error*
> > >
> > > *ERR_SSL_PROTOCOL_ERROR*
> > >
> > > *Unable to make a secure connection to the server. This may be a
> problem
> > > with the server, or it may be requiring a client authentication
> > certificate
> > > that you don't have*
> > > **
> >
> > That is the client side. What about server side logs?
> >
> > > We have set the client authentication to False, so it does not need any
> > > client authorized certificate.
> >
> > I recommend you run https://www.ssllabs.com/ssltest/ against your
> > server. That will tell you if you have a server side issue, a client
> > side issue or simply a mismatch between the two.
> >
> > Mark
> >
> > >
> > > Regards,
> > > Nikitha
> > >
> > > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny 
> > > wrote:
> > >
> > >>> But still Tomcat does not run on the https port.
> > >>
> > >> As in, when we run Tomcat on the https server port it does not display
> > the
> > >> page.
> > >> Whereas it goes through fine on the http port. The URL opens.
> > >>
> > >>
> > >>
> > >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas  wrote:
> > >>
> > >>> On 04/08/2015 13:19, Nikitha Benny wrote:
> >  Hello Mark,
> > 
> >  Thanks for your valuable suggestion.
> > 
> >  We were successful in creating the pkcs12 keystore which picks up
> > >>> SHA256 as
> >  shown below:
> > >>>
> > >>> 
> > >>>
> >  But still Tomcat does not run on the https port.
> > >>>
> > >>> Define "does not run".
> > >>>
> >  Any clue as to why this happens?
> > >>>
> > >>> Based on the information provided so far, no.
> > >>>
> >  The protocol I am using is*
> > "org.apache.coyote.http11.Http11Protocol".*
> > >>>
> > >>> OK. That is the HTTP BIO connector.
> > >>>
> >  Could it be because I am not using an APR connector protocol?
> > >>>
> > >>> No.
> > >>>
> > >>> Mark
> > >>>
> > >>>
> > >>>
> > >>>
> > >>
> > >
> >
> >
> >
> >
>


Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Nikitha Benny
Hi Mark,

My server is not on a public domain.
How can I verify the setup which is on a private network?

Regards,
Nikitha

On Wed, Aug 5, 2015 at 2:14 PM, Mark Thomas  wrote:

> On 05/08/2015 07:32, Nikitha Benny wrote:
> > Hi Mark,
> >
> > When I try to run Tomcat on the https server port:
> >
> > *https://:8444/*
> >
> > It says as below:
> > --
> >
> > *SSL connection error*
> >
> > *ERR_SSL_PROTOCOL_ERROR*
> >
> > *Unable to make a secure connection to the server. This may be a problem
> > with the server, or it may be requiring a client authentication
> certificate
> > that you don't have*
> > **
>
> That is the client side. What about server side logs?
>
> > We have set the client authentication to False, so it does not need any
> > client authorized certificate.
>
> I recommend you run https://www.ssllabs.com/ssltest/ against your
> server. That will tell you if you have a server side issue, a client
> side issue or simply a mismatch between the two.
>
> Mark
>
> >
> > Regards,
> > Nikitha
> >
> > On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny 
> > wrote:
> >
> >>> But still Tomcat does not run on the https port.
> >>
> >> As in, when we run Tomcat on the https server port it does not display
> the
> >> page.
> >> Whereas it goes through fine on the http port. The URL opens.
> >>
> >>
> >>
> >> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas  wrote:
> >>
> >>> On 04/08/2015 13:19, Nikitha Benny wrote:
>  Hello Mark,
> 
>  Thanks for your valuable suggestion.
> 
>  We were successful in creating the pkcs12 keystore which picks up
> >>> SHA256 as
>  shown below:
> >>>
> >>> 
> >>>
>  But still Tomcat does not run on the https port.
> >>>
> >>> Define "does not run".
> >>>
>  Any clue as to why this happens?
> >>>
> >>> Based on the information provided so far, no.
> >>>
>  The protocol I am using is*
> "org.apache.coyote.http11.Http11Protocol".*
> >>>
> >>> OK. That is the HTTP BIO connector.
> >>>
>  Could it be because I am not using an APR connector protocol?
> >>>
> >>> No.
> >>>
> >>> Mark
> >>>
> >>>
> >>>
> >>>
> >>
> >
>
>
>
>


Re: FIPS compliancy on Tomcat 7.00.062

2015-08-05 Thread Mark Thomas
On 05/08/2015 07:32, Nikitha Benny wrote:
> Hi Mark,
> 
> When I try to run Tomcat on the https server port:
> 
> *https://:8444/*
> 
> It says as below:
> --
> 
> *SSL connection error*
> 
> *ERR_SSL_PROTOCOL_ERROR*
> 
> *Unable to make a secure connection to the server. This may be a problem
> with the server, or it may be requiring a client authentication certificate
> that you don't have*
> **

That is the client side. What about server side logs?

> We have set the client authentication to False, so it does not need any
> client authorized certificate.

I recommend you run https://www.ssllabs.com/ssltest/ against your
server. That will tell you if you have a server side issue, a client
side issue or simply a mismatch between the two.

Mark

> 
> Regards,
> Nikitha
> 
> On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny 
> wrote:
> 
>>> But still Tomcat does not run on the https port.
>>
>> As in, when we run Tomcat on the https server port it does not display the
>> page.
>> Whereas it goes through fine on the http port. The URL opens.
>>
>>
>>
>> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas  wrote:
>>
>>> On 04/08/2015 13:19, Nikitha Benny wrote:
 Hello Mark,

 Thanks for your valuable suggestion.

 We were successful in creating the pkcs12 keystore which picks up
>>> SHA256 as
 shown below:
>>>
>>> 
>>>
 But still Tomcat does not run on the https port.
>>>
>>> Define "does not run".
>>>
 Any clue as to why this happens?
>>>
>>> Based on the information provided so far, no.
>>>
 The protocol I am using is* "org.apache.coyote.http11.Http11Protocol".*
>>>
>>> OK. That is the HTTP BIO connector.
>>>
 Could it be because I am not using an APR connector protocol?
>>>
>>> No.
>>>
>>> Mark
>>>
>>>
>>>
>>>
>>
> 





Re: FIPS compliancy on Tomcat 7.00.062

2015-08-04 Thread Nikitha Benny
Hi Mark,

When I try to run Tomcat on the https server port:

*https://:8444/*

It says as below:
--

*SSL connection error*

*ERR_SSL_PROTOCOL_ERROR*

*Unable to make a secure connection to the server. This may be a problem
with the server, or it may be requiring a client authentication certificate
that you don't have*
**

We have set the client authentication to False, so it does not need any
client authorized certificate.

Regards,
Nikitha

On Wed, Aug 5, 2015 at 10:07 AM, Nikitha Benny 
wrote:

> > But still Tomcat does not run on the https port.
>
> As in, when we run Tomcat on the https server port it does not display the
> page.
> Whereas it goes through fine on the http port. The URL opens.
>
>
>
> On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas  wrote:
>
>> On 04/08/2015 13:19, Nikitha Benny wrote:
>> > Hello Mark,
>> >
>> > Thanks for your valuable suggestion.
>> >
>> > We were successful in creating the pkcs12 keystore which picks up
>> SHA256 as
>> > shown below:
>>
>> 
>>
>> > But still Tomcat does not run on the https port.
>>
>> Define "does not run".
>>
>> > Any clue as to why this happens?
>>
>> Based on the information provided so far, no.
>>
>> > The protocol I am using is* "org.apache.coyote.http11.Http11Protocol".*
>>
>> OK. That is the HTTP BIO connector.
>>
>> > Could it be because I am not using an APR connector protocol?
>>
>> No.
>>
>> Mark
>>
>>
>>
>>
>


Re: FIPS compliancy on Tomcat 7.00.062

2015-08-04 Thread Nikitha Benny
> But still Tomcat does not run on the https port.

As in, when we run Tomcat on the https server port it does not display the
page.
Whereas it goes through fine on the http port. The URL opens.



On Tue, Aug 4, 2015 at 6:18 PM, Mark Thomas  wrote:

> On 04/08/2015 13:19, Nikitha Benny wrote:
> > Hello Mark,
> >
> > Thanks for your valuable suggestion.
> >
> > We were successful in creating the pkcs12 keystore which picks up SHA256
> as
> > shown below:
>
> 
>
> > But still Tomcat does not run on the https port.
>
> Define "does not run".
>
> > Any clue as to why this happens?
>
> Based on the information provided so far, no.
>
> > The protocol I am using is* "org.apache.coyote.http11.Http11Protocol".*
>
> OK. That is the HTTP BIO connector.
>
> > Could it be because I am not using an APR connector protocol?
>
> No.
>
> Mark
>
>
>
>


Re: FIPS compliancy on Tomcat 7.00.062

2015-08-04 Thread Mark Thomas
On 04/08/2015 13:19, Nikitha Benny wrote:
> Hello Mark,
> 
> Thanks for your valuable suggestion.
> 
> We were successful in creating the pkcs12 keystore which picks up SHA256 as
> shown below:



> But still Tomcat does not run on the https port.

Define "does not run".

> Any clue as to why this happens?

Based on the information provided so far, no.

> The protocol I am using is* "org.apache.coyote.http11.Http11Protocol".*

OK. That is the HTTP BIO connector.

> Could it be because I am not using an APR connector protocol?

No.

Mark





Re: FIPS compliancy on Tomcat 7.00.062

2015-08-04 Thread Nikitha Benny
Hello Mark,

Thanks for your valuable suggestion.

We were successful in creating the pkcs12 keystore which picks up SHA256 as
shown below:

-
[root]## /jre/b/bin/keytool -v -list -storetype pkcs12 -keystore
tomcat.keystore
Enter keystore password:

*Keystore type: PKCS12*
*Keystore provider: JsafeJCE*

Your keystore contains 1 entry

Alias name: ovtomcatb
Creation date: Aug 4, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView,
O=Hewlett-Packard, L=Palo Alto, ST=California, C=US
Issuer: CN=IWFVM01284.hpswlabs.adapps.hp.com, OU=OpenView,
O=Hewlett-Packard, L=Palo Alto, ST=California, C=US
Serial number: 65b4bcb8
Valid from: Thu Jul 23 14:55:21 IST 2015 until: Mon Apr 09 14:55:21 IST 2035
Certificate fingerprints:
 MD5:  9B:68:A8:C4:4C:81:FC:F6:06:CF:51:52:00:67:B1:E1
 SHA1: 4A:98:19:E4:42:34:B0:7D:8C:2B:AD:D5:38:15:79:77:2E:99:D1:10
 SHA256:
AD:17:98:07:BB:D3:CE:FE:43:D8:31:83:27:33:42:26:7E:E0:13:D6:71:5A:8E:54:9C:96:7A:B3:51:48:A3:E6
 Signature algorithm name: *SHA256withRSA*
 Version: 3
---

But still Tomcat does not run on the https port.
Any clue as to why this happens?

The protocol I am using is* "org.apache.coyote.http11.Http11Protocol".*
Could it be because I am not using an APR connector protocol?

Regards,
Nikitha

On Tue, Aug 4, 2015 at 2:37 PM, Mark Thomas  wrote:

> On 04/08/2015 09:30, Nikitha Benny wrote:
> > Hello All,
> >
> > We are working on Tomcat 7.00.062 with java 1.08.045.
> > We require to configure FIPS compliancy on the Tomcat.
> >
> > We were successful in configuring FIPS compliancy on java 1.08.045.
> > A keystore file has already been created for Tomcat.
> >
> > When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
> > runs fine on the http server, but fails to run on the https server port.
> >
> > The java.security file is of JKS format.
> > We tried converting from JKS to PKCS12 format, which gave us the below
> > result:
> >
> > [root]## *keytool -importkeystore -srckeystore tomcat.keystore
> > -destkeystore tomcatpkcs2.keystore*
> > Import command completed:  1 entries successfully imported, 0 entries
> > failed or cancelled
> >
> > [root]## *keytool -v -list -storetype pkcs12 -keystore
> tomcatpkcs2.keystore*
> > keytool error: java.io.IOException: Error decoding PKCS 12 input.
> > java.io.IOException: Error decoding PKCS 12 input.
> > at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> > at java.security.KeyStore.load(KeyStore.java:1445)
> > at sun.security.tools.keytool.Main.doCommands(Main.java:792)
> > at sun.security.tools.keytool.Main.run(Main.java:340)
> > at sun.security.tools.keytool.Main.main(Main.java:333)
> >
> > ---
> >
> > Also we tried to create a new keystore file entirely of PKCS12 format,
> > which resulted as below:
> >
> > [root]## *keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
> > -validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com
> > , OU=OpenView,
> O=Hewlett-Packard,
> > L=Palo Alto, S=California, C=US" -keypass changeit -storepass changeit
> > -keystore tomcatmypkcs12.kestore -storetype pkcs12*
> >
> > When we list the keystore file, it throws the below exception.
> > It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
> > compliant.
>
> That looks like you are using an old version of keytool. The default
> signature algorithm for an RSA key should be SHA256withRSA for Java 8.
>
> Try explicitly specifying "-sigalg SHA256withRSA" when you generate the
> key with keytool.
>
> Mark
>
>
> >
> > [root]## *keytool -v -list -storetype pkcs12 -keystore
> > tomcatmypkcs12.kestore*
> > Enter keystore password: (password given)
> > keytool error: java.lang.SecurityException: Algorithm not allowable in
> > FIPS140 mode: PBE/PKCS12/*SHA1*/RC2/CBC/40
> > java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
> > PBE/PKCS12*/SHA1*/RC2/CBC/40
> > at com.rsa.cryptoj.o.cc.c(Unknown Source)
> > at com.rsa.cryptoj.o.ci.c(Unknown Source)
> > at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
> > at com.rsa.cryptoj.o.dh.d(Unknown Source)
> > at com.rsa.cryptoj.o.gf.(Unknown Source)
> > at com.rsa.cryptoj.o.gk.(Unknown Source)
> > at com.rsa.cryptoj.o.gp.(Unknown Source)
> > at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
> > at com.rsa.cryptoj.o.kg.a(Unknown Source)
> > at com.rsa.cryptoj.o.kg.a(Unknown Source)
> > at com.rsa.cryptoj.o.lp.a(Unknown Source)
> > at com.rsa.cryptoj.o.lp.b(Unknown Source)
> > at com.rsa.cryptoj.o.lp.a(Unknown Source)
> > at com.rsa.cryptoj.o.lp.a(Unknown Source)
> > at com.rsa.cryptoj.o.lp.a(Unknown Source)
> > at com.rsa.cryptoj.o.lp.a(Unknown Source)
> > at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)

Re: FIPS compliancy on Tomcat 7.00.062

2015-08-04 Thread Mark Thomas
On 04/08/2015 09:30, Nikitha Benny wrote:
> Hello All,
> 
> We are working on Tomcat 7.00.062 with java 1.08.045.
> We require to configure FIPS compliancy on the Tomcat.
> 
> We were successful in configuring FIPS compliancy on java 1.08.045.
> A keystore file has already been created for Tomcat.
> 
> When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
> runs fine on the http server, but fails to run on the https server port.
> 
> The java.security file is of JKS format.
> We tried converting from JKS to PKCS12 format, which gave us the below
> result:
> 
> [root]## *keytool -importkeystore -srckeystore tomcat.keystore
> -destkeystore tomcatpkcs2.keystore*
> Import command completed:  1 entries successfully imported, 0 entries
> failed or cancelled
> 
> [root]## *keytool -v -list -storetype pkcs12 -keystore tomcatpkcs2.keystore*
> keytool error: java.io.IOException: Error decoding PKCS 12 input.
> java.io.IOException: Error decoding PKCS 12 input.
> at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at sun.security.tools.keytool.Main.doCommands(Main.java:792)
> at sun.security.tools.keytool.Main.run(Main.java:340)
> at sun.security.tools.keytool.Main.main(Main.java:333)
> 
> ---
> 
> Also we tried to create a new keystore file entirely of PKCS12 format,
> which resulted as below:
> 
> [root]## *keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
> -validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com
> , OU=OpenView, O=Hewlett-Packard,
> L=Palo Alto, S=California, C=US" -keypass changeit -storepass changeit
> -keystore tomcatmypkcs12.kestore -storetype pkcs12*
> 
> When we list the keystore file, it throws the below exception.
> It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
> compliant.

That looks like you are using an old version of keytool. The default
signature algorithm for an RSA key should be SHA256withRSA for Java 8.

Try explicitly specifying "-sigalg SHA256withRSA" when you generate the
key with keytool.

Mark


> 
> [root]## *keytool -v -list -storetype pkcs12 -keystore
> tomcatmypkcs12.kestore*
> Enter keystore password: (password given)
> keytool error: java.lang.SecurityException: Algorithm not allowable in
> FIPS140 mode: PBE/PKCS12/*SHA1*/RC2/CBC/40
> java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
> PBE/PKCS12*/SHA1*/RC2/CBC/40
> at com.rsa.cryptoj.o.cc.c(Unknown Source)
> at com.rsa.cryptoj.o.ci.c(Unknown Source)
> at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
> at com.rsa.cryptoj.o.dh.d(Unknown Source)
> at com.rsa.cryptoj.o.gf.(Unknown Source)
> at com.rsa.cryptoj.o.gk.(Unknown Source)
> at com.rsa.cryptoj.o.gp.(Unknown Source)
> at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
> at com.rsa.cryptoj.o.kg.a(Unknown Source)
> at com.rsa.cryptoj.o.kg.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.b(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.a(Unknown Source)
> at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at sun.security.tools.keytool.Main.doCommands(Main.java:889)
> at sun.security.tools.keytool.Main.run(Main.java:340)
> at sun.security.tools.keytool.Main.main(Main.java:333)
> 
> Is there a possibility where it can pick up SHA256 ?
> 
> Regards,
> Nikitha
> 




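As an added illustration of the keystore properties Mark's reply is about (this is not code from the thread, from Tomcat or from the RSA provider): a small Java check that loads a PKCS12 file with the JRE's default providers and reports, for each private-key entry, the certificate signature algorithm and the RSA key length, flagging a SHA1withRSA signature or a key shorter than 2048 bits before Tomcat is pointed at the file. The class name, the file path and the password are assumptions for the example. It is deliberately run with the default providers rather than the FIPS one, because a store wrapped with PBE/PKCS12/SHA1/RC2/CBC/40 does not load at all under the FIPS provider, as the stack trace above shows; the signature algorithm it reports is the same "Signature algorithm name" field that `keytool -v -list` prints.

```java
// Added example, not part of the mailing-list thread. Assumes a PKCS12 file
// and its store password are passed on the command line.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class KeystoreSigAlgCheck {

    /** Findings for one alias; an empty problems list means the entry passed. */
    public static final class Finding {
        public final String alias;
        public final String sigAlg;
        public final int keyBits;
        public final List<String> problems;

        Finding(String alias, String sigAlg, int keyBits, List<String> problems) {
            this.alias = alias;
            this.sigAlg = sigAlg;
            this.keyBits = keyBits;
            this.problems = Collections.unmodifiableList(problems);
        }
    }

    /**
     * Inspect every private-key entry of an already-loaded keystore.
     * The checks encode what the thread needs: a SHA-256 family signature
     * (not SHA1withRSA) and an RSA key of at least 2048 bits.
     */
    public static List<Finding> inspect(KeyStore ks) throws GeneralSecurityException {
        List<Finding> findings = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key for the connector
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                findings.add(new Finding(alias, "n/a", 0,
                        Collections.singletonList("no X.509 certificate chain")));
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            String sigAlg = leaf.getSigAlgName();          // e.g. "SHA256withRSA"
            int keyBits = 0;
            if (leaf.getPublicKey() instanceof RSAPublicKey) {
                keyBits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
            }
            List<String> problems = new ArrayList<>();
            String upper = sigAlg.toUpperCase();
            if (upper.startsWith("SHA1") || upper.startsWith("MD5")) {
                problems.add("signature algorithm " + sigAlg
                        + " (regenerate the key with -sigalg SHA256withRSA)");
            }
            if (keyBits > 0 && keyBits < 2048) {
                problems.add("RSA key is only " + keyBits + " bits");
            }
            findings.add(new Finding(alias, sigAlg, keyBits, problems));
        }
        return findings;
    }

    /** Load a PKCS12 file and run the inspection; true when every entry passed. */
    public static boolean checkFile(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        boolean ok = true;
        for (Finding f : inspect(ks)) {
            System.out.printf("%s: sigalg=%s keybits=%d%n", f.alias, f.sigAlg, f.keyBits);
            for (String p : f.problems) {
                System.out.println("  PROBLEM: " + p);
                ok = false;
            }
        }
        return ok;
    }

    // Usage (paths and password are placeholders): java KeystoreSigAlgCheck tomcat.keystore changeit
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreSigAlgCheck <pkcs12-file> <store-password>");
            System.exit(2);
        }
        System.exit(checkFile(args[0], args[1].toCharArray()) ? 0 : 1);
    }
}
```

Compile with `javac KeystoreSigAlgCheck.java` and run it against the store Tomcat's connector references; a non-zero exit marks an entry that would have to be regenerated with `-sigalg SHA256withRSA -keysize 2048` before the FIPS provider will accept it.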

FIPS compliancy on Tomcat 7.00.062

2015-08-04 Thread Nikitha Benny
Hello All,

We are working on Tomcat 7.00.062 with java 1.08.045.
We require to configure FIPS compliancy on the Tomcat.

We were successful in configuring FIPS compliancy on java 1.08.045.
A keystore file has already been created for Tomcat.

When we run the Tomcat 7.00.062 with the FIPS compliant JRE 1.08.045, it
runs fine on the http server, but fails to run on the https server port.

The java.security file is of JKS format.
We tried converting from JKS to PKCS12 format, which gave us the below
result:

[root]## *keytool -importkeystore -srckeystore tomcat.keystore
-destkeystore tomcatpkcs2.keystore*
Import command completed:  1 entries successfully imported, 0 entries
failed or cancelled

[root]## *keytool -v -list -storetype pkcs12 -keystore tomcatpkcs2.keystore*
keytool error: java.io.IOException: Error decoding PKCS 12 input.
java.io.IOException: Error decoding PKCS 12 input.
at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.doCommands(Main.java:792)
at sun.security.tools.keytool.Main.run(Main.java:340)
at sun.security.tools.keytool.Main.main(Main.java:333)

---

Also we tried to create a new keystore file entirely of PKCS12 format,
which resulted as below:

[root]## *keytool -genkey -alias ovtomcatb -keyalg RSA -keysize 2048
-validity 7200 -dname "CN=IWFVM01284.hpswlabs.adapps.hp.com
, OU=OpenView, O=Hewlett-Packard,
L=Palo Alto, S=California, C=US" -keypass changeit -storepass changeit
-keystore tomcatmypkcs12.kestore -storetype pkcs12*

When we list the keystore file, it throws the below exception.
It looks like it picks up SHA1 (instead of SHA256) which is not FIPS
compliant.

[root]## *keytool -v -list -storetype pkcs12 -keystore
tomcatmypkcs12.kestore*
Enter keystore password: (password given)
keytool error: java.lang.SecurityException: Algorithm not allowable in
FIPS140 mode: PBE/PKCS12/*SHA1*/RC2/CBC/40
java.lang.SecurityException: Algorithm not allowable in FIPS140 mode:
PBE/PKCS12*/SHA1*/RC2/CBC/40
at com.rsa.cryptoj.o.cc.c(Unknown Source)
at com.rsa.cryptoj.o.ci.c(Unknown Source)
at com.rsa.cryptoj.o.cj.newSymmetricCipher(Unknown Source)
at com.rsa.cryptoj.o.dh.d(Unknown Source)
at com.rsa.cryptoj.o.gf.(Unknown Source)
at com.rsa.cryptoj.o.gk.(Unknown Source)
at com.rsa.cryptoj.o.gp.(Unknown Source)
at com.rsa.cryptoj.o.kf$17.a(Unknown Source)
at com.rsa.cryptoj.o.kg.a(Unknown Source)
at com.rsa.cryptoj.o.kg.a(Unknown Source)
at com.rsa.cryptoj.o.lp.a(Unknown Source)
at com.rsa.cryptoj.o.lp.b(Unknown Source)
at com.rsa.cryptoj.o.lp.a(Unknown Source)
at com.rsa.cryptoj.o.lp.a(Unknown Source)
at com.rsa.cryptoj.o.lp.a(Unknown Source)
at com.rsa.cryptoj.o.lp.a(Unknown Source)
at com.rsa.cryptoj.o.lp.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.doCommands(Main.java:889)
at sun.security.tools.keytool.Main.run(Main.java:340)
at sun.security.tools.keytool.Main.main(Main.java:333)

Is there a possibility where it can pick up SHA256 ?

Regards,
Nikitha