I added this to server.xml to enable Tomcat FIPSMode:
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" FIPSMode="on" />
but after that the log throws this:
Dec 01, 2015 3:28:53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
When I look at the Tomcat 7 docs for FIPSMode, it asks us to build the OpenSSL library:
FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. If this attribute is set to any of the above values, the SSLEngine must be enabled as well.
So now the question is: how do I build the OpenSSL library for Tomcat FIPS, and how do I integrate it with Tomcat?
Please share steps or documentation to achieve this.
Please check this new exception #1
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Initializing FIPS mode...
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:333)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:138)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Dec 03, 2015 1:46:37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
java.lang.Error: Failed to enter FIPS mode
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
openssl version
OpenSSL 1.0.1p-fips 9 Jul 2015
Please check new exception #2
03-Dec-2015 22:46:24.577 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.0.29
03-Dec-2015 22:46:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Nov 20 2015 09:18:00 UTC
03-Dec-2015 22:46:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.0.29.0
03-Dec-2015 22:46:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
03-Dec-2015 22:46:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 2.6.32-131.0.15.el6.x86_64
03-Dec-2015 22:46:24.584 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
03-Dec-2015 22:46:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /java/jdk1.7.0_80/jre
03-Dec-2015 22:46:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.7.0_80-b15
03-Dec-2015 22:46:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
03-Dec-2015 22:46:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/tomcat/apache-tomcat-8.0.29/conf/logging.properties
03-Dec-2015 22:46:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
03-Dec-2015 22:46:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/tomcat/apache-tomcat-8.0.29/endorsed
03-Dec-2015 22:46:24.589 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/tomcat/apache-tomcat-8.0.29
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/tomcat/apache-tomcat-8.0.29/temp
03-Dec-2015 22:46:24.590 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
03-Dec-2015 22:46:24.591 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
03-Dec-2015 22:46:24.657 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
03-Dec-2015 22:46:24.691 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:329)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:135)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
Finally working!!
04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
04-Dec-2015 00:45:30.561 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:45:30.576 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
04-Dec-2015 00:45:30.577 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)
04-Dec-2015 00:45:30.935 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-8080"]
04-Dec-2015 00:45:30.973 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-apr-8009"]
04-Dec-2015 00:45:30.976 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 2308 ms
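A diagnostic helper for the logs quoted in this question, added here as an example; it is not part of the question or of any answer. The string `error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match` is OpenSSL's packed error code. `FIPS_mode_set(1)` runs the FIPS module's integrity self-test, which recomputes an HMAC over the module's code and read-only data as loaded and compares it with the value `fipsld` embedded at link time; a mismatch means the libcrypto Tomcat actually loaded is not the module as it was linked (typically built without `fipsld`, or stripped or prelinked afterwards), so the problem is in how OpenSSL was built and installed, not in server.xml. The script decodes that code into its library/function/reason fields and classifies one startup's worth of catalina.out lines into the outcomes shown above (plain failure, fingerprint mismatch, success). The log samples are trimmed copies of the lines quoted above plus one constructed no-FIPS sample; the file name `fips_startup_check.sh` is an assumption.

```shell
#!/bin/sh
# fips_startup_check.sh
# Added example, not from the original post: decodes the OpenSSL error string
# quoted in exception #2 and classifies the FIPS outcome recorded in a
# catalina.out excerpt.

# OpenSSL 1.0.x packs an error as ERR_PACK(lib, func, reason):
# bits 31..24 = library, 23..12 = function, 11..0 = reason. The printable
# form is "error:<hex>:<library name>:<function name>:<reason string>".
openssl_err_decode() {
  oed_hex=$(printf '%s' "$1" | cut -d: -f2)
  oed_lib=$(printf '%s' "$1" | cut -d: -f3)
  oed_func=$(printf '%s' "$1" | cut -d: -f4)
  oed_reason=$(printf '%s' "$1" | cut -d: -f5-)
  oed_code=$((0x$oed_hex))
  printf 'lib=%d (%s) func=%d (%s) reason=%d (%s)\n' \
    $(( (oed_code >> 24) & 0xFF )) "$oed_lib" \
    $(( (oed_code >> 12) & 0xFFF )) "$oed_func" \
    $(( oed_code & 0xFFF )) "$oed_reason"
}

# Classify the FIPS outcome in a catalina.out excerpt read from stdin.
# Feed it one startup's worth of lines (a file with several restarts
# appended would be classified by the most favourable outcome). Prints:
#   ok             tcnative logged "Successfully entered FIPS mode"
#   integrity      FIPS_mode_set failed the module's integrity self-test
#                  ("fingerprint does not match"): libcrypto was typically not
#                  linked with fipsld, or was stripped/prelinked after linking
#   failed         "Failed to enter FIPS mode" for any other reason
#   not-attempted  FIPS initialization never started (FIPSMode not seen by the
#                  AprLifecycleListener, or tcnative not loaded at all)
fips_log_state() {
  fls_log=$(cat)
  if printf '%s\n' "$fls_log" | grep -q 'Successfully entered FIPS mode'; then
    echo ok
  elif printf '%s\n' "$fls_log" | grep -q 'FIPS_mode_set:fingerprint does not match'; then
    echo integrity
  elif printf '%s\n' "$fls_log" | grep -q 'Failed to enter FIPS mode'; then
    echo failed
  else
    echo not-attempted
  fi
}

# The OpenSSL build tcnative reports once initialization succeeds (stdin).
fips_log_openssl_version() {
  sed -n 's/.*OpenSSL successfully initialized (\(.*\))$/\1/p' | head -n 1
}

# Samples: the first three are trimmed copies of the log lines in the
# question; the fourth is constructed to show a start without FIPSMode.
SAMPLE_LOG_OK='04-Dec-2015 00:45:30.561 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-2015 00:45:30.576 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
04-Dec-2015 00:45:30.577 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)'
SAMPLE_LOG_INTEGRITY='03-Dec-2015 22:46:24.657 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
03-Dec-2015 22:46:24.691 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match'
SAMPLE_LOG_FAILED='SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode'
SAMPLE_LOG_NO_FIPS='04-Dec-2015 00:45:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-2015 00:45:30.577 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)'
```

Usage: source the file (`. ./fips_startup_check.sh`), then `openssl_err_decode 'error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match'` prints `lib=45 (FIPS routines) func=108 (FIPS_mode_set) reason=110 (fingerprint does not match)`, and `sed -n '/Loaded APR based/,/Initialization processed/p' catalina.out | fips_log_state` reports the outcome of the most recent start captured by that range.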
Answer 0 (score: 0)
You need to configure Tomcat to use the APR connector. Here are the steps (done on CentOS 6):
Install gcc
yum install gcc
Install the latest APR
wget http://apache.spd.co.il//apr/apr-1.5.1.tar.gz
tar -zxvf apr-1.5.1.tar.gz
cd apr-1.5.1/
./configure
make
make install
Install the latest APR-util
wget http://apache.spd.co.il/apr/apr-util-1.5.3.tar.gz
tar -zxvf apr-util-1.5.3.tar.gz
cd apr-util-1.5.3
./configure --with-apr=/usr/local/apr
make
make install
Configure OpenSSL
Run the following command to check the installed version:
openssl version
Example output: OpenSSL 1.0.1h-fips 5 Jun 2014
Note that the installed version is compiled in FIPS mode; google the manual for how to do that. Copy the source files for the corresponding version from the OpenSSL site to your machine at /var/tmp/openssl-1.0.1h
JDK
In order to build the JNI wrapper for Tomcat, make sure a JDK is available (copy it to the machine; note that the JDK version must be the same as the installed JRE).
Install the JNI wrapper (libtcnative) for the APR used by Tomcat
cd $CATALINA_HOME/bin
tar -zxvf tomcat-native.tar.gz
cd tomcat-native/jni/native
./configure --with-apr=/usr/local/apr --with-java-home=$JDK_HOME --prefix=/usr --with-ssl=/var/tmp/openssl-1.0.1h/build/lnx/devel/x86_64
make
make install
Configure your CA
Edit the copied openssl.cnf file by setting the dir attribute under the CA_default section.
#!/bin/bash
# Configuring your CA
set -e
CA_DIR=/var/tmp/myCA
mkdir -p $CA_DIR/certs $CA_DIR/csr $CA_DIR/newcerts $CA_DIR/private
cp /etc/pki/tls/openssl.cnf $CA_DIR/.
cd $CA_DIR
# openssl ca expects these files to exist; dir under [ CA_default ] in the copied openssl.cnf must point at this directory
echo 00 > serial
echo 00 > crlnumber
touch index.txt
# Create CA private key
openssl genrsa -aes128 -passout pass:qwerty -out private/rootCA.key 2048
# Remove passphrase
openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key
# Create CA self-signed certificate
openssl req -config openssl.cnf -new -x509 -subj '/C=IL/L=Tel-Aviv/CN=www.imperva.com' -days 365 -key private/rootCA.key -out certs/rootCA.crt
# Create an SSL server certificate
# Create private key for the mx server
openssl genrsa -aes128 -passout pass:qwerty -out private/mx.key 2048
# Remove passphrase (Tomcat has to read the key unattended at startup)
openssl rsa -passin pass:qwerty -in private/mx.key -out private/mx.key
# Create CSR (Certificate Signing Request) for the MX server
openssl req -config openssl.cnf -new -subj '/C=IL/L=Tel-Aviv/CN=mx' -key private/mx.key -out csr/mx.csr
# Create certificate for the MX server
openssl ca -batch -config openssl.cnf -days 365 -in csr/mx.csr -out certs/mx.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
# The unencrypted keys must not be world-readable
chmod 600 private/*.key
Configure Tomcat
Edit server.xml to use the Http11AprProtocol protocol:
<Connector
interface="management"
port="8080"
protocol="org.apache.coyote.http11.Http11AprProtocol"
secure="false"
SSLEnabled="false"
scheme="http"
URIEncoding="UTF-8"
minProcessors="5"
maxProcessors="150"
enableLookups="true"
acceptCount="10"
allowChunking="true"
server="NA"/>
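Before restarting Tomcat with FIPSMode="on", it is worth verifying that the pieces built in the steps above actually fit together: that the `openssl` you built is a FIPS-capable build and can itself enter FIPS mode, that the libtcnative-1.so installed by `make install` resolves libcrypto/libssl from that build rather than from the distro's copies, that the resolved libcrypto exports `FIPS_mode_set`, and that the server certificate and key the CA script produced belong together. The script below is an added example and not part of the answer. The OpenSSL prefix (/usr/local/ssl, the default `./config` prefix for OpenSSL 1.0.x), the libtcnative path (/usr/lib/libtcnative-1.so, following the `--prefix=/usr` above) and the certificate paths (from the CA script above) are assumptions, each overridable through an environment variable; the pure functions take command output as a string so they can be exercised offline with the constructed samples in the file.

```shell
#!/bin/sh
# tcnative_fips_preflight.sh
# Added example (not part of the original answer): checks to run after the
# build steps above and before restarting Tomcat with FIPSMode="on".
# Paths are assumptions and can be overridden from the environment.
OPENSSL_PREFIX=${OPENSSL_PREFIX:-/usr/local/ssl}
TCNATIVE_LIB=${TCNATIVE_LIB:-/usr/lib/libtcnative-1.so}
SERVER_CERT=${SERVER_CERT:-/var/tmp/myCA/certs/mx.crt}
SERVER_KEY=${SERVER_KEY:-/var/tmp/myCA/private/mx.key}

# OpenSSL 1.0.x appends "-fips" to its version text only when built with the
# FIPS object module, so this is a cheap first check on `openssl version`.
openssl_is_fips_build() {
  case "$1" in
    "OpenSSL "*-fips*) return 0 ;;
    *) return 1 ;;
  esac
}

# Path ldd resolved for a soname prefix ($2, e.g. libcrypto.so) in the ldd
# output passed as $1; empty if the library is not listed.
ldd_path_of() {
  printf '%s\n' "$1" | awk -v lib="$2" 'index($1, lib) == 1 && $2 == "=>" { print $3; exit }'
}

# tcnative must load the libcrypto/libssl you built, not the distro copies in
# /lib64 or /usr/lib64; otherwise the FIPS behaviour you tested with the
# `openssl` binary is not what Tomcat gets. $1 = ldd output, $2 = prefix.
links_under_prefix() {
  lup_crypto=$(ldd_path_of "$1" libcrypto.so)
  lup_ssl=$(ldd_path_of "$1" libssl.so)
  case "$lup_crypto" in "$2"/lib/*) ;; *) return 1 ;; esac
  case "$lup_ssl" in "$2"/lib/*) ;; *) return 1 ;; esac
  return 0
}

# A FIPS-capable libcrypto exports FIPS_mode_set. $1 = `nm -D` output.
exports_fips_mode_set() {
  printf '%s\n' "$1" | grep -q '[[:space:]]T[[:space:]]FIPS_mode_set$'
}

# Constructed samples (not captured from the poster's machine) for offline use.
SAMPLE_LDD_OK='	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0000001000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0000002000)
	libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f0000003000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000004000)'
SAMPLE_LDD_SYSTEM='	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000001000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000002000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000004000)'
SAMPLE_NM_FIPS='000000000019f4a0 T FIPS_mode_set
000000000019f3e0 T FIPS_mode
00000000000a2c10 T SSLeay_version'

fail() { echo "FAIL: $*" >&2; PREFLIGHT_RC=1; }

# Runs the real commands against the configured paths; returns non-zero if any
# check fails. Not executed unless PREFLIGHT_RUN=1 (see the usage note).
run_preflight() {
  PREFLIGHT_RC=0
  osl="$OPENSSL_PREFIX/bin/openssl"
  [ -x "$osl" ] || { fail "no openssl binary at $osl"; return 1; }
  openssl_is_fips_build "$("$osl" version)" || fail "$osl is not a FIPS-capable build"
  # The same FIPS_mode_set(1) call tcnative makes, driven from the CLI: the
  # openssl binary enters FIPS mode at startup when OPENSSL_FIPS is set and
  # exits non-zero, printing "fingerprint does not match", if the module
  # fails its integrity test. This exercises the libcrypto the binary loads,
  # which is why the ldd check below matters as well.
  OPENSSL_FIPS=1 "$osl" sha1 /dev/null >/dev/null 2>&1 || fail "FIPS_mode_set(1) failed; run: OPENSSL_FIPS=1 $osl sha1 /dev/null"
  [ -r "$TCNATIVE_LIB" ] || { fail "cannot read $TCNATIVE_LIB"; return 1; }
  ldd_out=$(ldd "$TCNATIVE_LIB")
  links_under_prefix "$ldd_out" "$OPENSSL_PREFIX" || fail "libtcnative does not link libcrypto/libssl from $OPENSSL_PREFIX/lib"
  crypto=$(ldd_path_of "$ldd_out" libcrypto.so)
  if [ -n "$crypto" ]; then
    exports_fips_mode_set "$(nm -D "$crypto")" || fail "$crypto does not export FIPS_mode_set"
  fi
  # The integrity check compares an HMAC embedded at link time with the loaded
  # module, so libcrypto must not be modified after linking: stripping or
  # prelinking it is a common cause of "fingerprint does not match".
  if [ -r "$SERVER_CERT" ] && [ -r "$SERVER_KEY" ]; then
    cmod=$("$osl" x509 -noout -modulus -in "$SERVER_CERT")
    kmod=$("$osl" rsa -noout -modulus -in "$SERVER_KEY")
    [ "$cmod" = "$kmod" ] || fail "$SERVER_CERT does not match $SERVER_KEY"
  fi
  return $PREFLIGHT_RC
}

if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then run_preflight; fi
```

Usage: `OPENSSL_PREFIX=/usr/local/ssl TCNATIVE_LIB=/usr/lib/libtcnative-1.so PREFLIGHT_RUN=1 sh tcnative_fips_preflight.sh`; a zero exit with no FAIL lines means the FIPS-capable OpenSSL, the tcnative that loads it, and the certificate pair are consistent, which is what Tomcat's "Successfully entered FIPS mode" line then confirms at startup.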