Wednesday Oct 29, 2008

Running Sun Web Server 7.0 in FIPS mode

Jyri's blog http://blogs.sun.com/jyrivirkki/entry/fips_140_certification talks about FIPS certification. In this post I will show how to run Web Server 7.0 in FIPS mode. It's a piece of cake. Create a Web Server instance called https-test on test.sun.com.

$cd /export1/ws/https-test/config

Edit server.xml so that the listener contains an <ssl/> element.

$rm *.db

Initialize the NSS database with a password, let's say "test". This is necessary because once FIPS is enabled using modutil, NSS will not allow the database to be used without a password.
$../../bin/certutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: test
Re-enter password: test

Create a self-signed certificate (for ease of use). You can also generate CSR and get server certificate from CA and install it in Web Server.
$../../bin/certutil -S -n "Server-Cert" -s "CN=test.sun.com" -x -t "CP,CP,CP" -d .
Enter Password or Pin for "NSS Certificate DB": test
Enter Password or Pin for "NSS Certificate DB": test

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

Start the server; it works.
$../bin/startserv
Sun Java System Web Server 7.0U4 B10/20/2008 12:12
Please enter the PIN for the "internal" token: test
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://test.sun.com:3333 ready to accept requests
info: CORE3274: successful server startup
$../bin/stopserv
server has been shutdown

Enable FIPS using modutil:
$su
Password:
#/usr/sfw/bin/modutil -fips true  -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Using database directory ....
FIPS mode enabled.

# control D to come back to normal user

Start the server. It works!!

$../bin/startserv
Sun Java System Web Server 7.0U4 B10/20/2008 12:12
Please enter the PIN for the "NSS FIPS 140-2 Certificate DB" token: test
security: CORE1296: Token associated with server certificate [Server-Cert] cannot support PKCS#11 bypass
security: CORE1295: PKCS#11 bypass has been disabled because the current configuration cannot support bypass
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: https://test.sun.com:3333 ready to accept requests
info: CORE3274: successful server startup

Note: if you are using the Admin GUI/CLI, you need to use the pull-config CLI command to pull these changes into the Admin Server.

If you're running in FIPS mode, you need to set a password. It's a FIPS requirement that any FIPS-compliant module must enforce once FIPS is enabled.

In FIPS-compliant mode your password must also be of the following form:

- The password must be at least 7 characters long.
- The password must consist of characters from three or more character classes. We define five character classes: digits (0-9), ASCII lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric characters (such as space and punctuation marks), and non-ASCII characters. If an ASCII uppercase letter is the first character of the password, the uppercase letter is not counted toward its character class. Similarly, if a digit is the last character of the password, the digit is not counted toward its character class.
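To make the two rules concrete, here is a small checker added to this post as an illustration; it is not Sun's or NSS's code and does not call NSS, it only applies the policy exactly as listed above, including the first-uppercase and last-digit exceptions, so a PIN can be vetted before it is handed to certutil -N. The function name fips_password_problems is an assumption of this example, not an NSS API. Note that the 4-character PIN "test" used in the walkthrough above fails both rules.

```python
"""Check a candidate NSS token PIN against the FIPS-mode password rules
listed in the post. Added example, not Sun/NSS code; it implements the
quoted policy text only (length >= 7, >= 3 of 5 character classes, with
the leading-uppercase and trailing-digit exceptions)."""

from typing import List


def _char_class(ch: str) -> str:
    """Map one character to one of the five classes named in the policy."""
    if ch.isascii():
        if ch.isdigit():
            return "digit"
        if ch.islower():
            return "lower"
        if ch.isupper():
            return "upper"
        return "ascii_other"  # space, punctuation, other ASCII
    return "non_ascii"


def fips_password_problems(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the PIN passes.

    The function name is hypothetical (chosen for this example)."""
    problems: List[str] = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")

    counted = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        cls = _char_class(ch)
        # An ASCII uppercase letter in the first position is not counted.
        if cls == "upper" and i == 0:
            continue
        # A digit in the last position is not counted.
        if cls == "digit" and i == last:
            continue
        counted.add(cls)

    if len(counted) < 3:
        problems.append(
            f"only {len(counted)} character class(es) counted, need 3"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample PINs: the post's "test", a PIN that passes, and a
    # PIN that looks like three classes but loses two to the exceptions.
    for candidate in ("test", "Passw0rd!", "Password1", "pässword7!"):
        result = fips_password_problems(candidate)
        verdict = "OK" if not result else "; ".join(result)
        print(f"{candidate!r}: {verdict}")
```

"Password1" is the instructive case: its uppercase P is first and its digit 1 is last, so neither counts, leaving only the lowercase class, and the PIN is rejected even though it superficially spans three classes.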

If you are interested in FIPS compliance please review the security policy:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf


About

Meena Vyas
