Version History
| Version | Date | Modified By | Description |
|---|---|---|---|
| 1.0 | 11/29/2018 | Minh-Hai Nguyen | Initial Version |
| Table of Contents |
|---|
- CONNECT is deployed on Weblogic server. Make sure the Connection Validation Suite runs successfully before attempting to configure FIPS
Configure FIPS Mode
Configure JAVA Security Policy:
- Back up java.security in $JAVA_HOME/jre/lib/security
- cp java.security java.security.non_fips
- Edit java.security file in $JAVA_HOME/jre/lib/security.
- Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in the
java.securityproperties file:Code Block language xml title java.security security.provider.1=com.rsa.jsafe.provider.JsafeJCE security.provider.2=com.rsa.jsse.JsseProvider security.provider.3=sun.security.provider.Sun
- Use no restriction on cryptographic strengths by commenting out
- crypto.policy=unlimited
- Replace default jks with pkcs12
- keystore.type=pkcs12
- Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in the
Convert JKS into PKCS12 Keystore
- keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12
- keytool -importkeystore -srckeystore cacerts.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore cacerts.p12
Modify CONNECT Property
- Modify truststore.properties as shown below:
Code Block title truststore.properties org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=changeit org.apache.ws.security.crypto.merlin.truststore.file=cacerts.p12
- Modify signature.properties
Code Block title signature.properties org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin org.apache.ws.security.crypto.merlin.keystore.type=pkcs12 org.apache.ws.security.crypto.merlin.keystore.password=changeit org.apache.ws.security.crypto.merlin.file=gateway.p12
Load Weblogic FIP library
- Backup and edit $WL_HOME/bin/setDomainEnv.sh
- Add new PRE_CLASSPATH variable above WL_HOME variable as shown below. Make sure to use right path for your environment. In this case, our weblogic server locates under /nhin/server/wls1221
Code Block title setDomainEnv.sh PRE_CLASSPATH="/nhin/server/wls1221/wlserver/server/lib/jcmFIPS.jar:/nhin/server/wls1221/wlserver/server/lib/sslj.jar:${PRE_CLASSPATH}" export PRE_CLASSPATH WL_HOME="/nhin/server/wls1221/wlserver" - Append the following entry to NHIN_PRO variable inside setDomainEnv.sh as shown below
-Dweblogic.security.allowCryptoJDefaultPRNG=true
- -Dweblogic.security.allowCryptoJDefaultJCEVerification=true
Code Block title NHIN_PRO EXT_POST_CLASSPATH="/nhin/server/connectProperties" export EXT_POST_CLASSPATH NHIN_PRO="-Dlog4j.configuration=file:${EXT_POST_CLASSPATH}/log4j.properties -Dweblogic.log.Log4jLoggingEnabled=true -Xmx8000m -Dnhinc.properties.dir=${EXT_POST_CLASSPATH} -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=${EXT_POST_CLASSPATH}/gateway.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=${EXT_POST_CLASSPATH}/cacerts.p12 -DCLIENT_KEY_ALIAS=gateway -Djava.security.egd=file:/dev/./urandom -DUseSunHttpHandler=true -Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true -Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true -Djavax.enterprise.resource.xml.webservices.security.level=FINE -Djavax.enterprise.resource.webservices.jaxws=FINE -Dweblogic.security.allowCryptoJDefaultPRNG=true -Dweblogic.security.allowCryptoJDefaultJCEVerification=true -Djavax.net.debug=all" export NHIN_PRO JAVA_OPTIONS="${JAVA_OPTIONS} ${NHIN_PRO} " export JAVA_OPTIONS
- Add new PRE_CLASSPATH variable above WL_HOME variable as shown below. Make sure to use right path for your environment. In this case, our weblogic server locates under /nhin/server/wls1221
...
- Enable Weblogic in FIPS Mode (https://docs.oracle.com/middleware/1221/wls/SECMG/fips.htm#SECMG771)
- CONNECT Developer Forums (connectopensource.org)
- Deploying CONNECT to WebLogic
- https://connectopensource.atlassian.net/wiki/x/I4Ch (Connection Validation Suite)Validating CONNECT Installation