Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Version History

Version

Date

Modified By

Description of Modification

1.012/19/2016Minh-Hai NguyenInitial
2.011/28/2018Minh-Hai NguyenUpdate to use standalone.xml and troubleshooting steps
2.101/07/2019Minh-Hai NguyenAdd JVM arguments

...

  • JBoss EAP 7.0.0.GA is unpackaged, and a ManagementRealm administrative user exists.  
  • The "nss.x86_64" package is installed via the package manager.
  • CONNECT is deployed on the server.  Make sure the Connection Validation Suite runs successfully before attempting to configure FIPS.

NSS Configuration

Prepare the Database Configuration File and Directories

...

  • Navigate to {JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main/
  • To convert gateway.jks to PKCS12 format, execute the following: keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12
  • To import the cert keypair into the FIPS database, execute the following:pk12util -i gateway.p12 -n gateway -d /nhin/nss/fips/db

Modify Java.securityby editing ${JAVA_HOME}/jre/lib/security/java.security as follows:

...

  • Disable nss_db first by executing the following: modutil -fips false -dbdir /nhin/nss/fips/db
  • Execute the following: modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /nhin/nss/fips/db/

Module Setup - org.connectopensource.configuration

Navigate to folder ${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main.

Edit saml.properties and modify the following lines to reflect the name and password of the key in the NSS database:

...

Server Configuration: JAVA_OPTS

  •  In the standalone configuration file ${JBOSS_HOME}/bin/standalone.conf, append the following:

...

Open ${JBOSS_HOME}/standalone/configuration/standalone-full.xml and do the following:

1. Replace https-listener under subsystem/undertow:

Code Block
<https-listener name="https" socket-binding="connect" security-realm="ApplicationRealm" verify-client="REQUIRED"/>

...


Code Block
<https-listener name="https" enabled-protocols="TLSv1.1" enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA" verify-client="REQUIRED" security-realm="ApplicationRealm" socket-binding="connect"/>


2. Replace security realm under management/security-realms:


Code Block
titleOld Security for Application Realm
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="modules/system/layers/base/org/connectopensource/configuration/main/gateway.jks" relative-to="jboss.home.dir" keystore-password="changeit" alias="gateway"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="modules/system/layers/base/org/connectopensource/configuration/main/cacerts.jks" relative-to="jboss.home.dir" keystore-password="changeit"/>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

with this:


Code Block
titleNew Security For Application Realm
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore provider="PKCS11" keystore-password="<nss_db_password>" alias="gateway"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>

Verify FIPS Installation:

The following steps verify that CONNECT has been set up to run in FIPS mode.  Before beginning, make sure the application server is not running:

  1. Disable FIPS mode: modutil -fips false -dbdir /nhin/nss/fips/db
  2. Restart the Jboss server.  During startup, you should be given this error message and the server should not start:

    Code Block
    titleFIPS is not available
    10:48:22,845 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final-redhat-1
    10:48:23,069 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final-redhat-1
    10:48:23,176 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: JBoss EAP 7.0.0.GA (WildFly Core 2.1.2.Final-redhat-1) starting
    10:48:23,287 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.as: org.jboss.msc.service.StartException in service jboss.as: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    Caused by: java.security.ProviderException: NSS module not available: fips
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:272)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
    at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
    at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
    at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)


  3. Enable FIPS mode: modutil -fips true -dbdir /nhin/nss/fips/db
  4. Try to start the server again. It should start this time.
  5. Deploy CONNECT and make sure the validation suite can be executed successfully.

...

Solution: Try either of one of those approaches:

  1. Add the following line to $JBOSS_HOME/bin/standalone.conf
    • JAVA_OPTS="$JAVA_OPTS -Djdk.tls.useExtendedMasterSecret=false"


Future Document Enhancements

...

Links / Additional Reading

  1. CONNECT Forums (connectopensource.org) 
  2. Deploying to JBoss EAP7 (4.7) (atlassian.net)
  3. JBoss Issue Tracker (jboss.org)
  4. Mozilla NSS (mozilla.org)