Version History

Version	Date	Modified By	Description of Modification
1.0	12/19/2016	Minh-Hai Nguyen	Initial
2.0	11/28/2018	Minh-Hai Nguyen	Update to use standalone.xml and troubleshooting steps
2.1	01/07/2019	Minh-Hai Nguyen	Add JVM arguments

JBoss EAP 7.0.0.GA is unpackaged, and a ManagementRealm administrative user exists.
The "nss.x86_64" package is installed via the package manager.
CONNECT is deployed on the server. Make sure the Connection Validation Suite runs successfully before attempting to configure FIPS.
- Deploy the latest version of CONNECT to the the server. Follow the JBOSS EAP 7 Deployment Instruction
- Connection Validation Suite instruction: https://connectopensource.atlassian.net/wiki/x/I4Ch Validation Test Suite

NSS Configuration

Prepare the Database Configuration File and Directories

...

Navigate to {JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main/
To convert gateway.jks to PKCS12 format, execute the following: keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12
To import the cert keypair into the FIPS database, execute the following:pk12util -i gateway.p12 -n gateway -d /nhin/nss/fips/db

Modify Java.securityby editing ${JAVA_HOME}/jre/lib/security/java.security as follows:

...

Disable nss_db first by executing the following: modutil -fips false -dbdir /nhin/nss/fips/db
Execute the following: modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /nhin/nss/fips/db/

Module Setup - org.connectopensource.configuration

Navigate to folder ${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main.

Edit saml.properties and modify the following lines to reflect the name and password of the key in the NSS database:

...

Server Configuration: JAVA_OPTS

In the standalone configuration file ${JBOSS_HOME}/bin/standalone.conf, append the following:

...

Open ${JBOSS_HOME}/standalone/configuration/standalone-full.xml and do the following:

1. Replace https-listener under subsystem/undertow:

Code Block
<https-listener name="https" socket-binding="connect" security-realm="ApplicationRealm" verify-client="REQUIRED"/>

...

Code Block

<https-listener name="https" enabled-protocols="TLSv1.1" enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA" verify-client="REQUIRED" security-realm="ApplicationRealm" socket-binding="connect"/>

2. Replace security realm under management/security-realms:

Code Block

title	Old Security for Application Realm

<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="modules/system/layers/base/org/connectopensource/configuration/main/gateway.jks" relative-to="jboss.home.dir" keystore-password="changeit" alias="gateway"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="modules/system/layers/base/org/connectopensource/configuration/main/cacerts.jks" relative-to="jboss.home.dir" keystore-password="changeit"/>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

with this:

Code Block

title	New Security For Application Realm

<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore provider="PKCS11" keystore-password="<nss_db_password>" alias="gateway"/>
</ssl>
</server-identities>
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>

Verify FIPS Installation:

The following steps verify that CONNECT has been set up to run in FIPS mode. Before beginning, make sure the application server is not running:

Disable FIPS mode: modutil -fips false -dbdir /nhin/nss/fips/db

Restart the Jboss server. During startup, you should be given this error message and the server should not start:

Code Block

title	FIPS is not available

10:48:22,845 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final-redhat-1
10:48:23,069 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final-redhat-1
10:48:23,176 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: JBoss EAP 7.0.0.GA (WildFly Core 2.1.2.Final-redhat-1) starting
10:48:23,287 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.as: org.jboss.msc.service.StartException in service jboss.as: Failed to start service
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.ProviderException: NSS module not available: fips
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:272)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224)
at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)

Enable FIPS mode: modutil -fips true -dbdir /nhin/nss/fips/db
Try to start the server again. It should start this time.
Deploy CONNECT and make sure the validation suite can be executed successfully.

...

Solution: Try either of one of those approaches:

Add the following line to $JBOSS_HOME/bin/standalone.conf
JAVA_OPTS="$JAVA_OPTS -Djdk.tls.useExtendedMasterSecret=false"

Future Document Enhancements

...

Links / Additional Reading

Versions Compared

Old Version 5

New Version Current

Key

NSS Configuration

Prepare the Database Configuration File and Directories

Module Setup - org.connectopensource.configuration

Server Configuration: JAVA_OPTS

Verify FIPS Installation:

Future Document Enhancements

Links / Additional Reading

Page Comparison

Versions Compared

Old Version 5

New Version Current

Key

NSS Configuration

Prepare the Database Configuration File and Directories

Module Setup - org.connectopensource.configuration

Server Configuration: JAVA_OPTS

Verify FIPS Installation:

Future Document Enhancements

Links / Additional Reading