Version History
Version | Date | Modified By | Description of Modification |
---|---|---|---|
1.0 | 12/19/2016 | Minh-Hai Nguyen | Initial |
2.0 | 11/28/2018 | Minh-Hai Nguyen | Update to use standalone.xml and troubleshooting steps |
2.1 | 01/07/2019 | Minh-Hai Nguyen | Add JVM arguments |
...
- JBoss EAP 7.0.0.GA is unpackaged, and a ManagementRealm administrative user exists.
- The "nss.x86_64" package is installed via the package manager.
- CONNECT is deployed on the server. Make sure the Connection Validation Suite runs successfully before attempting to configure FIPS.
- Deploy the latest version of CONNECT to the the server. Follow the JBOSS EAP 7 Deployment Instruction
- Connection Validation Suite instruction: https://connectopensource.atlassian.net/wiki/x/I4ChValidation Test Suite
NSS Configuration
Prepare the Database Configuration File and Directories
...
- Navigate to {JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main/
- To convert gateway.jks to PKCS12 format, execute the following: keytool -importkeystore -srckeystore gateway.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore gateway.p12
- To import the cert keypair into the FIPS database, execute the following:pk12util -i gateway.p12 -n gateway -d /nhin/nss/fips/db
Modify Java.securityby editing ${JAVA_HOME}/jre/lib/security/java.security as follows:
...
- Disable nss_db first by executing the following: modutil -fips false -dbdir /nhin/nss/fips/db
- Execute the following: modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /nhin/nss/fips/db/
Module Setup - org.connectopensource.configuration
Navigate to folder ${JBOSS_HOME}/modules/system/layers/base/org/connectopensource/configuration/main.
Edit saml.properties and modify the following lines to reflect the name and password of the key in the NSS database:
...
Code Block |
---|
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=PKCS11
org.apache.ws.security.crypto.merlin.keystore.provider=SunPKCS11-nss-fips
org.apache.ws.security.crypto.merlin.keystore.password=changeit
org.apache.ws.security.crypto.merlin.truststore.file= |
Server Configuration: JAVA_OPTS
- In the standalone configuration file ${JBOSS_HOME}/bin/standalone.conf, append the following:
...
Open ${JBOSS_HOME}/standalone/configuration/standalone-full.xml and do the following:
1. Replace https-listener under subsystem/undertow:
Code Block |
---|
<https-listener name="https" socket-binding="connect" security-realm="ApplicationRealm" verify-client="REQUIRED"/> |
...
Code Block |
---|
<https-listener name="https" enabled-protocols="TLSv1.1" enabled-cipher-suites="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA" verify-client="REQUIRED" security-realm="ApplicationRealm" socket-binding="connect"/> |
2. Replace security realm under management/security-realms:
Code Block | ||
---|---|---|
| ||
<security-realm name="ApplicationRealm"> <server-identities> <ssl> <keystore path="modules/system/layers/base/org/connectopensource/configuration/main/gateway.jks" relative-to="jboss.home.dir" keystore-password="changeit" alias="gateway"/> </ssl> </server-identities> <authentication> <truststore path="modules/system/layers/base/org/connectopensource/configuration/main/cacerts.jks" relative-to="jboss.home.dir" keystore-password="changeit"/> <local default-user="$local" allowed-users="*" skip-group-loading="true"/> <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> </authentication> <authorization> <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> </authorization> </security-realm> |
with this:
Code Block | ||
---|---|---|
| ||
<security-realm name="ApplicationRealm"> <server-identities> <ssl> <keystore provider="PKCS11" keystore-password="<nss_db_password>" alias="gateway"/> </ssl> </server-identities> <authentication> <local default-user="$local" allowed-users="*" skip-group-loading="true"/> <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> </authentication> <authorization> <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> </authorization> </security-realm> |
Verify FIPS Installation:
The following steps verify that CONNECT has been set up to run in FIPS mode. Before beginning, make sure the application server is not running:
- Disable FIPS mode: modutil -fips false -dbdir /nhin/nss/fips/db
Restart the Jboss server. During startup, you should be given this error message and the server should not start:
Code Block title FIPS is not available 10:48:22,845 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final-redhat-1 10:48:23,069 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final-redhat-1 10:48:23,176 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: JBoss EAP 7.0.0.GA (WildFly Core 2.1.2.Final-redhat-1) starting 10:48:23,287 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.as: org.jboss.msc.service.StartException in service jboss.as: Failed to start service at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.security.ProviderException: NSS module not available: fips at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:272) at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:224) at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206) at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187) at sun.security.jca.ProviderList.getProvider(ProviderList.java:233)
- Enable FIPS mode: modutil -fips true -dbdir /nhin/nss/fips/db
- Try to start the server again. It should start this time.
- Deploy CONNECT and make sure the validation suite can be executed successfully.
...
Solution: Try either of one of those approaches:
- Add the following line to $JBOSS_HOME/bin/standalone.conf
- JAVA_OPTS="$JAVA_OPTS -Djdk.tls.useExtendedMasterSecret=false"
Future Document Enhancements
...
Links / Additional Reading
- CONNECT Developer Forums (connectopensource.org)
- Deploying to JBoss EAP7 (4.7) (atlassian.net)
- JBoss Issue Tracker (jboss.org)
- Mozilla NSS (mozilla.org)