I am using Red Hat which provides the FIPS-enabled OpenSSL. I have been doing some more reading and it appears that I also now have to build the Tomcat Native libraries against APR and OpenSSL. It does not appear that Red Hat provides a pre-compiled version of these tc-native libraries.
On Fri, Feb 12, 2016 at 1:10 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lesley,
>
> On 2/12/16 1:31 PM, Lesley Kimmel wrote:
> > I am looking into how to enable FIPS in Tomcat. The way I interpret
> > is that I can either use APR connectors with a FIPS-enabled OpenSSL
> > or configure the java installation to utilize a 3rd party FIPS
> > library (e.g. JSafe). Is that correct?
>
> Correct.
>
> There are some Linux package managers that already provide a
> FIPS-capable OpenSSL library. I'm thinking specifically about Amazon
> Linux which I'm wildly guessing is only available if you are running
> in AWS.
>
> Other package managers may already have done the FIPS-related leg work
> for you as well.
>
> Once you have a FIPS-capable library (be it OpenSSL or a FIPS-capable
> JSSE implementation), configuring Tomcat to use it is fairly trivial.
>
> The nice part about Tomcat's use of OpenSSL is that Tomcat can be
> configured to *fail* if FIPS-mode is not enabled. I don't believe the
> same is true for an arbitrary JSSE implementation.
>
> -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAla+LjQACgkQ9CaO5/Lv0PC7mwCdEI5WjTW5IuY3h4tXbi4RCKxE
> YikAoL28/wEkS+tz5/5zuukLGAE8c2JE
> =cSFp
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
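The "fail if FIPS mode is not enabled" behaviour Chris describes is driven by the `FIPSMode` attribute of Tomcat's `AprLifecycleListener`. The following `server.xml` fragment is an added example, not from either message in the thread and not Tomcat's own sample configuration; it assumes the tc-native library has already been built against APR and the FIPS-capable OpenSSL, and the certificate paths, port numbers and host name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): minimal server.xml that makes
     Tomcat refuse to start unless OpenSSL is in FIPS mode.
     File paths and ports below are assumed placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Loads libtcnative (APR + OpenSSL). SSLEngine="on" initialises
       OpenSSL; FIPSMode="on" requests FIPS mode and raises an error that
       aborts startup if OpenSSL cannot enter it. The default, "off",
       silently runs without FIPS, so the attribute must be set explicitly. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on"
            FIPSMode="on" />

  <Service name="Catalina">
    <!-- HTTPS connector pinned to the APR/native protocol class so it
         cannot quietly fall back to a non-FIPS JSSE implementation if the
         native library fails to load. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true"
               scheme="https" secure="true"
               SSLCertificateFile="/etc/pki/tls/certs/tomcat.crt"
               SSLCertificateKeyFile="/etc/pki/tls/private/tomcat.key"
               SSLProtocol="TLSv1.2" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

Two points worth checking after deploying this: first, the listener only enforces FIPS for the OpenSSL side, so any connector still using `Http11NioProtocol` with JSSE is outside that guarantee, which is why the connector above names the APR protocol class explicitly rather than leaving `protocol="HTTP/1.1"` to auto-select. Second, on Red Hat systems the kernel's own FIPS state can be confirmed with `cat /proc/sys/crypto/fips_enabled` (it reads `1` when FIPS mode is active); that is a separate switch from OpenSSL's FIPS mode, and both should be verified rather than assumed.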