Good Evening,
I have an issue while enabling FIPS mode in Tomcat 9 for Windows, where it
throws me an error "Failed to enter fips mode". Below is the detailed
explanation and content. Sorry for the length, but I am trying to provide
all of the relevant details in the hope that the solution to this issue will
be easily identifiable.

*Method 1:*

Software specifications:
Tomcat version - 9.0.34
OpenSSL version - 3.0.2
OS - Windows Server 2019 64-bit

I have installed OpenSSL version 3.0.2 along with the FIPS module
installation, as per the steps mentioned in the wiki (
https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
).

OpenSSL 3.0.2 and the FIPS module were installed successfully.
[image: openssl version.PNG]


Post installation of OpenSSL, I tried enabling FIPS mode in Tomcat 9.
For that I performed the following:


   1. Added the FIPSMODE="on" for APR listener in the server.xml of Tomcat9.
   2. Restarted the Tomcat server.
   3. But FIPS Mode was not enabled.

[image: Fipsmode server xml.PNG]

[image: fips error1.PNG]

*Method 2:*

I researched on the web and found a few links and references for enabling
FIPS mode in Tomcat, but they are for the older version of OpenSSL (i.e.
1.0.2l), where they also download the OpenSSL FIPS Object Module
2.0.16 as an external package and build it with the tcnative library.

The steps are:

   1. Building OpenSSL.
   2. Building APR.
   3. Building the Tomcat Native library.
   4. Adding FIPSMode="on" for the APR listener.

The link of the reference:
https://www.ysofters.com/2017/07/25/building-and-using-fips-capable-openssl-in-apache-tomcat/

I followed the same steps and tried building the Tomcat Native library,
except for omitting the FIPS Object Module build setup, since in our case the
FIPS FOM is integrated with OpenSSL 3.0.

The versions of the modules I used:

OpenSSL 3.0.2
APR version 1.7.0
Tomcat Native library 1.2.32

I successfully built the Tomcat Native library, tried putting it in
the bin folder and restarted the Tomcat service. But there I get another
error message stating "FIPS was not available to tcnative at build time".
[image: fips error.PNG]

There was a switch or parameter which is passed when building tcnative
along with FIPS. When I tried building tcnative with that parameter, I
get an error.
[image: native error.PNG]

The command that I used for building tcnative is:
nmake -f NMAKEMakefile BUILD_CPU=x64
WITH_APR="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\apr-1.7.0"
WITH_OPENSSL="C:\temp\Rupesh\tomcat-native-1.2.32-src.tar\tomcat-native-1.2.32-src\native\srclib\deps-x64\openssl-3.0.2"
APR_DECLARE_STATIC=1 OPENSSL_NEW_LIBS=1 WITH_FIPS=1

Without the WITH_FIPS=1 parameter, tcnative is built successfully.

So these are the findings I have made. Is there any way to overcome this
issue?
Please do let me know if there are any other options or ways to resolve this
error (to enable FIPS mode in Tomcat 9).


Thanks,

Rupesh P.
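For reference, this is the shape of the APR listener entry in conf/server.xml that the FIPSMode attribute belongs to. This is an added example, not taken from the mail above; the Tomcat docs spell the attribute FIPSMode, and the values shown ("on", SSLEngine="on") are illustrative of the configuration being described, not a confirmed fix.

```xml
<!-- Added example (not from the mail above): the AprLifecycleListener entry
     in conf/server.xml that FIPSMode belongs to. -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- SSLEngine="on" initializes OpenSSL through tcnative. FIPSMode accepts
       "off" (default), "on", "enter" or "require"; any value other than "off"
       requires a tcnative build with FIPS support, otherwise the listener
       fails at startup with "FIPS was not available to tcnative at build time". -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on"
            FIPSMode="on" />
  <!-- remaining Service/Connector configuration unchanged -->
</Server>
```

A quick way to check which tcnative build is actually loaded is the "Loaded Apache Tomcat Native library" line in catalina.log at startup, which names the version and the OpenSSL it was built against.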
