Hello,

I am in the process of updating the https://github.com/amitlpande/tomcat-9-fips 
page for versions later than Java 8.

Ran into an issue:

  1.  Was looking to configure the additional Bouncy Castle providers in the 
Java install itself by:
     *   Modifying the java.security file to add providers.
     *   Placing the jars in the Java lib/ext directory.
  2.  However, from Java 9+, the lib/ext directory is no longer present 
(https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B)
  3.  The alternative I attempted was to place the additional provider jars in 
Tomcat's lib directory.
  4.  Create a Java security properties file with:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=sun.security.provider.Sun
      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX

  5.  Launch Tomcat with the JVM option 
-Djava.security.properties=file:/path/to/java_security_properties_file
  6.  However, I noticed that these BC providers weren't getting loaded.

I see a comment from Chris here - 
https://www.mail-archive.com/users@tomcat.apache.org/msg137824.html
"I don't see any place in Tomcat to specify the JSSE provider. Perhaps we 
should expose that to the administrator in some way."

Not sure if it's relevant here.

But I wanted to know if there is any way to configure Tomcat for Java 9+ with 
custom JSSE/JCE providers (with just a config change)? Maybe I missed something?

Also, FWIW, I was able to get the FIPS configuration for Java 11 and 17 with Tomcat 
9 by registering a custom listener and adding providers there. Will soon 
update https://github.com/amitlpande/tomcat-9-fips with detailed steps.

Thanks,
Amit
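The "custom listener" approach mentioned above, as an added illustration that is not code from the post or from the tomcat-9-fips project: a Tomcat LifecycleListener that inserts the BC FIPS JCE and JSSE providers at the positions the security properties file used, and sets the PKIX factory algorithms, before the Server (and so the TLS connectors) initialise. The package and class name are hypothetical; the bc-fips and bctls-fips jars are assumed to be in $CATALINA_BASE/lib.

```java
package com.example.fips; // hypothetical package, not from the post

import java.security.Provider;
import java.security.Security;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/*
 * Registered at Server level in server.xml (hypothetical class name):
 *   <Listener className="com.example.fips.BcFipsProviderListener" />
 * Runs in the same JVM as the connectors, so the providers are visible to
 * SSLContext/KeyManagerFactory lookups Tomcat performs during connector init.
 */
public class BcFipsProviderListener implements LifecycleListener {

    private static final Log log = LogFactory.getLog(BcFipsProviderListener.class);

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Act once, before the Server initialises (connectors init after this).
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        // Same order as the java.security properties in the post:
        // BCFIPS first, then BCJSSE in FIPS mode delegating to BCFIPS.
        insertIfAbsent(new BouncyCastleFipsProvider(), 1);
        insertIfAbsent(new BouncyCastleJsseProvider("fips:BCFIPS"), 2);
        // Equivalent of the post's ssl.* properties: default factory algorithms.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
        Security.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");
    }

    private static void insertIfAbsent(Provider provider, int position) {
        if (Security.getProvider(provider.getName()) != null) {
            log.info("Provider " + provider.getName() + " already registered");
            return;
        }
        int pos = Security.insertProviderAt(provider, position);
        if (pos == -1) {
            // Fail loudly rather than silently fall back to the JDK providers.
            throw new IllegalStateException("Could not register " + provider.getName());
        }
        log.info("Registered " + provider.getName() + " at position " + pos);
    }
}
```

After startup, check the catalina log for the two "Registered ..." lines; if they are missing, the listener was not reached before connector initialisation or the jars were not on Tomcat's class path.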
