4.9.4. Enable FIPS 140-2 Cryptography for SSL on Red Hat Enterprise Linux 6

Procedure 4.6. Enable FIPS 140-2 Compliant Cryptography for SSL

1. Create the database

   Create the NSS database in a directory own by the jboss user.

   Note

   The jboss user is only an example. You need to replace it with a user on your operating system.

   $ mkdir -p  /usr/share/jboss-as/nssdb
   $ chown jboss /usr/share/jboss-as/nssdb 
   $ modutil -create -dbdir /usr/share/jboss-as/nssdb
   

2. Create NSS configuration file

   Create a new text file with the name nss_pkcsll_fips.cfg in the /usr/share/jboss-as directory with the following contents:

   name = nss-fips
   nssLibraryDirectory=/usr/lib64
   nssSecmodDirectory=/usr/share/jboss-as/nssdb
   nssModule = fips
   

   The NSS configuration file must specify:
   • a name,
   • the directory where the NSS library is located, and
   • the directory where the NSS database was created as per step 1.
   If you are not running a 64bit version of Red Hat Enterprise Linux 6 then set nssLibraryDirectory to /usr/lib instead of /usr/lib64.

3. Enable SunPKCS11 provider

   Edit the java.security configuration file for your JRE ($JAVA_HOME/jre/lib/security/java.security) and add the following line:

   security.provider.1=sun.security.pkcs11.SunPKCS11  /usr/share/jboss-as/nss_pkcsll_fips.cfg
   

   Note that the configuration file specified in this line is the file created in step 2.
   Any other security.provider.X lines in this file must have the value of their X increased by one to ensure that this provider is given priority.

4. Enable FIPS mode for the NSS library

   Run the modutil command as shown to enable FIPS mode:

   modutil -fips true -dbdir /usr/share/jboss-as/nssdb

   Note that the directory specified here is the one created in step 1.
   You may get a security library error at this point requiring you to regenerate the library signatures for some of the NSS shared objects.

5. Change the password on the FIPS token

   Set the password on the FIPS token using the following command. Note that the name of the token must be NSS FIPS 140-2 Certificate DB.

   modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /usr/share/jboss-as/nssdb

   The password used for the FIPS token must be a FIPS compliant password.

6. Create certificate using NSS tools

   Enter the following command to create a certificate using the NSS tools.

   certutil -S -k rsa -n jbossweb  -t "u,u,u" -x -s "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY" -d /usr/share/jboss-as/nssdb

7. Configure the HTTPS connector to use the PKCS11 keystore

   Add a HTTPS connector using the following command in the JBoss CLI Tool:

   /subsystem=web/connector=https/:add(socket-binding=https,scheme=https,protocol=HTTP/1.1,secure=true)
   

   Then add the SSL configuration with the following command, replacing PASSWORD with the FIPS compliant password from step 5.

   /subsystem=web/connector=https/ssl=configuration:add(name=https,password=PASSWORD,keystore-type=PKCS11,
   cipher-suite="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
   TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
   TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
   TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
   TLS_ECDH_anon_WITH_AES_256_CBC_SHA")
   

8. Verify

   Verify that the JVM can read the private key from the PKCS11 keystore by running the following command:

   keytool -list -storetype pkcs11