7 Replies Latest reply on Aug 24, 2017 5:04 PM by jewellgm

    FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2

    longshot

      We are attempting to configure Wildfly 9.0.2 with a FIPS compliant SSL using TLSv1.2 with Java 1.8.

      So, we are using NSS with Wildfly in a Windows environment.  The instructions we followed were a little old but can be found here, starting with section 2.2.8:  https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/how_to_configure_server_security/securing_the_server_and_its_interfaces#configure-ssl-fips-rhel6

      Chapter 2. Securing the Server and Its Interfaces - Red Hat Customer Portal

      These instructions used TLSv1.1 as the enabled protocol.  So when I first ran this I followed the instructions and used TLSv1.1.

      Everything seemed to work properly; when I restarted the server, I was able to use https.  So then I found out we needed to use TLSv1.2.

      Seemed like a trivial difference.  Ran through the same instructions, just used TLSv1.2 instead of TLSv1.1.  Restarted the server and it doesn't seem to work.

      If I try to connect to https I get an error.  Wildfly doesn't seem to be complaining about anything, it just doesn't seem to be working.

      I'm guessing that I'm missing something in the configuration, but I don't know what.

      Can anybody help?

        • 1. Re: FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2
          jewellgm

          Did you see the warning near the top of the link that you provided?  It says that TLS v1.2 isn't supported on the Oracle JDK in FIPS mode.

          • 2. Re: FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2
            longshot

            I did not actually see that.   I only just found out we needed to use TLSv1.2.  Do you know if there is anything other than NSS that could be used that wouldn't have this issue? 

            Or am I just screwed?

            • 3. Re: FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2
              jewellgm

              Have you researched SunJSSE that is provided with Java 8?  It supports FIPS and TLS 1.2.  I'm not aware of any detailed documentation on configuring it with WildFly, but a lot of the documentation in the page you linked to would also apply here.  Obviously, pointing to the NSS configuration file would need to change, but configuring the different subsystems within Wildfly would not.

               

              You may also need to install JCE (Java Cryptography Extension) which can be downloaded directly from Oracle.  Export restrictions apply when using this library!

               

              FIPS 140 Compliant Mode for SunJSSE

              • 4. Re: FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2
                longshot

                I tried adding the SunPKCS11-NSS to  to that then moving the provider I added based on the original documentation to the bottom of the file as that looks like it's still needed.

                It also looks like I need to add in the class for the provider and that it is part of the NSS? 

                But I don't know what the class name would be.

                So currently I'm looking for some "configuration for dummies" to try to make any kind of forward progress. 

                • 5. Re: FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2
                  longshot

                  Upon further review, I don't see how this is any different really than my original configuration.  Because I think all that is needed are the two lines, one of which was the SunPKCS11 provider.  And based on the link you provided I don't see where it states that TLSv1.2 would work.  Are we not still using the Sun provider's algorithms?

                  • 6. Re: FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2
                    jewellgm

                    In the Mozilla NSS configuration, you added a provider, and modified an existing provider to the java.security file.  The one that you added (that references the NSS configuration file) can be removed entirely.  The other entry, that you modified, needs to be changed again.  The directions for NSS say to change the internal SSL provider with the following parameter:

                     

                    SunPKCS11-nss-fips

                     

                    For using JSSE, you need to change that to simply "SunPKCS11-NSS".

                     

                    SunPKCS11 is the provider class, and "NSS" specifies an instance name for the class.  Take a look at JDK 8 PKCS#11 Reference Guide for more details on configuring the provider.  Sections 2.2 and 2.3, in particular, seem to provide good information.

                     

                    Edit:  It looks like that article just configures JSSE to utilize Mozilla NSS.  I don't know whether the strong SunJCE can support what you need, but it may be worth researching that.  If it does, then the JSSE configuration would need to point to SunJCE.

                    • 7. Re: FIPS compliant SSL with Wildfly 9.0.2 using TLSv1.2
                      jewellgm

                      One last suggestion.  There's a cryptographic library called Bouncy Castle that is FIPS 140-certified.  You can try to use that as your SSL provider, and place the needed BC jars into the classpath.  The website is:  http://www.bouncycastle.org

                       

                      There's a user's guide at:  https://www.bouncycastle.org/fips/BCUserGuide.pdf

                       

                      Section 2.2 (the bottom) describes how to configure the java.security file, including the classname of the provider.
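
Added example, not part of the original thread: a small diagnostic that lists the security providers in the order the JVM loaded them from java.security and reports which provider backs each TLS version and whether that version is actually offered. The class name `TlsProviderCheck` is hypothetical; it assumes it is run with the same JDK and java.security file that WildFly uses.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added diagnostic (hypothetical class name). Run it with the same JVM and
// java.security file as the server so the provider list matches.
public class TlsProviderCheck {

    // Builds a one-line report for the requested protocol: which provider
    // supplies the SSLContext and whether the protocol is in its supported set.
    static String probe(String protocol) {
        try {
            SSLContext ctx = SSLContext.getInstance(protocol);
            ctx.init(null, null, null); // default key managers, trust managers, RNG
            SSLParameters supported = ctx.getSupportedSSLParameters();
            boolean offered =
                    Arrays.asList(supported.getProtocols()).contains(protocol);
            return protocol + ": provider=" + ctx.getProvider().getName()
                    + ", offered=" + offered
                    + ", cipherSuites=" + supported.getCipherSuites().length;
        } catch (Exception e) {
            // In a restricted (for example FIPS) configuration the lookup or
            // the init call can fail; report the cause instead of hiding it.
            return protocol + ": unavailable (" + e + ")";
        }
    }

    public static void main(String[] args) {
        // Provider order matters: the first provider that implements a
        // requested algorithm is the one the JVM uses.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println((i + 1) + ". " + providers[i].getName()
                    + " - " + providers[i].getInfo());
        }
        for (String protocol : new String[] {"TLSv1.1", "TLSv1.2"}) {
            System.out.println(probe(protocol));
        }
    }
}
```

A line reading `unavailable` or `offered=false` for TLSv1.2 while TLSv1.1 succeeds points at the provider configuration rather than at the WildFly subsystem settings.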