7 Replies Latest reply on Nov 9, 2017 5:58 AM by mchoma

    Wildfly with bc-fips-1.0.0.jar

    longshot

      I'm configuring Wildfly 9.0.1 to use FIPS SSL with the bouncy castle fips jar.

      I added the bc-fips-1.0.0.jar to <JDK_HOME>/jre/lib/ext and I updated the java.security policy in <JDK_HOME>/jre/lib/security/java.security.

      However, in order to turn on FIPS approved only mode on the jar, I need to call it programmatically from my application.

      As a quick test to see if I could do it, I dropped the jar in the lib directory of my deployment as well, but I know that's not the correct thing to do.

      Without the jar in my deployment's lib directory, I get a NoClassDefFoundException.

      So, I'm wondering how it should be configured?

      Create a module?  If so, how?  I would assume that I should remove the jar then from <JDK_HOME>/jre/lib/ext, but if I do, will the java.security work and the class be found from the security.provider listing?

        • 1. Re: Wildfly with bc-fips-1.0.0.jar
          mchoma

          Could you elaborate on "However, in order to turn on FIPS approved only mode on the jar, I need to call it programmatically from my application"

          Yes, if you need access to Bouncy Castle classes in your deployment, you should add a module and depend on that module in the deployment-structure.xml of your deployment.

           

          For reference, here is how I managed to run FIPS Bouncy Castle on Wildfly 11 with Elytron: [JBEAP-8857] Elytron, unable to use FIPS BC for https - JBoss Issue Tracker

          • 2. Re: Wildfly with bc-fips-1.0.0.jar
            longshot

            Based on the security policy, fips approved only mode is turned on in one of two ways.

            1. If your java application has a security manager installed.

            2. If you turn it on yourself programmatically:

                 (e.g. CryptoServicesRegistrar.setApprovedOnlyMode(true);)

            We went down the path of installing the Security Manager in Java, but the risk that we could not find and resolve all the issues involved with installing the security manager was too high, so we decided it would be easier to just turn it on programmatically.

            Now I haven't added a module myself, and I'm wondering: should it go under the system area?  It seemed like the right thing if I'm adding the provider to java.security.

            Right now my jar is in <JRE_HOME>/lib/ext.  I'm assuming it should be removed from there once I add the new module.

            There is already an org/bouncycastle/main under the modules/system, so I was wondering should I add a fips under org/bouncycastle?

            These may be really stupid questions, but I'm a complete novice with Wildfly, so I'm not even sure where to look to find my answers.

            I saw by your configuration for the keystore that you have {cleartextpassword}.  Are you putting your actual password there, or are you using a vault or anything?

            Are there any other options?

            • 3. Re: Wildfly with bc-fips-1.0.0.jar
              mchoma

              1. Could you add link to security policy you are talking about? What exactly is that approved mode?

              2. It's fine; you will have one jar in system (it is necessary because of the java.security provider) and another jar in a module. WildFly does not use the hierarchical classloading model which you are familiar with from other AS [1].

              3. Yes, org/bouncycastle/fips is OK.

              4. Yes, in my case I use just clearpassword. Yes, you can use a vault or a credential store (since WildFly 11).

              [1] Class Loading in WildFly - WildFly 10 - Project Documentation Editor

              • 4. Re: Wildfly with bc-fips-1.0.0.jar
                longshot

                Here is the link on the bouncy castle site.  https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.0.pdf

                You can also find it on the NIST site here: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2768.pdf

                Certificate Detail - Cryptographic Module Validation Program | CSRC, which gives you more details about the certification.

                If you look at section 1.2 Modes of Operation and 1.3 Module Configuration, it explains FIPS approved only mode.

                • 5. Re: Wildfly with bc-fips-1.0.0.jar
                  longshot

                  I'm really not clear on what I need to do for the modules.  Are you saying:

                  1. remove bc-fips-1.0.0.jar from jre/lib/ext?

                  2. Add a module with bc-fips-1.0.0.jar and module.xml under <WILDFLY_DIR>/modules/system/layers/base to be accessible for the security provider?  If so, I tried this, and was unable to configure it in any way so that the application could find the security provider when it started.

                  3. Add a module with bc-fips-1.0.0.jar and module.xml under <WILDFLY_DIR>/modules/org/bouncycastle/main to be accessible by the application.  Doing this and adding an optional dependency on the path that I needed to turn FIPS mode on to the MANIFEST.MF of my ear did work.

                  I'm not sure what adding the module / putting the bc-fips-1.0.0.jar under system does for me.

                  Ideally I would have the jar in one place and configure what I need to for all to work with it.  If that's what you're saying to do, I'm not getting it.

                  • 6. Re: Wildfly with bc-fips-1.0.0.jar
                    mchoma

                    1. No

                    2. No

                    3. No

                    You need the jar in jre/lib/ext so that the providers are registered properly in the JVM.

                    You need the jar in /modules/system/layers/base/org/bouncycastle/fips for your deployment to depend on.

                    • 7. Re: Wildfly with bc-fips-1.0.0.jar
                      mchoma

                      I went through documents. Thank you for them.

                      CryptoServicesRegistrar.setApprovedMode(true) will switch the current thread of user control into approved mode.

                      Note, this means you have to call this for each HTTP request at least. But there could be other places where a thread starts its work (timer EJB, async servlet, ...).

                      So it seems to me running with the security manager is safer, to be really sure bc-fips runs in approved mode.

                      Btw. I don't understand the distinction between Table 7 and Table 8. Do you know what non-FIPS mode could be in the context of this document?
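Added example, not code from this thread, WildFly or Bouncy Castle: one way to apply the per-thread approved-only mode mchoma describes at every entry point (HTTP request and EJB timer) rather than only once at startup. The class names are assumed, and it assumes the deployment already depends on the bc-fips module as discussed above.

```java
import java.io.IOException;
import javax.ejb.Schedule;
import javax.ejb.Singleton;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import org.bouncycastle.crypto.CryptoServicesRegistrar;

// Assumed helper name (not from the thread): one place that enforces the
// per-thread setting so every entry point (HTTP, timer, async) goes through it.
final class FipsMode {
    private FipsMode() {}

    /** Enables approved-only mode on the calling thread and verifies it took effect. */
    static void ensureApprovedOnly() {
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            // The flag is per thread: pooled container threads do not inherit it
            // from the thread that deployed the application, so set it here.
            CryptoServicesRegistrar.setApprovedOnlyMode(true);
        }
        // Fail closed rather than silently serve with non-approved algorithms.
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            throw new IllegalStateException("bc-fips approved-only mode not active on "
                    + Thread.currentThread().getName());
        }
    }
}

// HTTP entry point: runs on the request thread before any servlet or JAX-RS code.
@WebFilter("/*")
public class FipsApprovedModeFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        FipsMode.ensureApprovedOnly();
        chain.doFilter(req, resp);
    }
}

// Timer entry point: EJB timers run on their own thread pool, so apply it here too.
@Singleton
class NightlyJob {
    @Schedule(hour = "2", minute = "0", persistent = false)
    void run() {
        FipsMode.ensureApprovedOnly();
        // ... work that must use FIPS-approved crypto only ...
    }
}
```

Save it as FipsApprovedModeFilter.java inside the deployment; any further thread-starting code (async servlets, @Asynchronous EJBs, managed executors) needs the same call at the start of its work.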