This step-by-step guide shows the way to smoothly build FIPS capable OpenSSL library for use in the FIPS 140-2 compliant Tomcat server on Windows machines.
What is FIPS 140-2?
The Federal Information Processing Standard 140-2 is a security standard published by the National Institute of Standards and Technology (NIST), covering specification of security requirements for implementing cryptographic modules. Cryptographic module may be either a library, a component of a product or application, or a complete product.
The specifications include e.g. a list of approved algorithms, module inputs and outputs, physical security, cryptographic key management and more areas related to the secure design.
NIST manages a list of FIPS 140-1 and FIPS 140-2 validated cryptographic modules, i.e. modules tested, validated and certified under the Cryptographic Module Validation Program. The complete list can be found here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
FIPS 140-2 compliant Tomcat
The compliance (unlike FIPS validation) means that only FIPS approved algorithms and validated modules are used in the product, but the product itself was not validated.
Apache Tomcat, an open source Java application server, can use two different implementations of the SSL/TLS protocol, and thus there are two options for achieving FIPS 140-2 compliance:
- JSSE, the Java implementation – it is needed to have enabled only FIPS validated Java cryptographic providers along with the correct setting of the ciphers and algorithms in the Tomcat HTTPS connector
- Apache Portable Runtime, the OpenSSL implementation – if FIPS 140-2 is supported by the linked OpenSSL library, so called FIPS Mode can be enabled in the Tomcat settings
OpenSSL FIPS Object Module
OpenSSL library is not FIPS validated. A special software component called OpenSSL FIPS Object Module was created instead.
OpenSSL being compiled with the OpenSSL FIPS Object Module embedded inside is so called FIPS capable OpenSSL. It provides the standard, non-FIPS API as well as a FIPS 140-2 Approved Mode, a setting in products using this library in which only FIPS 140-2 validated cryptography is used and non-FIPS approved algorithms are disabled.
Current version of OpenSSL FIPS Object Module is 2.0 and is compatible with standard OpenSSL 1.0.1 and 1.0.2 distributions.
Step zero: Prerequisites
For the whole following building process, the Developer Command Prompt for Visual Studio is required. It is one of the optional choices offered during VS installation. When installing VS, check the following option (example for VS 2015):
- Programming languages\Visual C++\Common Tools for Visual C++ 2015
In case Visual Studio is already installed without Developer Command Prompt, you can add this feature by program modification:
Start -> Programs and Features -> Microsoft Visual Studio 2015 -> Change -> Modify
The following window should appear. Again, check the aforementioned option.
The guide was tested using Visual Studio Professional 2015. Both, the aforementioned option for the Developer Command Prompt for Visual Studio installation and batch files needed in the following process, may differ in other versions.
Step one: Getting the source codes
Download the Windows sources for:
- Tomcat Native – http://tomcat.apache.org/download-native.cgi
- Apache Portable Runtime – https://apr.apache.org/download.cgi
- OpenSSL (1.0.1 or 1.0.2) – https://www.openssl.org/source/
- OpenSSL FIPS Object Module – https://www.openssl.org/source/
Unpack:
- Tomcat Native
- OpenSSL FIPS Object Module to a directory outside Tomcat Native.
- OpenSSL sources to tomcat-native-X\native\srclib\openssl
- Apache Portable Runtime sources to tomcat-native-X\native\srclib\apr
Step two: Building the OpenSSL FIPS Object Module
Prerequisites:
- Developer Command Prompt for Visual Studio
- Extracted OpenSSL FIPS Object Module files
- Perl installed and location added to the PATH system variable
Compilation (64-bit version):
- Open Developer Command Prompt:
Start -> Developer Command Prompt for VS2015 - Add variables for desired environment:
cd vc vcvarsall x64
- Navigate to the extracted OpenSSL FIPS Object Module sources:
cd openssl-fips-X\
- Set needed variables:
Set PROCESSOR_ARCHITECTURE=AMD64 Set FIPSDIR=absolute\path\to\Openssl-fips-X
- [Optional] In case you use Cygwin Perl, you may encounter an error (“No rule for …”) during the build process. In order to prevent this issue, open the openssl-fips-X\util\mk1mf.pl file in text editor, find the first chop; command and add the following to the next row:
s/\s*$//;
- Build the OpenSSL FIPS Object Module
ms\do_fips
The compilation process for the 32-bit version:
cd vc vcvarsall x86 cd openssl-fips-X\ Set PROCESSOR_ARCHITECTURE=x86 Set FIPSDIR=absolute\path\to\Openssl-fips-X ms\do_fips
Step three: Building the FIPS capable OpenSSL
Prerequisites:
- Developer Command Prompt for Visual Studio
- Compiled FIPS module
- OpenSSL 1.0.1 or 1.0.2 sources extracted in the tomcat-native-X\native\srclib\openssl folder
- Perl installed and location added to the PATH system variable (note that Cygwin Perl may have issues with backslash in addresses)
- NASM (Netwide Assembler) installed and location added to the PATH system variable
Compilation (64-bit version):
- Open Developer Command Prompt:
Start -> Developer Command Prompt for VS2015 - Add variables for desired environment:
cd vc vcvarsall x64
- Navigate to the extracted OpenSSL sources:
cd native\srclib\openssl\
- Configure and make:
perl Configure VC-WIN64A fips --with-fipsdir=absolute\path\to\Openssl-fips-X ms\do_win64a nmake -f ms\nt.mak
The compilation process for the 32-bit version:
cd vc vcvarsall x86 cd native\srclib\openssl\ perl Configure VC-WIN32 fips --with-fipsdir=absolute\path\to\Openssl-fips-X ms\do_nasm nmake -f ms\nt.mak
Version check:
FIPS capable OpenSSL contains information about this fact in its version info. Check the version of your compiled OpenSSL library:
Step four: Building APR
Prerequisites:
- Developer Command Prompt for Visual Studio
- Apache Portable Runtime sources extracted in the tomcat-native-X\native\srclib\apr folder
Compilation (64-bit version):
- Open Developer Command Prompt:
Start -> Developer Command Prompt for VS2015 - Add variables for desired environment:
cd vc vcvarsall x64
- Navigate to the extracted APR sources:
cd native\srclib\apr\
- Build Apache Portable Runtime:
nmake -f NMAKEmakefile BUILD_CPU=x64 APR_DECLARE_STATIC=1 nmake -f NMAKEmakefile BUILD_CPU=x64 APR_DECLARE_STATIC=1 install
The compilation process for the 32-bit version:
cd vc vcvarsall x86 cd native\srclib\apr\ nmake -f NMAKEmakefile BUILD_CPU=x86 APR_DECLARE_STATIC=1 nmake -f NMAKEmakefile BUILD_CPU=x86 APR_DECLARE_STATIC=1 install
By default, the compiled files should appear in C:\include\ and C:\lib\ folders.
Step four and a half: Cleaning the mess
It is recommended to create an appropriate file system structure before proceeding to the compilation of the Tomcat Native library.
Create the following folders:
- deps
- deps\openssl
- deps\openssl\lib
- deps\openssl\include
- deps\apr
- deps\apr\lib
- deps\apr\include
And copy the following files:
- native\srclib\openssl\out32\openssl.exe to deps\openssl
- native\srclib\openssl\out32\ssleay32.lib, native\srclib\openssl\out32\libeayfips32.lib and native\srclib\openssl\out32\libeaycompat32.lib to deps\openssl\lib
- content of native\srclib\openssl\inc32\ to deps\openssl\include
- C:\lib\apr-1.lib to deps\apr-1\lib
- content of C:\include\apr-1\ to deps\apr\include
Step five: Building Tomcat Native library
Prerequisites:
- Developer Command Prompt for Visual Studio
- Compiled FIPS capable OpenSSL and APR
- Java installed and JAVA_HOME system variable leading to the location set
Compilation (64-bit version):
- Open Developer Command Prompt:
Start -> Developer Command Prompt for VS2015 - Add variables for desired environment:
cd vc vcvarsall x64
- Navigate to the extracted Tomcat Native sources:
cd tomcat-native-X\native\
- Set needed variables:
Set CPU=X64 Set FIPSDIR=absolute\path\to\Openssl-fips-X
- Build FIPS capable Tomcat Native library
nmake -f NMAKEMakefile WITH_APR=path\to\deps\apr WITH_OPENSSL=path\to\deps\openssl APR_DECLARE_STATIC=1 [ENABLE_OCSP=1] WITH_FIPS=1
The compilation process for the 32-bit version:
cd vc vcvarsall x86 cd tomcat-native-X\native\ Set CPU=X86 Set FIPSDIR=absolute\path\to\Openssl-fips-X nmake -f NMAKEMakefile WITH_APR=path\to\deps\apr WITH_OPENSSL=path\to\deps\openssl APR_DECLARE_STATIC=1 [ENABLE_OCSP=1] WITH_FIPS=1
Compiled files should appear in the tomcat-native-X\native\WINXP_X64_DLL_RELEASE or tomcat-native-X\native\WINXP_X86_DLL_RELEASE folder.
Tomcat settings
Now that we have FIPS capable Tomcat Native library, the last action needed is the configuration of Tomcat to use the FIPS validated implementation.
- Copy the compiled tcnative-1.dll to your tomcat\bin folder.
- In the tomcat\conf\server.xml file edit following tags:
Enable FIPS Mode for the APR listener:<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" />Configure the HTTPS connector to use Native (OpenSSL) implementation of SSL/TLS protocol:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" … /> - Restart the Apache Tomcat service
And that’s it! Your Tomcat is now using only FIPS approved algorithms and FIPS validated implementations.
Highest tested versions
This guide was tested with the following component versions:
- Apache Portable Runtime 1.5.2
- OpenSSL 1.0.2l
- OpenSSL FIPS Object Module 2.0.16
- Tomcat Native 1.2.12
Click OK and reboot the machine.
