This step-by-step guide shows how to build a FIPS capable OpenSSL library for use in a FIPS 140-2 compliant Tomcat server on Windows machines.

What is FIPS 140-2?

The Federal Information Processing Standard 140-2 is a security standard published by the National Institute of Standards and Technology (NIST) that specifies security requirements for cryptographic modules. A cryptographic module may be a library, a component of a product or application, or a complete product.

The specification covers, among other things, the list of approved algorithms, module inputs and outputs, physical security, cryptographic key management and other areas of secure design.

NIST manages a list of FIPS 140-1 and FIPS 140-2 validated cryptographic modules, i.e. modules tested, validated and certified under the Cryptographic Module Validation Program. The complete list can be found here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

FIPS 140-2 compliant Tomcat

Compliance (unlike FIPS validation) means that the product uses only FIPS approved algorithms and FIPS validated modules; the product itself has not been validated.

Apache Tomcat, an open source Java application server, can use two different implementations of the SSL/TLS protocol, and thus there are two options for achieving FIPS 140-2 compliance:

  • JSSE, the Java implementation – only FIPS validated Java cryptographic providers may be enabled, and the ciphers and algorithms of the Tomcat HTTPS connector must be configured accordingly
  • Apache Portable Runtime (APR), the OpenSSL implementation – if the linked OpenSSL library supports FIPS 140-2, the so called FIPS Mode can be enabled in the Tomcat settings

OpenSSL FIPS Object Module

The OpenSSL library itself is not FIPS validated. Instead, a separate software component called the OpenSSL FIPS Object Module was created and validated.

OpenSSL compiled with the OpenSSL FIPS Object Module embedded is the so called FIPS capable OpenSSL. It provides the standard, non-FIPS API as well as a FIPS 140-2 Approved Mode: a setting in products using this library in which only FIPS 140-2 validated cryptography is used and non-approved algorithms are disabled.

The current version of the OpenSSL FIPS Object Module is 2.0; it is compatible with the standard OpenSSL 1.0.1 and 1.0.2 distributions.

Step zero: Prerequisites

Throughout the build process the Developer Command Prompt for Visual Studio is required. It is one of the optional components offered during the VS installation. When installing VS, check the following option (example for VS 2015):

  • Programming languages\Visual C++\Common Tools for Visual C++ 2015

If Visual Studio is already installed without the Developer Command Prompt, add the feature by modifying the installation:

Start -> Programs and Features -> Microsoft Visual Studio 2015 -> Change -> Modify

The setup window appears; again, check the aforementioned option.

The guide was tested using Visual Studio Professional 2015. Both the aforementioned option for installing the Developer Command Prompt for Visual Studio and the batch files used in the following process may differ in other versions.

Step one: Getting the source codes

Download the Windows sources for Tomcat Native, the OpenSSL FIPS Object Module, OpenSSL and the Apache Portable Runtime.

Unpack:

  • Tomcat Native
  • the OpenSSL FIPS Object Module to a directory outside Tomcat Native
  • the OpenSSL sources to tomcat-native-X\native\srclib\openssl
  • the Apache Portable Runtime sources to tomcat-native-X\native\srclib\apr

Step two: Building the OpenSSL FIPS Object Module

Prerequisites:

  • Developer Command Prompt for Visual Studio
  • Extracted OpenSSL FIPS Object Module files
  • Perl installed and its location added to the PATH system variable

Compilation (64-bit version):

  1. Open Developer Command Prompt:
    Start -> Developer Command Prompt for VS2015
  2. Add variables for desired environment:
    cd vc
    vcvarsall x64
    
  3. Navigate to the extracted OpenSSL FIPS Object Module sources:
    cd openssl-fips-X\
    
  4. Set needed variables:
    Set PROCESSOR_ARCHITECTURE=AMD64
    Set FIPSDIR=absolute\path\to\Openssl-fips-X
    
  5. [Optional] If you use Cygwin Perl, you may encounter an error (“No rule for …”) during the build. To prevent it, open the openssl-fips-X\util\mk1mf.pl file in a text editor, find the first chop; command and add the following on the next line:
    s/\s*$//;
    
  6. Build the OpenSSL FIPS Object Module:
    ms\do_fips
    

The compilation process for the 32-bit version:

cd vc
vcvarsall x86
cd openssl-fips-X\
Set PROCESSOR_ARCHITECTURE=x86
Set FIPSDIR=absolute\path\to\Openssl-fips-X
ms\do_fips

Step three: Building the FIPS capable OpenSSL

Prerequisites:

  • Developer Command Prompt for Visual Studio
  • Compiled FIPS module
  • OpenSSL 1.0.1 or 1.0.2 sources extracted in the tomcat-native-X\native\srclib\openssl folder
  • Perl installed and its location added to the PATH system variable (note that Cygwin Perl may have issues with backslashes in paths)
  • NASM (Netwide Assembler) installed and its location added to the PATH system variable

Compilation (64-bit version):

  1. Open Developer Command Prompt:
    Start -> Developer Command Prompt for VS2015
  2. Add variables for desired environment:
    cd vc
    vcvarsall x64
    
  3. Navigate to the extracted OpenSSL sources:
    cd native\srclib\openssl\
    
  4. Configure and make:
    perl Configure VC-WIN64A fips --with-fipsdir=absolute\path\to\Openssl-fips-X
    ms\do_win64a
    nmake -f ms\nt.mak
    

The compilation process for the 32-bit version:

cd vc
vcvarsall x86
cd native\srclib\openssl\
perl Configure VC-WIN32 fips --with-fipsdir=absolute\path\to\Openssl-fips-X
ms\do_nasm
nmake -f ms\nt.mak

Version check:

FIPS capable OpenSSL records this fact in its version information. Check the version of your compiled OpenSSL library by running the freshly built binary from the srclib\openssl folder:

out32\openssl.exe version

A FIPS capable build reports its version with a -fips suffix (for example OpenSSL 1.0.2l-fips); a plain OpenSSL 1.0.2l means the fips option did not take effect.

Step four: Building APR

Prerequisites:

  • Developer Command Prompt for Visual Studio
  • Apache Portable Runtime sources extracted in the tomcat-native-X\native\srclib\apr folder

Compilation (64-bit version):

  1. Open Developer Command Prompt:
    Start -> Developer Command Prompt for VS2015
  2. Add variables for desired environment:
    cd vc
    vcvarsall x64
    
  3. Navigate to the extracted APR sources:
    cd native\srclib\apr\
    
  4. Build Apache Portable Runtime:
    nmake -f NMAKEmakefile BUILD_CPU=x64 APR_DECLARE_STATIC=1
    nmake -f NMAKEmakefile BUILD_CPU=x64 APR_DECLARE_STATIC=1 install
    

The compilation process for the 32-bit version:

cd vc
vcvarsall x86
cd native\srclib\apr\
nmake -f NMAKEmakefile BUILD_CPU=x86 APR_DECLARE_STATIC=1
nmake -f NMAKEmakefile BUILD_CPU=x86 APR_DECLARE_STATIC=1 install

By default, the compiled files appear in the C:\include\ and C:\lib\ folders.

Step four and a half: Cleaning the mess

It is recommended to create an appropriate file system structure before proceeding to the compilation of the Tomcat Native library.

Create the following folders:

  • deps
  • deps\openssl
  • deps\openssl\lib
  • deps\openssl\include
  • deps\apr
  • deps\apr\lib
  • deps\apr\include

And copy the following files:

  • native\srclib\openssl\out32\openssl.exe to deps\openssl
  • native\srclib\openssl\out32\ssleay32.lib, native\srclib\openssl\out32\libeayfips32.lib and native\srclib\openssl\out32\libeaycompat32.lib to deps\openssl\lib
  • content of native\srclib\openssl\inc32\ to deps\openssl\include
  • C:\lib\apr-1.lib to deps\apr\lib
  • content of C:\include\apr-1\ to deps\apr\include
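The folder creation and file copies above can be scripted. The following PowerShell script is an added example, not part of the original guide: it creates the deps layout, copies the listed files and then checks that the copied openssl.exe really is the FIPS capable build, using the -fips suffix that OpenSSL appends to its version string when built with the fips option. The three paths in the param block are assumptions about where you unpacked Tomcat Native and where the APR install target wrote its output; the out32 and inc32 locations are the guide's.

```powershell
# Added example (not from the original guide): recreate the deps\ layout described
# above. $NativeRoot is the tomcat-native-X\native folder, $AprInstall the prefix
# that "nmake ... install" wrote C:\lib and C:\include to, $DepsRoot the target.
param(
    [string]$NativeRoot = "C:\build\tomcat-native-X\native",   # assumption
    [string]$AprInstall = "C:\",                                # default from the guide
    [string]$DepsRoot   = "C:\build\deps"                       # assumption
)

$ErrorActionPreference = "Stop"

# Folder structure from the guide.
foreach ($dir in "openssl\lib", "openssl\include", "apr\lib", "apr\include") {
    New-Item -ItemType Directory -Force -Path (Join-Path $DepsRoot $dir) | Out-Null
}

$out32 = Join-Path $NativeRoot "srclib\openssl\out32"

# Files to copy: build output -> folder under deps.
$copies = @(
    @{ Src = Join-Path $out32 "openssl.exe";                  Dst = "openssl" },
    @{ Src = Join-Path $out32 "ssleay32.lib";                 Dst = "openssl\lib" },
    @{ Src = Join-Path $out32 "libeayfips32.lib";             Dst = "openssl\lib" },
    @{ Src = Join-Path $out32 "libeaycompat32.lib";           Dst = "openssl\lib" },
    @{ Src = Join-Path $NativeRoot "srclib\openssl\inc32\*";  Dst = "openssl\include" },
    @{ Src = Join-Path $AprInstall "lib\apr-1.lib";           Dst = "apr\lib" },
    @{ Src = Join-Path $AprInstall "include\apr-1\*";         Dst = "apr\include" }
)

foreach ($c in $copies) {
    # Fail loudly on a missing artifact instead of handing Tomcat Native an incomplete deps tree.
    if (-not (Test-Path $c.Src)) { throw "Missing build output: $($c.Src)" }
    Copy-Item -Path $c.Src -Destination (Join-Path $DepsRoot $c.Dst) -Recurse -Force
}

# Confirm the copied OpenSSL is the FIPS capable build: its version string carries a -fips suffix.
$version = & (Join-Path $DepsRoot "openssl\openssl.exe") version
if ($version -notmatch "-fips") { throw "openssl.exe is not a FIPS capable build: $version" }
Write-Host "deps layout ready; $version"
```

Run it from a Developer Command Prompt or any PowerShell session after steps two to four have finished; the final check catches a build in which the fips option was silently dropped before you spend time on the Tomcat Native build.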

Step five: Building Tomcat Native library

Prerequisites:

  • Developer Command Prompt for Visual Studio
  • Compiled FIPS capable OpenSSL and APR
  • Java installed and the JAVA_HOME system variable pointing to its location

Compilation (64-bit version):

  1. Open Developer Command Prompt:
    Start -> Developer Command Prompt for VS2015
  2. Add variables for desired environment:
    cd vc
    vcvarsall x64
    
  3. Navigate to the extracted Tomcat Native sources:
    cd tomcat-native-X\native\
    
  4. Set needed variables:
    Set CPU=X64
    Set FIPSDIR=absolute\path\to\Openssl-fips-X
    
  5. Build the FIPS capable Tomcat Native library:
    nmake -f NMAKEMakefile WITH_APR=path\to\deps\apr WITH_OPENSSL=path\to\deps\openssl APR_DECLARE_STATIC=1 [ENABLE_OCSP=1] WITH_FIPS=1
    

The compilation process for the 32-bit version:

cd vc
vcvarsall x86
cd tomcat-native-X\native\
Set CPU=X86
Set FIPSDIR=absolute\path\to\Openssl-fips-X
nmake -f NMAKEMakefile WITH_APR=path\to\deps\apr WITH_OPENSSL=path\to\deps\openssl APR_DECLARE_STATIC=1 [ENABLE_OCSP=1] WITH_FIPS=1

Compiled files should appear in the tomcat-native-X\native\WINXP_X64_DLL_RELEASE or tomcat-native-X\native\WINXP_X86_DLL_RELEASE folder.

Tomcat settings

Now that we have a FIPS capable Tomcat Native library, the last step is to configure Tomcat to use the FIPS validated implementation.

  1. Copy the compiled tcnative-1.dll to your tomcat\bin folder.
  2. In the tomcat\conf\server.xml file edit the following elements:
    Enable FIPS Mode for the APR listener:

    <Listener
        className="org.apache.catalina.core.AprLifecycleListener"
        SSLEngine="on"
        FIPSMode="on"
    />
    

    Configure the HTTPS connector to use the native (OpenSSL) implementation of the SSL/TLS protocol:

    <Connector
        protocol="org.apache.coyote.http11.Http11AprProtocol"
        …
    />
    
  3. Restart the Apache Tomcat service.

And that’s it! Your Tomcat now uses only FIPS approved algorithms and FIPS validated implementations.
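Because a connector left on the default JSSE protocol silently serves TLS outside the native library, it is worth checking a deployed server.xml rather than trusting the edit. The PowerShell function below is an added example, not part of the original guide: it parses server.xml and reports every deviation from the two settings above. It assumes the file is well-formed XML, accepts FIPSMode values enter and require alongside the on used in the guide (Tomcat treats all three as FIPS mode), and relies on the connector attribute SSLEnabled, which the guide does not show but which Tomcat uses to mark HTTPS connectors.

```powershell
# Added example (not from the original guide): audit a Tomcat server.xml for the
# settings described above. Returns the list of findings; an empty list means the
# APR listener runs in FIPS mode and every SSL-enabled connector uses the APR protocol.
function Test-TomcatFipsConfig {
    param([Parameter(Mandatory)][string]$ServerXmlPath)

    $findings = @()
    $xml = [xml](Get-Content -Path $ServerXmlPath -Raw)

    # Listener: the AprLifecycleListener must have SSLEngine="on" and FIPSMode set.
    # The guide uses FIPSMode="on"; Tomcat also accepts "enter" and "require".
    $fipsModes = @("on", "enter", "require")
    $listeners = @($xml.SelectNodes("//Listener[@className='org.apache.catalina.core.AprLifecycleListener']"))
    if ($listeners.Count -eq 0) {
        $findings += "No AprLifecycleListener configured; the native library is never loaded"
    }
    foreach ($l in $listeners) {
        if ($l.GetAttribute("SSLEngine") -ne "on") {
            $findings += "AprLifecycleListener: SSLEngine is not 'on'"
        }
        if ($fipsModes -notcontains $l.GetAttribute("FIPSMode")) {
            $findings += "AprLifecycleListener: FIPSMode is '$($l.GetAttribute('FIPSMode'))', expected on/enter/require"
        }
    }

    # Connectors: every SSL-enabled connector must use the APR (OpenSSL) protocol class.
    # Any other protocol serves that port through JSSE, outside the FIPS capable native library.
    # SSLEnabled is Tomcat's attribute marking HTTPS connectors (not shown in the guide).
    foreach ($c in @($xml.SelectNodes("//Connector[@SSLEnabled='true']"))) {
        $proto = $c.GetAttribute("protocol")
        if ($proto -ne "org.apache.coyote.http11.Http11AprProtocol") {
            $findings += "Connector on port $($c.GetAttribute('port')): protocol '$proto' is not Http11AprProtocol"
        }
    }
    return ,$findings
}

# Usage (the path is an example):
# $issues = Test-TomcatFipsConfig -ServerXmlPath "C:\tomcat\conf\server.xml"
# if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { "server.xml is FIPS-ready" }
```

Running the check after every configuration change, or from the CI job that deploys server.xml, turns the FIPS requirement into something that fails the build instead of a note in a runbook.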

Highest tested versions

This guide was tested with the following component versions:

  • Apache Portable Runtime 1.5.2
  • OpenSSL 1.0.2l
  • OpenSSL FIPS Object Module 2.0.16
  • Tomcat Native 1.2.12

Sometimes you may need to set up a Continuous Integration server to build Visual Studio solutions without installing Visual Studio there. But MSBuild is not able to build every solution you have created on your local machine.

The first error you may start getting looks something like:

The imported project "C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v12.0\WCF\Microsoft.VisualStudio.ServiceModel.targets" was not found.

The solution is quite simple:

  • Copy the targets from your local machine to the MSBuild folder on the CI server.

Unfortunately this doesn’t solve all problems. MSBuild will keep throwing exceptions, this time about a missing DLL:

Could not load file or assembly 'Microsoft.VisualStudio.ServiceModel.Core, Version=11.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies.

This time the solution requires a few more steps:

  • Find the missing DLL on your local machine and copy it to the same location on your CI server. It may look like "c:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\Microsoft.VisualStudio.ServiceModel.dll".
  • Install this DLL into the GAC: open the "Developer Command Prompt for VS2013", go into the directory with the DLL and register it to the GAC using the command "gacutil.exe -i Microsoft.VisualStudio.ServiceModel.Core.dll".


When all these steps are done, MSBuild will be able to build your solution successfully.

The Qt Installer Framework is a fairly new framework that is still under development. The current version contains a set of tools and utilities for creating installers. Its most significant feature is that the framework itself is multiplatform: it supports Windows, Mac OS X and Linux.

A great feature of the Qt Installer Framework is that it can download the required files from a server, so the files do not have to be shipped with the installer. It works with so called “repositories”. Thanks to this it can also update the files without downloading the installer again, because it creates a maintenance tool that can update or uninstall the files. However, the documentation is not perfect; it is missing a lot of details.

The framework is an open source project. It is built on top of Qt (it requires a static build of Qt).

The framework is really easy to use. For the basic features the user only needs to know how to work with XML. For advanced features, knowledge of JavaScript (QtScript) is required (C++ might be required for the most advanced features).

Usage

The whole installer creation process starts with creating the required folder structure.

There are two main folders: config and packages.

Configuration

The config folder contains the installer configuration file (config.xml) and the images used in the installer. There are various things that can be configured – Supported Configuration Settings. This is an example of what the configuration file could look like:

<?xml version="1.0" encoding="UTF-8"?>
<Installer>
 <Name>YSoft SafeQ Mac Client</Name>
 <Version>4.3.0</Version>
 <Title>YSoft SafeQ Mac Client Installer</Title>
 <Publisher>Y Soft</Publisher>
 <ProductUrl>http://www.ysoft.com</ProductUrl>
 <TargetDir>@HomeDir@/YSoft</TargetDir>
 <AllowSpaceInPath>true</AllowSpaceInPath>
 <InstallerApplicationIcon>ysoft_96</InstallerApplicationIcon>
 <InstallerWindowIcon>ysoft_96_32x32</InstallerWindowIcon>
 <Watermark>modern-wizard.bmp</Watermark>
 <WizardStyle>Aero</WizardStyle>
</Installer>

Packages

The second folder is the packages folder. It contains all components that will be installed by the installer. Every component consists of two folders, data and meta.

The data folder contains all the files that will be installed on the target machine. The installer archives all data in the 7z format and extracts it on installation.

The meta folder contains the configuration file (package.xml) for the component and the installation script that is called when the component is loaded.

This is an example of a component configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<Package>
 <DisplayName>CUPS Backend</DisplayName>
 <Description>CUPS Backend</Description>
 <Version>4.3.0</Version>
 <ReleaseDate>2015-01-23</ReleaseDate>
 <Default>true</Default>
 <Script>installscript.js</Script>
 <ForcedInstallation>true</ForcedInstallation>
 <RequiresAdminRights>true</RequiresAdminRights>
</Package>

and here is the full list of possible configuration values – Summary of Package Information File Settings.

The next file is the installation script (installscript.js). The script is called when the installer is executed and the component is loaded. It can add new installer wizard pages, prompt the user for a custom path for the component, etc. This is an example of a script that extracts the component to the /tmp folder and moves it to the Applications folder. It then adds a new item (a log out checkbox) to the final page of the installer (the page items or pages have to be designed in Qt Designer).

function Component() {
	// Connect signals to functions
	component.loaded.connect(this, componentLoaded);
	installer.finishButtonClicked.connect(this, finishClicked);
}

Component.prototype.createOperationsForArchive = function(archive) {
	// Extract and move the .app bundle; every argument of Execute is passed to the
	// command separately, so the spaces in the path need no shell escaping
	component.addOperation("Extract", archive, "/tmp");
	component.addElevatedOperation("Execute", "mv", "/tmp/YSoft SafeQ Client.app", "/Applications",
		"UNDOEXECUTE", "rm", "-rf", "/Applications/YSoft SafeQ Client.app");
}

componentLoaded = function() {
	// If this is the installer, load the checkbox from the .ui file
	if (installer.isInstaller()) {
		installer.addWizardPageItem(component, "LogOutCheckBoxForm", QInstaller.InstallationFinished);
	}
}

finishClicked = function() {
	if (!component.installed)
		return;
	// If the installation was successful, let the user log out
	if (installer.isInstaller() && installer.status == QInstaller.Success) {
		var isLogOutChecked = component.userInterface("LogOutCheckBoxForm").LogOut.checked;
		if (isLogOutChecked) {
			// Todo - logout
		}
	}
}

Here is the documentation for the Component scripting.

The installer is created by executing the Qt Installer Framework tool binarycreator:

binarycreator -c config/config.xml -p packages installer

where -p is the path to the packages folder and -c is the path to the config.xml file. The last argument is the name of the installer.

This is the look of the final installer on Mac OS X:


It’s quite easy to install Docker on Windows: just download the installer and follow the instructions.

You might encounter the following error message when starting a Docker image: VT-X is not available.

The cause of this failure is the enabled Hyper-V Windows feature. We described this issue in a previous article.

Here is the quick fix.

Search for “windows feature” and open “Turn Windows features on or off”.

Search for “Hyper-V” in the Windows features and uncheck it.

Click OK and reboot the machine.

VirtualBox can host 64-bit guest OSes on Windows, which is useful for testing various platforms.

The trouble begins when the Hyper-V Windows feature is turned on, which may happen when some software or update is installed. With Hyper-V enabled it is not possible to create new guests with a 64-bit OS, nor to boot anything with a 64-bit kernel that was created before the feature was turned on.

To make 64-bit guests work again you need to turn off the Hyper-V feature.

Search for “windows feature” and open “Turn Windows features on or off”.

Search for “Hyper-V” in the Windows features and uncheck it.

Click OK and reboot the machine. 64-bit OS guests start working again.
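Both the Docker post and this one walk through the same "Turn Windows features on or off" dialog. The PowerShell below is an added example, not part of either post: it checks the Hyper-V feature state first and only disables it when it is actually enabled, so the VT-x error is not misattributed on a machine where Hyper-V is already off. It assumes an elevated PowerShell session and the DISM cmdlets that ship with Windows 8 / Server 2012 and later; Microsoft-Hyper-V-All is the parent feature that the dialog's "Hyper-V" checkbox toggles.

```powershell
# Added example (not from the original posts): the scripted equivalent of the
# "Turn Windows features on or off" steps above. Needs an elevated PowerShell;
# Get-/Disable-WindowsOptionalFeature ship with the DISM module on Windows 8,
# Server 2012 and later. The feature name below is the Hyper-V parent feature.
$feature = "Microsoft-Hyper-V-All"

# Report the current state before changing anything.
$state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
Write-Host "Hyper-V state: $state"

if ($state -eq "Enabled") {
    # Disabling Hyper-V takes effect only after a reboot; -NoRestart leaves that to you.
    $result = Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart
    if ($result.RestartNeeded) {
        Write-Host "Hyper-V disabled; reboot before starting 64-bit guests again."
    }
} else {
    Write-Host "Hyper-V is not enabled; look elsewhere for the VT-x error."
}
```

Keep in mind that the same script run with Enable-WindowsOptionalFeature brings Hyper-V back, and that Windows updates or other software may re-enable it, which is why checking the state rather than assuming it is the useful part.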

A virtual environment is an essential component of the Python world: it lets you isolate different versions of packages in separate environments.

How to set up virtualenv?

Install Python, then install the virtualenv package with pip:

pip install virtualenv

Create a directory that will hold the virtual environment (e.g. pyenv34) and initialize it:

virtualenv --system-site-packages pyenv34

The --system-site-packages option tells virtualenv to inherit the packages from the system installation of Python.

The next step is to activate the environment:

.\pyenv34\Scripts\activate.ps1

Your command prompt changes: the name of the virtual environment appears on the command line.

Now you can install and uninstall packages with pip, and everything stays isolated in the virtual environment directory.

E.g. install ipython:

pip install ipython

It’s time to import antigravity 🙂
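The changed prompt shows that the activation script ran, but not that the python and pip you now call really live inside the environment. The PowerShell below is an added example, not part of the original post: it creates the environment if it does not exist, activates it and then verifies that both the interpreter on PATH and Python's own sys.prefix point under the environment directory. The directory name pyenv34 is the post's; the rest is assumed.

```powershell
# Added example (not from the original post): create and activate the environment
# from the post, then confirm that python actually resolves inside it. The
# directory name pyenv34 is the post's; everything else is assumed.
$EnvDir = "pyenv34"

if (-not (Test-Path (Join-Path $EnvDir "Scripts\activate.ps1"))) {
    virtualenv --system-site-packages $EnvDir
}

# Dot-source the activation script so it modifies PATH in this session,
# not in a child scope that vanishes when the script returns.
. (Join-Path $EnvDir "Scripts\activate.ps1")

# Isolation check: both the python on PATH and sys.prefix must live under $EnvDir.
$expected   = (Resolve-Path $EnvDir).Path
$pythonPath = (Get-Command python).Path
$prefix     = & python -c "import sys; print(sys.prefix)"
if (($pythonPath -notlike "$expected*") -or ($prefix -notlike "$expected*")) {
    throw "python resolves outside the virtual environment: $pythonPath (sys.prefix=$prefix)"
}
Write-Host "Using $pythonPath; packages install under $prefix"
```

Run it from the parent folder of pyenv34. If PowerShell refuses to run activate.ps1 because of the execution policy, Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process relaxes it for the current session only.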

Sometimes it is necessary to work only with a text console.

Git provides a rich command line interface, but browsing history is a little cumbersome.

If you like command line tools and the mutt email client, there is an awesome tool for you: tig.

tig is a text mode interface for git.

Just enter a directory with a cloned git repo and type:

tig

Quick navigation:

  • Enter – show details
  • Tab – switch window pane
  • q – quit

You can find more information at http://jonas.nitro.dk/tig/manual.html.

This tool is available for Mac and Linux; the Windows version is available in Cygwin.