2

I have my Struts application running in Tomcat version 5.0. I want to add OpenSSL FIPS 140-2 support to this application. I know there are settings in the server.xml which allow OpenSSL https connections, but I am unable to find out anything specific to OpenSSL FIPS 140-2 compliance. I have the following questions:

  1. Is there anything related to Java? That is, do we need to make any settings in the Java runtime environment to add compliance for FIPS 140-2?
  2. Would just doing the settings for OpenSSL in Tomcat server.xml make it compliant with OpenSSL FIPS 140-2?
  3. Is there anything else? Like upgrading Tomcat to the latest version which has support for OpenSSL FIPS 140-2; if yes, any information related to the same?

I am pretty much new to OpenSSL and FIPS. Unable to find anything concrete related to Tomcat.

Rahul Borkar

1 Answer

2

The changelogs are always a good place to start. Search for FIPS in the following:

You'll see you need at least 6.0.36, 7.0.23 or 8.0.0. I'd recommend that you use the latest stable version of whichever major version you choose. For production, I'd recommend 7.0.x. For development, 8.0.x. (8.0.x is very, very close to production ready).

To your specific questions:

  1. If you are using OpenSSL to provide your https connections then there are no Java changes required.
  2. Yes.
  3. See above.
Mark Thomas
  • Thanks a lot for your answer. Not able to get your answer for the 1st question: are any changes required in Java? Basically the answer is pretty much confusing, as there is no first and then you say " there is Java changes required." Could you please clarify? Also, if you can modify the answer and post the changes required in more detail, that would really help me and others who are going to read this question. – Rahul Borkar May 29 '14 at 10:16
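
A configuration check for the setup the answer above describes, as an added example that is not part of the original answer or of Tomcat itself. It assumes FIPS mode is requested through the `FIPSMode` attribute of the APR connector's `AprLifecycleListener` in server.xml; the sample file and its paths are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Minimum releases named in the answer, keyed by major version.
MIN_FIPS_RELEASE = {6: (6, 0, 36), 7: (7, 0, 23), 8: (8, 0, 0)}
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# Assumption: on Tomcat 6/7/8.0 these connector classes use Java JSSE, not OpenSSL.
JSSE_PROTOCOLS = {"org.apache.coyote.http11.Http11Protocol",
                  "org.apache.coyote.http11.Http11NioProtocol"}

# Constructed sample server.xml; certificate paths are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" />
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLCertificateFile="/path/to/server.crt"
               SSLCertificateKeyFile="/path/to/server.key" />
  </Service>
</Server>"""

def version_supports_fips(version):
    """True if a Tomcat version string meets the minimum for its major line."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    minimum = MIN_FIPS_RELEASE.get(parts[0])
    if minimum is None:
        return parts[0] > 8  # assumption: later major lines keep the feature
    return parts >= minimum

def check_server_xml(xml_text):
    """Return a list of problems; an empty list means FIPS mode is requested."""
    root = ET.fromstring(xml_text)
    problems = []
    listeners = [el for el in root.iter("Listener")
                 if el.get("className") == APR_LISTENER]
    if not listeners:
        problems.append("no AprLifecycleListener: OpenSSL (APR) is not loaded")
    for el in listeners:
        if el.get("SSLEngine", "on").lower() == "off":
            problems.append("SSLEngine is off on the APR listener")
        if el.get("FIPSMode", "off").lower() == "off":
            problems.append("FIPSMode is not set on the APR listener")
    for conn in root.iter("Connector"):
        is_tls = conn.get("SSLEnabled", "false").lower() == "true"
        if is_tls and conn.get("protocol") in JSSE_PROTOCOLS:
            problems.append("port %s uses a JSSE connector, so the Java "
                            "provider handles TLS" % conn.get("port"))
    return problems

if __name__ == "__main__":
    print(version_supports_fips("5.0.28"), check_server_xml(SAMPLE_SERVER_XML))
```

The check covers configuration only; the Tomcat Native library still has to be built against a FIPS-capable OpenSSL for the mode to take effect.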