
I am trying to enable FIPS mode using NSS DB, openjdk11 and tomcat 9.

What I configured:

  • java.security: security.provider.1=sun.security.pkcs11.SunPKCS11 /usr/share/tomcat/nss_pkcsll_fips.cfg
  • Installed the NSS DB using modutil
  • Configured the HTTPS connector in server.xml with certificateKeystoreType="PKCS11"

I am getting the error below:

25-Nov-2022 18:09:21.046 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [PKCS11] with path [/home/tomcat/.keystore] due to [PKCS11 not found]
        java.security.KeyStoreException: PKCS11 not found
                at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
                at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:186)
                at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
                at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
                at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:606)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:77)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1048)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:566)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
        Caused by: java.security.NoSuchAlgorithmException: PKCS11 KeyStore not available
                at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
                at java.base/java.security.Security.getImpl(Security.java:779)
                at java.base/java.security.KeyStore.getInstance(KeyStore.java:875)

Can anyone point me to the documentation for enabling FIPS mode in Tomcat 9 with OpenJDK 11?


Suresh

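An added diagnostic, not part of the question and not Tomcat's or the JDK's own code. The exception in the trace is thrown by KeyStore.getInstance("PKCS11"), which can only succeed if a configured SunPKCS11 provider instance is actually registered; the first thing to verify is therefore whether the provider loads at all, outside Tomcat. Two things worth checking while doing so: on JDK 9 and later SunPKCS11 lives in the jdk.crypto.cryptoki module and the java.security entry refers to it by provider name (security.provider.N=SunPKCS11 /path/to.cfg) rather than the JDK 8 class-name spelling, and the keystore type Tomcat asks for must be served by that provider instance. The program below takes the cfg path and the token PIN as arguments (both assumed), configures the provider programmatically from the same file, and performs the same KeyStore lookup Tomcat does. The class name Pkcs11Check is hypothetical; the cfg shape in the leading comment is the NSS-in-FIPS-mode form documented in the JDK PKCS#11 reference guide.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

/*
 * Pkcs11Check: stand-alone check that the SunPKCS11/NSS FIPS configuration
 * used by Tomcat can be loaded and yields a PKCS11 KeyStore.
 *
 * Assumed cfg file (form from the JDK PKCS#11 reference guide, NSS in FIPS mode):
 *   name = NSSfips
 *   nssLibraryDirectory = /usr/lib64
 *   nssSecmodDirectory = /etc/pki/nssdb
 *   nssModule = fips
 *
 * Usage: java Pkcs11Check /path/to/nss_fips.cfg <token-pin>
 */
public class Pkcs11Check {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java Pkcs11Check <sunpkcs11.cfg> [pin]");
            System.exit(2);
        }
        String cfgPath = args[0];
        // NSS in FIPS mode requires a login, so the PIN is effectively mandatory there.
        char[] pin = args.length > 1 ? args[1].toCharArray() : null;

        // 1. What java.security actually registered at startup. If no "SunPKCS11-<name>"
        //    entry shows up here, the static configuration did not take effect.
        System.out.println("Providers registered from java.security:");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %-24s %s%n", p.getName(), p.getInfo());
        }

        // 2. Configure the provider programmatically from the same cfg. Since JDK 9 the
        //    provider is obtained by name and configured with Provider.configure(String);
        //    a bad cfg path, key or NSS library directory fails right here, with a
        //    message that points at the cfg rather than at the keystore.
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException(
                "SunPKCS11 not present: jdk.crypto.cryptoki module is missing from this JDK");
        }
        Provider pkcs11 = base.configure(cfgPath);
        Security.addProvider(pkcs11);
        System.out.println("Configured provider: " + pkcs11.getName()); // SunPKCS11-<name>

        // 3. The lookup Tomcat performs, pinned to this provider instance. A PKCS11
        //    keystore takes no input stream; the password is the token PIN.
        KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
        ks.load(null, pin);
        System.out.println("PKCS11 keystore loaded, entries:");
        for (String alias : Collections.list(ks.aliases())) {
            System.out.printf("  alias=%s keyEntry=%b%n", alias, ks.isKeyEntry(alias));
        }
    }
}
```

Compile and run it with the same JDK binary Tomcat starts under, so the java.security file and the jdk.crypto.cryptoki module it sees are the ones Tomcat sees. The provider name printed in step 2 (SunPKCS11-NSSfips for the cfg above) is the value Tomcat's certificateKeystoreProvider connector attribute expects next to certificateKeystoreType="PKCS11"; if step 1 lists no such provider while step 2 succeeds, the cfg is fine and the java.security entry is what needs attention.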