CONNECT Federal Information Processing Standard

CONNECT Federal Information
Processing Standard (FIPS) 140-2
Compliance Manual
Version 2.2
CONNECT Release 2.4
21 April 2010
REVISION HISTORY

REVISION   DATE               DESCRIPTION
1.0        05 January 2010    Initial Release
2.0        18 March 2010      Updated for Release 2.4
2.1        12 April 2010      Updated post 2.4 release. Updated hyperlink in section 6.1 and added additional step to section 5.3.2.
2.2        21 April 2010      Updated SSL Certificate information in section 5.3.4 (e).

CONNECT_FIPS_Manual 4/21/10 i Release 2.4
TABLE OF CONTENTS
1.0 INTRODUCTION ........ 1
1.1 PURPOSE ........ 1
1.2 SCOPE ........ 1
1.3 DOCUMENT DESCRIPTION ........ 1
2.0 REFERENCED DOCUMENTS ........ 1
3.0 OPEN SOURCE SOLUTIONS ........ 2
4.0 OTHER SITES ........ 3
5.0 FIPS SOLUTION WITH NSS 3.11.4 ........ 4
5.1 NIST CERTIFICATION ........ 4
5.2 INTEGRATION INTO CONNECT ........ 4
5.3 STEPS REQUIRED TO CONFIGURE GLASSFISH FOR FIPS COMPLIANCE WITH NSS ........ 4
5.3.1 DOWNLOAD THE MOZILLA \ NSS MODULE ........ 4
5.3.2 CREATE GLASSFISH DOMAIN WITH ENTERPRISE PROFILE ........ 5
5.3.3 LOAD TRUSTED CERTIFICATES INTO NSS STORES AND SET FIPS MODE ........ 8
5.3.4 CONFIGURE GLASSFISH TO USE THE NSS STORES ........ 9
5.3.5 DEPLOY CONNECT APPLICATIONS TO NSSDOMAIN ........ 10
5.3.6 VERIFY WHETHER GLASSFISH IS RUNNING WITH NSS KEYSTORES ........ 11
6.0 IMPORT CERTIFICATES TO NSS ........ 11
6.1 PREREQUISITES ........ 11
6.2 TRANSFER OF THE CERTIFICATES ........ 11
6.3 SELF-CERTIFICATE ........ 12
6.3.1 EXPORT DER ENCODED CERTIFICATES FROM EXISTING JKS STORES ........ 12
6.3.2 TRANSFORM INTO PEM ENCODED CERTIFICATES ........ 12
6.3.3 TRANSFORM INTO PKCS12 FORMATTING ........ 12
6.3.4 IMPORT INTO THE NSS STORES ........ 12
6.4 TRUSTED CERTIFICATES ........ 13
6.4.1 EXPORT DER ENCODED CERTIFICATES FROM EXISTING JKS STORES ........ 13
6.4.2 TRANSFORM INTO PEM ENCODED CERTIFICATES ........ 13
6.4.3 IMPORT INTO THE NSS STORES ........ 13
6.5 ENGAGE THE FIPS MODE ........ 13
APPENDIX A ........ A-1
A.1 CREATE AND USE SELF-SIGNED CERTIFICATES ........ A-2
A.1.1 GENERAL INFORMATION ........ A-2
A.1.2 INTERCHANGE SCENARIO ........ A-2
A.1.3 SC065633 - TRUST YOURSELF ........ A-3
A.1.4 SC075254 - TRUST YOURSELF ........ A-3
A.1.5 INTERCHANGE - TRUST THE OTHER GUY ........ A-3
A.1.6 INSTALL THE NEW KEYSTORE AND TRUSTSTORE TO GLASSFISH (ON EACH SC065633 AND SC075254) ........ A-4
A.1.7 NSS ........ A-4
1.0 INTRODUCTION
1.1 Purpose
FIPS 140-2 is a government standard that sets the benchmark for how cryptographic software is to be implemented (http://technet.microsoft.com/en-us/library/cc180745.aspx). This document describes how the CONNECT solution meets that standard so that the CONNECT Gateway is FIPS 140-2 compliant.
Sun, in conjunction with Red Hat, received a NIST certificate of compliance in 2007 (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#814) and is in the process of achieving a 2009 certificate.
1.2 Scope
This document describes the CONNECT Gateway's compliance with the Federal Information Processing Standard (FIPS) 140-2.
1.3 Document Description
This document includes the following sections:
• Section 1.0 Introduction
• Section 2.0 Referenced Documents
• Section 3.0 Open Source Solutions
• Section 4.0 Other Sites
• Section 5.0 FIPS Solution with NSS 3.11.4
• Section 6.0 Import Certificates to NSS
2.0 REFERENCED DOCUMENTS
The following sites served as references in investigating the implementation of this standard:
• https://developer.mozilla.org/en/Windows_Build_Prerequisites
• https://developer.mozilla.org/en/Windows_Build_Prerequisites#MozillaBuild
• https://developer.mozilla.org/NSS_3.12.4_release_notes
• https://developer.mozilla.org/en/NSS_reference/Building_and_installing_NSS/Build_instructions
• http://www.microsoft.com/express/download/#webInstall
• http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/94d05b904280b6ed#
• https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/src/nss-3.12.4-with-nspr-4.8.tar.gz
• http://forums.sun.com/thread.jspa?threadID=5379132
• http://developers.sun.com/appserver/reference/techart/keymgmt.html
• http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
• http://www.java.net/blogs/kumarjayanti/
• http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
• http://www.slproweb.com/products/Win32OpenSSL.html
3.0 OPEN SOURCE SOLUTIONS
Open-source solutions for meeting this compliance are required, and the following is a list of the open-source solutions that were investigated:
• #819 Crypto++™ Library - Contact was made with a Crypto++ consultant to determine whether this package could supply the encryption. To summarize: the compiled version of Crypto++ is what is certified, and it is copyrighted by Wei Dai. Therefore a self-built copy would not be certified.
• #815 NSS Library - The 3.11.4 version of this library was used by Sun in 2007 to obtain a certificate. These binaries are available at this site:
  o ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/
  o ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/
  The current version is NSS 3.12.4 with NSPR 4.8; it has been submitted to NIST for certification but has not yet achieved it. The build process is very complex. Here are some of the applicable build pages from Mozilla:
  o https://developer.mozilla.org/en/Windows_Build_Prerequisites
  o https://developer.mozilla.org/en/Windows_Build_Prerequisites#MozillaBuild
  o https://developer.mozilla.org/NSS_3.12.4_release_notes
  o https://developer.mozilla.org/en/NSS_reference/Building_and_installing_NSS/Build_instructions
  Mozilla also has a build package that sets up the environment:
  o https://developer.mozilla.org/en/Windows_Build_Prerequisites
  Visual C++ is also needed; the link below is one free source, but there are others:
  o http://www.microsoft.com/express/download/#webInstall
  The NSS tar bundle for NSS 3.12.4 and NSPR 4.8 can be found here:
  o https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/src/nss-3.12.4-with-nspr-4.8.tar.gz
  From this, one can build the NSS 3.12.4 binaries. Note that a build is system specific, and binaries are not interchangeable among systems.
  There is hope that the 3.12.4 binaries will be supplied once certification is achieved:
  o http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/94d05b904280b6ed#
  The previously certified 3.11.4 binaries are available as stated above, and it is recommended that these be used since they are what is currently certified.
• #775 IBM® Crypto for C - This is the IBM version of the JRE and does not apply to the CONNECT NHIN environment.
• #733 OpenSSL FIPS Object Module - This is the only open source product that has also achieved NIST certification for 2009. It is C \ UNIX based and can be self-built while retaining its certification status. It also requires that Perl and Visual C++ be downloaded. While integration with Java might be possible, it is not a common pathway for this product.
Additional sites are listed in section 4.0.
4.0 OTHER SITES
• http://forums.sun.com/thread.jspa?threadID=5379132
• http://developers.sun.com/appserver/reference/techart/keymgmt.html
• http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
• http://www.java.net/blogs/kumarjayanti/
• http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
5.0 FIPS SOLUTION WITH NSS 3.11.4
5.1 NIST Certification
The NSS Cryptographic Module version 3.11.4 met FIPS 140-2 level compliance in 2007 (Certification #814). Refer to the NIST validation entry linked in section 1.1 for the details of that certification.
To use the NSS module, download the NSS 3.11.4 binaries and configure them for use.
5.2 Integration into CONNECT
The current Glassfish Application Server v2.1 does not contain the FIPS compliant Mozilla \ NSS release; however, it can be integrated into the server. Three different profiles are available in the Glassfish Application Server. The "enterprise" profile is the one with security enhancements, including an initial set-up of the NSS stores when a domain is created using this profile. This site, http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2, provides more information on the usage of the different profiles as they relate to Transport Layer Security (TLS). It appears that Glassfish version 3 is moving to integrate NSS as well as Metro, but in the Glassfish 2.1 release this integration process requires moving libraries into the Glassfish lib directory and relying on the tools available through the Mozilla \ NSS download.
5.3 Steps Required to Configure Glassfish for FIPS Compliance with NSS
5.3.1 Download the Mozilla \ NSS Module
1. Create the C:\Mozilla directory.
2. Download NSS 3.11.4 and NSPR, selecting the OPT (optimized) version, and unzip them into C:\Mozilla. Note that for Windows machines these are located under the msvc6.0 directory and that the WINNT5.0_OPT.OBJ selection works for XP and Vista machines.
3. Copy the contents of C:\Mozilla\nspr-4.6.4\lib and C:\Mozilla\nss-3.11.4\lib into %AS_HOME%\lib, where AS_HOME is the Glassfish home directory (e.g., AS_HOME=C:\GlassFishESB\glassfish for the Glassfish ESB version). Use the following commands in a command prompt window to copy:
   copy /Y C:\Mozilla\nspr-4.6.4\lib\*.* %AS_HOME%\lib\
   copy /Y C:\Mozilla\nss-3.11.4\lib\*.* %AS_HOME%\lib\
5.3.2 Create Glassfish Domain with Enterprise Profile
1. Set the asadmin environment variables to create a domain with the enterprise profile.
   a. Navigate to %AS_HOME%\config.
   b. Edit asadminenv.conf to set:
      AS_ADMIN_PROFILE=enterprise
   c. Edit asenv.conf to set:
      AS_NSS=AS_HOME\lib (replacing AS_HOME with the Glassfish home directory, as asenv.conf may not identify the AS_HOME environment variable),
      AS_NSS_BIN=C:\Mozilla\nss-3.11.4\bin, and
      AS_ACC_CONFIG=AS_HOME\domains\nssdomain\config\sun-acc.xml (nssdomain can be replaced with the domain name that you choose).
      Change the following line:
      set AS_ICU_LIB=C:\Sun\AppServer\bin
      to
      set AS_ICU_LIB=C:\Sun\AppServer\bin;C:\Sun\AppServer\lib
   d. Edit the asant.bat file (%AS_HOME%\bin) in a text editor and add %AS_NSS% to the ANT_OPTS java.library.path. You should already have something like the following; if %AS_NSS% is not present, add it:
      "-Djava.library.path=%AS_INSTALL%\lib;%AS_ICU_LIB%;%AS_NSS%"
   e. Edit the asadmin.bat file (%AS_HOME%\bin) in a text editor and add %AS_ICU_LIB%;%AS_NSS% to the Path and to the java command. A sample is given below:
      set Path=%AS_INSTALL%\bin;%AS_ICU_LIB%;%AS_NSS%;%PATH%
      "%AS_JAVA%\bin\java" -Dcom.sun.aas.instanceName=server -Djava.library.path="%AS_INSTALL%\bin";"%AS_ICU_LIB%";"%AS_NSS%" -Dcom.sun.aas.configRoot="%AS_CONFIG%"
2. Create the domain
   a. From a new command prompt, add the Glassfish lib and bin directories to the path:
      set Path=%AS_HOME%\lib;%AS_HOME%\bin;%PATH%
   b. Create the domain; remember the password (adminadmin) and accept the default for the master password:
      asadmin create-domain --adminport 4848 --user admin nssdomain
      REPORTS:
      Using port 4848 for Admin.
      Using default port 8080 for HTTP Instance.
      Using default port 7676 for JMS.
      Using default port 3700 for IIOP.
      Using default port 8181 for HTTP_SSL.
      Using default port 3820 for IIOP_SSL.
      Using default port 3920 for IIOP_MUTUALAUTH.
      Using default port 8686 for JMX_ADMIN.
      Domain being created with profile:enterprise, as specified by variable
      AS_ADMIN_PROFILE in configuration file.
      Security Store uses: NSS
      Domain nssdomain created
3. Verify the default NSS stores
   a. C:\Mozilla\nss-3.11.4\bin\modutil -list -dbdir %AS_HOME%\domains\nssdomain\config
      REPORTS:
      Listing of PKCS #11 Modules
      -----------------------------------------------------------
      1. NSS Internal PKCS #11 Module
      slots: 2 slots attached
      status: loaded
      slot: NSS Internal Cryptographic Services
      token: NSS Generic Crypto Services
      slot: NSS User Private Key and Certificate Services
      token: NSS Certificate DB
      -----------------------------------------------------------
   b. C:\Mozilla\nss-3.11.4\bin\certutil -L -d %AS_HOME%\domains\nssdomain\config
      Contents may vary according to system, but should include s1as.
      REPORTS:
      verisignclass1ca                  T,c,c
      thawtepersonalpremiumca           T,c,c
      baltimorecodesigningca            T,c,c
      verisignclass2g2ca                T,c,c
      verisignclass3g3ca                T,c,c
      entrustglobalclientca             T,c,c
      entrustsslca                      T,c,c
      verisignclass3g2ca                T,c,c
      thawtepremiumserverca             TG,c,c
      entrust2048ca                     T,c,c
      valicertclass2ca                  T,c,c
      gtecybertrust5ca                  T,c,c
      equifaxsecureebusinessca1         T,c,c
      verisignclass1g3ca                T,c,c
      godaddyclass2ca                   T,c,c
      thawtepersonalbasicca             T,c,c
      verisignclass1g2ca                T,c,c
      verisignclass2g3ca                T,c,c
      equifaxsecureca                   T,c,c
      entrustclientca                   T,c,c
      verisignserverca                  TG,c,c
      geotrustglobalca                  T,c,c
      equifaxsecureebusinessca2         T,c,c
      s1as                              u,u,u
      verisignclass3ca                  TG,c,c
      verisignclass2ca                  T,c,c
      gtecybertrustglobalca             TG,c,c
      entrustgsslca                     T,c,c
      thawtepersonalfreemailca          T,c,c
      thawteserverca                    TG,c,c
      baltimorecybertrustca             T,c,c
      starfieldclass2ca                 T,c,c
      equifaxsecureglobalebusinessca1   T,c,c
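The listing above, and the single-certificate check in section 6.4.3, are only useful if one can read the trust flag triples: each column is SSL, e-mail and object signing, and the letters mean different things (T is a CA trusted for client certificates, C a CA trusted for server certificates, c merely a valid CA, u a user certificate whose private key lives in the store). The following parser is an added example, not part of the CONNECT manual or of NSS; it takes a certutil -L listing as text (the embedded sample is constructed, not a dump of a real database) and answers the questions a reviewer of a new nssdomain asks: which nicknames are trust anchors, which carry a private key, and whether the stock s1as alias that sections 5.3.4 and A.1.6 replace is still the store's user certificate.

```python
"""Decode the trust flags in a `certutil -L` listing (section 5.3.2, step 3b).

Added example, not part of the CONNECT manual or of NSS. It parses the
nickname/trust-flag table that `certutil -L -d <dbdir>` prints and reports
which nicknames are trust anchors, which are user certificates (nickname
paired with a private key, shown as u,u,u), and whether the default s1as
alias is still present.
"""
from typing import Dict, List

# Letters certutil prints in each of the three columns (SSL, e-mail, object
# signing), as the NSS certutil documentation defines them.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA for server certificates",
    "T": "trusted CA for client certificates",
    "u": "user certificate (private key in the store)",
    "w": "send warning",
    "G": "step-up (government approved) CA",
}

# Constructed excerpt in certutil's own layout: nickname, whitespace, then the
# three comma-separated trust strings. Not a dump of a real database.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

verisignclass3ca                                             TG,c,c
equifaxsecureglobalebusinessca1                              T,c,c
s1as                                                         u,u,u
internal                                                     u,u,u
sc075254                                                     T,c,c
"""


def parse_listing(text: str) -> Dict[str, List[str]]:
    """Return {nickname: [ssl_flags, email_flags, objsign_flags]}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2:
            continue                      # blank line or one-word header line
        nickname, flags = parts
        columns = flags.split(",")
        if len(columns) != 3:
            continue                      # header text, not a trust triple
        entries[nickname] = columns
    return entries


def describe(flags: str) -> List[str]:
    """Spell out one column's letters; unknown letters are reported as such."""
    return [FLAG_MEANING.get(ch, f"unknown flag {ch}") for ch in flags]


def trust_anchors(entries: Dict[str, List[str]]) -> List[str]:
    """Nicknames trusted to issue client or server certificates for SSL."""
    return [n for n, (ssl, _, _) in entries.items() if "T" in ssl or "C" in ssl]


def user_certs(entries: Dict[str, List[str]]) -> List[str]:
    """Nicknames backed by a private key in this store (SSL column holds u)."""
    return [n for n, (ssl, _, _) in entries.items() if "u" in ssl]


def has_default_alias(entries: Dict[str, List[str]], alias: str = "s1as") -> bool:
    """True while the stock GlassFish alias is still a user certificate here."""
    return alias in user_certs(entries)


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print("trust anchors:", trust_anchors(found))
    print("user certs:", user_certs(found))
    print("s1as still present:", has_default_alias(found))
```

Running it over the real output of certutil -L on a freshly created domain reports s1as as the only user certificate; after section 6.3.4 the nickname imported with pk12util (internal) should appear as u,u,u, and after section 6.4.3 the trusted other certificate (sc075254) should appear among the trust anchors with T,c,c.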
5.3.3 Load Trusted Certificates into NSS Stores and Set FIPS Mode
1. Obtain the certificates, either by following the Create and Use Self-Signed Certificates procedure (Appendix A) or by requesting an NHIN certificate from the NHIN Certificate Authority. The JKS keystores in a previous domain would have been set up for use by the CONNECT NHIN Gateway in creating and verifying exchanged certificates.
2. These certificates now need to be added to the NSS stores. The steps to perform this import are given in section 6.0. If a certificate request was generated directly from the NSS stores, the import from the JKS stores is not necessary.
3. Set the FIPS mode (modutil will ask that you exit the browser here):
   C:\Mozilla\nss-3.11.4\bin\modutil -fips true -dbdir %AS_HOME%\domains\nssdomain\config
   REPORTS:
   WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:
   Using database directory ....
   FIPS mode enabled.
4. Verify the contents:
   C:\Mozilla\nss-3.11.4\bin\modutil -list -dbdir %AS_HOME%\domains\nssdomain\config
   REPORTS:
   Listing of PKCS #11 Modules
   -----------------------------------------------------------
   1. NSS Internal FIPS PKCS #11 Module
   slots: 1 slot attached
   status: loaded
   slot: NSS FIPS 140-2 User Private Key Services
   token: NSS FIPS 140-2 Certificate DB
   -----------------------------------------------------------
5.3.4 Configure Glassfish to Use the NSS Stores
1. Create an NSS configuration file %AS_HOME%\domains\nssdomain\config\nss.cfg containing the following (for nssLibraryDirectory, use the actual absolute path instead of environment variables):
   name=NSS
   nssLibraryDirectory=%AS_HOME%\lib
   nssSecmodDirectory=%AS_HOME%\domains\nssdomain\config
   nssModule=fips
   showInfo=true
   nssUseSecmod=true
2. Modify the domain.xml file to use the NSS certificates
   a. There are two instances of "</security-service>". Before each instance add this line:
      <property name="NSS Certificate DB" value="${com.sun.aas.instanceRoot}/config/nss.cfg"/>
   b. One can also change the logging level for security under <module-log-levels> to "FINE" instead of "INFO" (this is an optional step and only required for additional debugging of security issues).
   c. To turn off the security manager, comment out or remove this line:
      <!-- <jvm-options>-Djava.security.manager</jvm-options> -->
   d. There are now two areas in which to specify jvm-options for NHIN. Verify that all occurrences of s1as have been changed to refer to the self-signed certificate or the NHIN certificate.
      <!-- NHIN -->
      <jvm-options>-Xmx1280m</jvm-options>
      <jvm-options>-XX:MaxPermSize=256m</jvm-options>
      <jvm-options>-XX:PermSize=256m</jvm-options>
      <jvm-options>-Dcom.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace=false</jvm-options>
      <jvm-options>-Dxml.catalog.ignoreMissing=true</jvm-options>
      <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=internal</jvm-options>
      <jvm-options>-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true</jvm-options>
      <jvm-options>-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true</jvm-options>
      <jvm-options>-Djavax.enterprise.resource.xml.webservices.security.level=FINE</jvm-options>
      <jvm-options>-Djavax.enterprise.resource.webservices.jaxws=FINE</jvm-options>
      <jvm-options>-Dcom.sun.jbi.httpbc.enableClientAuth=true</jvm-options>
      <jvm-options>-Djavax.net.ssl.keyStoreType=PKCS11</jvm-options>
      <jvm-options>-Djavax.net.ssl.keyStore=NONE</jvm-options>
      <jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
      <jvm-options>-Djavax.net.ssl.trustStoreType=PKCS11</jvm-options>
      <jvm-options>-Djavax.net.ssl.trustStore=NONE</jvm-options>
      <jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
      <jvm-options>-DSERVER_KEY_ALIAS=internal</jvm-options>
      <jvm-options>-DCLIENT_KEY_ALIAS=internal</jvm-options>
      <jvm-options>-Dhttps.protocols=TLSv1</jvm-options>
      <jvm-options>-Dhttps.cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</jvm-options>
      <jvm-options>-Dlog4j.configuration=file:/C:/projects/NHINC/Current/Product/Production/Common/Properties/log4j.properties</jvm-options>
   e. There is an <ssl> element in the <http-listener> for each of the <config> elements. Searching for "<ssl" in domain.xml should find one instance in the server-config <config> element and one in the default-config <config> element. Each of these <ssl> elements should be modified to use only the TLS protocol and to define the cipher suites used:
      <ssl cert-nickname="gateway" client-auth-enabled="true" ssl2-enabled="false" ssl3-enabled="false" ssl3-tls-ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" tls-enabled="true" tls-rollback-enabled="true"/>
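The edits in this section are spread over several places in domain.xml and nss.cfg, and a single missed one (an SSLv3 flag left at its default, an alias still pointing at s1as, an environment variable in nssLibraryDirectory) silently leaves the server outside the configuration described here. The checker below is an added example, not part of the CONNECT manual or of GlassFish: it parses the <security-service>, <jvm-options> and <ssl> elements the section edits and lists every deviation from what the section configures, and it reads nss.cfg for the absolute-path and nssModule=fips requirements. The embedded domain.xml and nss.cfg fragments are constructed, cut down to the elements the checker reads; a real domain.xml has many more.

```python
"""Check domain.xml and nss.cfg against the settings of section 5.3.4.
Added example, not part of the CONNECT manual or of GlassFish."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Cipher suites the manual configures in 5.3.4 (d) and (e); anything else is reported.
ALLOWED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
# System properties step 2(d) sets so keys and trust come from NSS through PKCS#11.
REQUIRED_JVM = {
    "javax.net.ssl.keyStoreType": "PKCS11", "javax.net.ssl.keyStore": "NONE",
    "javax.net.ssl.trustStoreType": "PKCS11", "javax.net.ssl.trustStore": "NONE",
    "https.protocols": "TLSv1",
}

# Constructed, cut-down domain.xml holding only the elements the checker reads.
GOOD_XML = """<domain><configs><config name="server-config">
 <http-service><http-listener id="http-listener-2" port="8181">
  <ssl cert-nickname="gateway" client-auth-enabled="true" ssl2-enabled="false"
       ssl3-enabled="false" tls-enabled="true"
       ssl3-tls-ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"/>
 </http-listener></http-service>
 <java-config>
  <jvm-options>-Djavax.net.ssl.keyStoreType=PKCS11</jvm-options>
  <jvm-options>-Djavax.net.ssl.keyStore=NONE</jvm-options>
  <jvm-options>-Djavax.net.ssl.trustStoreType=PKCS11</jvm-options>
  <jvm-options>-Djavax.net.ssl.trustStore=NONE</jvm-options>
  <jvm-options>-Dhttps.protocols=TLSv1</jvm-options>
  <jvm-options>-Dhttps.cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</jvm-options>
  <jvm-options>-DSERVER_KEY_ALIAS=internal</jvm-options>
 </java-config>
 <security-service>
  <property name="NSS Certificate DB" value="${com.sun.aas.instanceRoot}/config/nss.cfg"/>
 </security-service>
</config></configs></domain>
"""
# The same file with three of the mistakes the section warns about.
BAD_XML = (GOOD_XML.replace('ssl3-enabled="false"', 'ssl3-enabled="true"')
           .replace("SERVER_KEY_ALIAS=internal", "SERVER_KEY_ALIAS=s1as")
           .replace('name="NSS Certificate DB"', 'name="Other"'))
# Constructed nss.cfg: absolute library path versus the environment variable the section forbids.
GOOD_CFG = "name=NSS\nnssLibraryDirectory=C:\\GlassFishESB\\glassfish\\lib\nnssModule=fips\nnssUseSecmod=true\n"
BAD_CFG = GOOD_CFG.replace("C:\\GlassFishESB\\glassfish\\lib", "%AS_HOME%\\lib")


def jvm_properties(root: ET.Element) -> Dict[str, str]:
    """Map every -Dname=value <jvm-options> entry to {name: value}."""
    props = {}
    for opt in root.iter("jvm-options"):
        text = (opt.text or "").strip()
        if text.startswith("-D") and "=" in text:
            name, value = text[2:].split("=", 1)
            props[name] = value
    return props


def check_domain_xml(xml_text: str) -> List[str]:
    """Return findings; an empty list means domain.xml matches section 5.3.4."""
    root = ET.fromstring(xml_text)
    findings = []
    for svc in root.iter("security-service"):
        if "NSS Certificate DB" not in {p.get("name") for p in svc.findall("property")}:
            findings.append("security-service lacks the 'NSS Certificate DB' property")
    props = jvm_properties(root)
    for name, want in REQUIRED_JVM.items():
        if props.get(name) != want:
            findings.append(f"jvm-option {name} should be {want}, is {props.get(name)}")
    for name, value in props.items():
        if "s1as" in value:
            findings.append(f"jvm-option {name} still references the default s1as alias")
    for suite in props.get("https.cipherSuites", "").split(","):
        if suite and suite not in ALLOWED_SUITES:
            findings.append(f"client cipher suite {suite} is not in the configured list")
    for ssl in root.iter("ssl"):
        if ssl.get("ssl2-enabled") != "false" or ssl.get("ssl3-enabled") != "false":
            findings.append("an <ssl> element leaves SSLv2 or SSLv3 enabled")
        if ssl.get("tls-enabled") != "true":
            findings.append("an <ssl> element does not enable TLS")
        if ssl.get("cert-nickname") == "s1as":
            findings.append("an <ssl> element still uses the default s1as nickname")
        for suite in ssl.get("ssl3-tls-ciphers", "").split(","):
            if suite and suite.lstrip("+") not in ALLOWED_SUITES:
                findings.append(f"listener cipher suite {suite} is not in the configured list")
    return findings


def check_nss_cfg(cfg_text: str) -> List[str]:
    """Flag an nss.cfg whose paths use environment variables or that is not in FIPS mode."""
    kv = dict(line.split("=", 1) for line in cfg_text.splitlines() if "=" in line)
    findings = []
    for key in ("nssLibraryDirectory", "nssSecmodDirectory"):
        path = kv.get(key, "")
        if "%" in path or "${" in path:
            findings.append(f"{key} must be an absolute path, not {path}")
    if kv.get("nssModule") != "fips":
        findings.append("nssModule is not set to fips")
    return findings
```

To use it on a live domain, read %AS_HOME%\domains\nssdomain\config\domain.xml and nss.cfg and pass their text to check_domain_xml and check_nss_cfg; an empty list from both means every setting the section touches is in place, and the findings on BAD_XML show what a leftover SSLv3 flag, a stray s1as and a missing NSS Certificate DB property look like.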
5.3.5 Deploy CONNECT Applications to nssdomain
Deploy the applications to nssdomain (or the new domain name chosen in section 5.3.2) either using the ant scripts or through the NetBeans IDE.
1. To use the ant script to deploy the applications to nssdomain instead of domain1, modify C:\projects\NHINC\Current\Product\Install\settings.xml to set:
   <property name="deployment.glassfish.domain.name" value="nssdomain"/>
2. To see this instance in the NetBeans IDE:
   a. Go to the Services tab.
   b. Remove the domain1 service.
   c. Click on Servers to "Add Server".
   d. Name the new instance Glassfish V2 (NSS).
   e. Select "Register Local Default Domain", set the port to 4848 and the domain to nssdomain, and select the Enterprise profile.
5.3.6 Verify Whether Glassfish is Running with NSS Keystores
Open the Glassfish admin console using http://<host-name>:4848 and accept the certificate. At this point one should be able to view the certificate that was added to the NSS keystores.
Another way to validate the above steps is to open the Universal Client web application in a browser and verify the certificate used. The construction of the SAML assertion header can be validated by viewing server.log when any secure communication is invoked. The Universal Client's subject discovery feature invokes one such communication and can be used to test the construction and extraction of the SAML information while using the new NSS stores.
6.0 IMPORT CERTIFICATES TO NSS
Given that previous JKS stores are in use, use the procedures in sections 6.1 through 6.5 to export the desired certificates and import them into the NSS stores for use in the Glassfish Enterprise profile.
6.1 Prerequisites
Obtain the following required software:
1. Download keyexport.zip and expand it into the C:\keyexport directory.
2. Download and install the Visual C++ 2008 Redistributables from http://www.slproweb.com/products/Win32OpenSSL.html
3. Download and install Win32 OpenSSL v0.9.8l from http://www.slproweb.com/products/Win32OpenSSL.html to C:\openssl
6.2 Transfer of the Certificates
If following the instructions on creating self-signed certificates, one will need the "internal" certificate from internal.jks and the trusted certificate from the machine to be communicated with. In the interchange scenario given in Appendix A this was given the alias name "SC075254". The transfer procedure differs slightly between the two in that the self-certificate has an associated private key whereas the trusted other certificate does not.
6.3 Self-Certificate
6.3.1 Export DER encoded certificates from existing JKS stores
The X.509 certificates in the JKS keystores can be exported in DER (Distinguished Encoding Rules) encoded binary format.
Export the Self-Certificate:
keytool -export -file internal.der -keystore internal.jks -storepass changeit -alias internal
6.3.2 Transform into PEM encoded certificates
A PEM (Privacy Enhanced Mail) certificate is a Base64 encoded DER certificate enclosed between a
"-----BEGIN CERTIFICATE-----"
line and an
"-----END CERTIFICATE-----"
line.
Obtain the Self-Certificate PEM:
c:\openssl\bin\openssl x509 -in internal.der -inform DER -out internal.PEM -outform PEM
Obtain the Private Key for the Self-Certificate using the KeyExport tool:
java -cp c:\keyexport\keyexport.jar com.sun.xml.wss.tools.KeyExport -keyfile internalkey.PEM -alias internal -keystore internal.jks -outform PEM -storepass changeit -keypass changeit
Append the contents of internalkey.PEM to the internal.PEM file.
6.3.3 Transform into PKCS12 formatting
PKCS #12 (Public Key Cryptography Standard #12) is an industry format suitable for transporting a certificate together with its associated private key. It is a form of the Personal Information Exchange (PFX) format.
Convert the Self-Certificate to PKCS #12 format:
c:\openssl\bin\openssl pkcs12 -export -in internal.PEM -out internal.p12 -name "internal"
6.3.4 Import into the NSS Stores
The pk12util tool imports certificates and keys from PKCS #12 files into NSS stores.
Include the NSS and NSPR libraries placed in glassfish\lib in the Path environment variable, where %AS_HOME% is the Glassfish home directory:
set Path=%AS_HOME%\lib;%PATH%
Import the Self-Certificate:
C:\Mozilla\nss-3.11.4\bin\pk12util -i internal.p12 -n internal -d %AS_HOME%\domains\nssdomain\config
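Sections 6.3.2 and 6.3.3 rely on the PEM format being exactly what the text says: the DER bytes, Base64 encoded, between BEGIN and END lines. The block below is an added example, not part of the CONNECT manual, OpenSSL or the KeyExport tool: der_to_pem does what the openssl x509 -outform PEM step does, pem_blocks parses a PEM file back into its labelled DER blobs, and bundle_is_ready confirms that the file produced by appending internalkey.PEM to internal.PEM holds exactly one certificate and one private key before it is handed to openssl pkcs12 -export. The DER byte strings embedded here are constructed stand-ins, not a real certificate or key, and the "RSA PRIVATE KEY" label is an assumption about what the exported key file is labelled.

```python
"""PEM/DER handling behind sections 6.3.2 and 6.3.3.
Added example, not part of the CONNECT manual or of OpenSSL."""
import base64
import re
from typing import Dict, List, Tuple

# One PEM block: label on the BEGIN line, Base64 body, matching END line.
_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64 the DER bytes in 64-column lines between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return [(label, der_bytes)] for every block; corrupt Base64 raises."""
    out = []
    for m in _BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        out.append((label, base64.b64decode(body, validate=True)))
    return out


def block_counts(text: str) -> Dict[str, int]:
    """How many blocks of each label the file holds."""
    counts: Dict[str, int] = {}
    for label, _ in pem_blocks(text):
        counts[label] = counts.get(label, 0) + 1
    return counts


def bundle_is_ready(text: str) -> bool:
    """True when the appended file has one CERTIFICATE and one private key block,
    which is what openssl pkcs12 -export expects from internal.PEM."""
    counts = block_counts(text)
    keys = sum(n for label, n in counts.items() if label.endswith("PRIVATE KEY"))
    return counts.get("CERTIFICATE", 0) == 1 and keys == 1


# Constructed stand-ins: not a real X.509 certificate or key, only byte blobs
# long enough to show the 64-column wrapping.
FAKE_CERT_DER = bytes(range(0, 200))
FAKE_KEY_DER = bytes(range(255, 155, -1))

if __name__ == "__main__":
    cert_pem = der_to_pem(FAKE_CERT_DER)
    bundle = cert_pem + der_to_pem(FAKE_KEY_DER, "RSA PRIVATE KEY")
    print(block_counts(bundle), "ready:", bundle_is_ready(bundle))
```

In practice one would read internal.PEM after the append step and call bundle_is_ready on it; a file with two certificates, no key, or a key whose Base64 was damaged in transfer is rejected before the PKCS #12 conversion rather than discovered when pk12util fails.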
6.4 Trusted Certificates
The procedure for transferring any trusted certificates into the NSS stores is similar to that given above for the self-certificate.
6.4.1 Export DER encoded certificates from existing JKS stores
Export the trusted certificate:
keytool -export -file SC075254.der -keystore cacerts.jks -storepass changeit -alias SC075254
6.4.2 Transform into PEM encoded certificates
Transform the trusted certificate into a PEM:
c:\openssl\bin\openssl x509 -in SC075254.der -inform DER -out SC075254.PEM -outform PEM
6.4.3 Import into the NSS Stores
The trusted other certificate consists of a certificate only and is not paired with a private key, so certutil can be used to add it to the NSS store.
Import the Trusted Other Certificate:
C:\Mozilla\nss-3.11.4\bin\certutil -A -n "sc075254" -t "T,c,c" -i C:\GlassFishESB\Certificates\SC075254.PEM -d %AS_HOME%\domains\nssdomain\config
Verify the certificate:
C:\Mozilla\nss-3.11.4\bin\certutil -L -n "sc075254" -d %AS_HOME%\domains\nssdomain\config
6.5 Engage the FIPS Mode
Using modutil, enable the FIPS 140-2 compliance mode:
C:\Mozilla\nss-3.11.4\bin\modutil -fips true -dbdir %AS_HOME%\domains\nssdomain\config
APPENDIX A
A.1 CREATE AND USE SELF-SIGNED CERTIFICATES
A.1.1 General Information
A digital certificate contains:
• A public key.
• The "distinguished-name" information of the entity (person, company, or so on) whose certificate it is. This entity is referred to as the certificate subject, or owner. The distinguished-name information includes the following attributes (or a subset): the entity's name, organizational unit, organization, city or locality, state or province, and country code.
• A digital signature. A certificate is signed by one entity, the issuer, to vouch for the fact that the enclosed public key is the actual public key of another entity, the owner.
• The distinguished-name information for the signer (issuer).
Sometimes a certificate is self-signed, that is, signed using the private key corresponding to the public key in the certificate; the issuer is the same as the subject. It is reasonable to self-sign a certificate if the recipient already trusts the sender.
Certificates of entities that are trusted are typically imported into the keystore as "trusted certificates." The public key in each such certificate may then be used to verify signatures generated using the corresponding private key.
For development purposes it is reasonable to interchange self-signed certificates between machines that will be hosting various Web Services that will be requested by Web Services from the other machine. To do this:
• Create the keystore for the private internal key
• Export the certificate that will authenticate the internal key
• Import the trusted certificates into the truststore
• Provide these certificates to Glassfish to use for authentication purposes
Java provides the keytool utility to assist in these operations. For full details, reference the tooldocs.
A.1.2 Interchange Scenario
A machine identified as SC065633 on the cs.myharris.net hosts several Web Services.
In some cases a given Web Service will need to communicate with another Web
Service that is hosted on this same machine. In other cases it will need to communicate
with another Web Service that is hosted on another machine known as SC075254. To
establish the keystores and truststores needed to provide this flexibility the following
steps are to be taken on the given machines.
A.1.3 SC065633 - Trust Yourself
• Back up the installed versions of cacerts.jks and domain.xml in the C:\GlassFishESB\glassfish\domains\domain1\config directory
• Copy cacerts.jks to a work directory where the certificate set-up will be performed
• Create the internal keystore
  o keytool -genkey -keyalg RSA -keysize 1024 -keystore internal.jks -keypass changeit -storepass changeit -validity 365 -alias internal -dname "cn=SC065633.cs.myharris.net"
• Export the certificate
  o keytool -export -rfc -alias internal -file SC065633.cer -keystore internal.jks -keypass changeit -storepass changeit
• Import the "self" certificate into the truststore
  o keytool -import -v -trustcacerts -alias SC065633 -file SC065633.cer -keystore cacerts.jks
A.1.4 SC075254 - Trust Yourself
• Back up the installed versions of cacerts.jks and domain.xml in the C:\GlassFishESB\glassfish\domains\domain1\config directory
• Copy cacerts.jks to a work directory where the certificate set-up will be performed
• Create the internal keystore
  o keytool -genkey -keyalg RSA -keysize 1024 -keystore internal.jks -keypass changeit -storepass changeit -validity 365 -alias internal -dname "cn=SC075254.cs.myharris.net"
• Export the certificate
  o keytool -export -rfc -alias internal -file SC075254.cer -keystore internal.jks -keypass changeit -storepass changeit
• Import the "self" certificate into the truststore
  o keytool -import -v -trustcacerts -alias SC075254 -file SC075254.cer -keystore cacerts.jks
A.1.5 Interchange - Trust the Other Guy
• Copy SC065633.cer over to the work area of SC075254
• Import this trusted certificate into the truststore
  o keytool -import -v -trustcacerts -alias SC065633 -file SC065633.cer -keystore cacerts.jks
• Copy SC075254.cer over to the work area of SC065633
• Import this trusted certificate into the truststore
  o keytool -import -v -trustcacerts -alias SC075254 -file SC075254.cer -keystore cacerts.jks
A.1.6 Install the New Keystore and Truststore to Glassfish (on each of SC065633 and SC075254)
• Make sure Glassfish is stopped
• Copy internal.jks and cacerts.jks from the work area over to C:\GlassFishESB\glassfish\domains\domain1\config
• Edit domain.xml to use the development certificates
  o Find and replace "s1as" with "internal"
  o Indicate to use the internal.jks keystore
  o Set up both key aliases to use the internal certificate
  o <!-- Certificate configuration -->
  o <jvm-options>-Dcom.sun.jbi.httpbc.enableClientAuth=true</jvm-options>
  o <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=internal</jvm-options>
  o <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/internal.jks</jvm-options>
  o <jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
  o <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
  o <jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
  o <jvm-options>-DSERVER_KEY_ALIAS=internal</jvm-options>
  o <jvm-options>-DCLIENT_KEY_ALIAS=internal</jvm-options>
A.1.7 NSS
If running in the Enterprise profile of Glassfish, or if there is a need for FIPS compliant stores, these certificates will need to reside in NSS stores. See section 6.0 of this document.