List: tomcat-user
Subject: Java 9+ and custom JCE/JSSE providers
From: Amit Pande <Amit.Pande () veritas ! com ! INVALID>
Date: 2023-10-31 14:22:46
Message-ID: CH0PR20MB4123769D66EF089D940BACA19AA0A () CH0PR20MB4123 ! namprd20 ! prod ! outlook ! com
Hello,
I am in the process of updating the https://github.com/amitlpande/tomcat-9-fips page for versions later than Java 8.
Ran into an issue:
1. Was looking to configure the additional Bouncy Castle providers in the Java install itself by:
   * Modifying the java.security file to add providers.
   * Placing the jars in the Java lib/ext directory.
2. However, from Java 9+, the lib/ext directory is no longer present (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B).
3. The alternative I attempted was to place the additional provider jars in Tomcat's lib directory.
4. Create a Java security properties file with:

       security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
       security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
       security.provider.3=sun.security.provider.Sun
       ssl.KeyManagerFactory.algorithm=PKIX
       ssl.TrustManagerFactory.algorithm=PKIX

5. Launch Tomcat with the JVM option -Djava.security.properties=file:/path/to/java_security_properties_file
6. However, I noticed that these BC providers weren't getting loaded.
I see a comment from Chris here - \
https://www.mail-archive.com/users@tomcat.apache.org/msg137824.html "I don't see any \
place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the \
administrator in some way."
Not sure if it's relevant here.
But wanted to know if there is any way to configure Tomcat for Java 9+ with custom \
JSSE/JCE providers (with just a config change)? Maybe I missed something?
Also, FWIW, I was able to get the FIPS configuration for Java 11 and 17 with Tomcat 9 by \
registering a custom listener and adding providers there. Will soon update \
https://github.com/amitlpande/tomcat-9-fips with detailed steps.
Thanks,
Amit
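The listener approach the post mentions, as an added example that is not code from the original message or from the tomcat-9-fips project. One caveat worth knowing when the java.security.properties route fails the way described above: when the JVM parses the security.provider.N entries it resolves the class names through the system class loader (ServiceLoader over that loader, then the class name), so jars that live only in $CATALINA_HOME/lib, which Tomcat's common class loader owns, are invisible to it. Either put the jars on CLASSPATH from setenv.sh, or register the providers from code that runs inside the common loader, which is what a LifecycleListener does. The package and class name below are hypothetical; the example assumes the bc-fips and bctls-fips jars are in $CATALINA_HOME/lib and mirrors the provider order and the ssl.* properties from the override file in the post.

```java
// Added example, not the original post's or the tomcat-9-fips project's code.
// Assumptions: bc-fips and bctls-fips jars are in $CATALINA_HOME/lib so the common
// class loader (which also loads this listener) can see the provider classes.
// Package and class name are hypothetical. Register it in server.xml as the first
// <Listener> under <Server>, before the connectors are created:
//   <Listener className="com.example.fips.FipsProviderListener"/>
package com.example.fips;

import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

import javax.net.ssl.SSLContext;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class FipsProviderListener implements LifecycleListener {

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // BEFORE_INIT_EVENT fires on the Server before any Connector is initialised,
        // so the providers are in place before JSSE is consulted for the first time.
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        registerProviders();
    }

    /** Same ordering as the override file in the post: BCFIPS first, BCJSSE second. */
    static void registerProviders() {
        if (Security.getProvider("BCFIPS") == null) {
            Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        }
        if (Security.getProvider("BCJSSE") == null) {
            // "fips:BCFIPS" is the configuration string from the post's
            // security.provider.2 line: FIPS mode, backed by the BCFIPS provider.
            Security.insertProviderAt(new BouncyCastleJsseProvider("fips:BCFIPS"), 2);
        }
        // Equivalent of the ssl.* lines in the override file.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
        Security.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");
        verify();
    }

    /** Fail at startup instead of silently serving TLS from the JDK's SunJSSE. */
    static void verify() {
        Provider[] providers = Security.getProviders();
        if (providers.length < 2
                || !"BCFIPS".equals(providers[0].getName())
                || !"BCJSSE".equals(providers[1].getName())) {
            throw new IllegalStateException(
                    "unexpected provider order: " + Arrays.toString(providers));
        }
        try {
            String tlsProvider = SSLContext.getInstance("TLS").getProvider().getName();
            if (!"BCJSSE".equals(tlsProvider)) {
                throw new IllegalStateException(
                        "TLS is served by " + tlsProvider + ", not BCJSSE");
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("no TLS SSLContext available", e);
        }
    }
}
```

The verify() step is the part a practitioner should not skip: without it a mis-ordered or missing provider leaves Tomcat running on the default SunJSSE with no error, which is exactly the silent failure the post reports. With it, the exception surfaces as a LifecycleException during Catalina's load phase and the server does not come up.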