
List:       tomcat-user
Subject:    Java 9+  and custom JCE/JSSE providers
From:       Amit Pande <Amit.Pande () veritas ! com ! INVALID>
Date:       2023-10-31 14:22:46
Message-ID: CH0PR20MB4123769D66EF089D940BACA19AA0A () CH0PR20MB4123 ! namprd20 ! prod ! outlook ! com


Hello,

I am in the process of updating https://github.com/amitlpande/tomcat-9-fips page for
versions later than Java 8.

Ran into an issue:

  1.  Was looking to configure the additional Bouncy Castle providers in the Java
      install itself by:
      *   Modifying the java.security file to add providers.
      *   Placing the jars in the Java's lib/ext directory.
  2.  However, from Java 9+, the lib/ext directory is no longer present
      (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B)
  3.  The alternative I attempted was to place the additional provider jars in Tomcat's
      lib directory.
  4.  Create a Java security properties file with:

          security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
          security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
          security.provider.3=sun.security.provider.Sun
          ssl.KeyManagerFactory.algorithm=PKIX
          ssl.TrustManagerFactory.algorithm=PKIX

  5.  Launch Tomcat with the JVM option
      -Djava.security.properties=file:/path/to/java_security_properties_file
  6.  However, I noticed that these BC providers weren't getting loaded.

I see a comment from Chris here -
https://www.mail-archive.com/users@tomcat.apache.org/msg137824.html "I don't see any
place in Tomcat to specify the JSSE provider. Perhaps we should expose that to the
administrator in some way."

Not sure if it's relevant here.

But I wanted to know if there is any way to configure Tomcat for Java 9+ with custom
JSSE/JCE providers (with just a config change)? Maybe I missed something?

Also, FWIW, I was able to get the FIPS configuration for Java 11, 17 with Tomcat 9 by
registering a custom listener and adding providers there. Will soon update
https://github.com/amitlpande/tomcat-9-fips with detailed steps.

Thanks,
Amit
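Editor's note on the listener approach the message mentions: the sketch below is an added example and is not Amit's code, nor code from the tomcat-9-fips repository or from Tomcat itself. The class name, package, log messages and the `server.xml` wiring are assumptions made for illustration; the Bouncy Castle constructors (`BouncyCastleFipsProvider()`, `BouncyCastleJsseProvider(boolean fipsMode, Provider jceProvider)`) and the provider names `BCFIPS`/`BCJSSE` are as in the bc-fips and bctls-fips jars as far as I know, and should be checked against the version you deploy. One caveat worth stating, since it explains why the `java.security.properties` route tends to do nothing rather than fail: the JDK resolves `security.provider.N` entries through the system class loader, and Tomcat's `lib/` directory is not on the system class path (only `bootstrap.jar` and `tomcat-juli.jar` are), so provider jars placed there are invisible to that mechanism. A `LifecycleListener` runs inside Tomcat's common class loader, which does see `lib/`, and `Lifecycle.BEFORE_INIT_EVENT` fires before any Connector builds its `SSLContext`, so registering there is early enough.

```java
package com.example.fips; // hypothetical package, not from the original post

import java.security.Provider;
import java.security.Security;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Server-level listener that puts the BC-FIPS JCE provider and the BC JSSE provider
 * at the head of the JCA provider list before any Connector initialises.
 *
 * Assumptions (example code, not the project's own):
 *  - bc-fips and bctls-fips jars sit in $CATALINA_BASE/lib, i.e. the same class loader
 *    that loads this listener, so the provider classes resolve.
 *  - The listener is declared in server.xml, directly under <Server>, as
 *      <Listener className="com.example.fips.BcFipsProviderListener" />
 *    so that it receives the Server's before_init event.
 */
public class BcFipsProviderListener implements LifecycleListener {

    private static final Log log = LogFactory.getLog(BcFipsProviderListener.class);

    private static final String JCE_NAME  = "BCFIPS";  // BouncyCastleFipsProvider.PROVIDER_NAME
    private static final String JSSE_NAME = "BCJSSE";  // BouncyCastleJsseProvider.PROVIDER_NAME

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Only act once, before the Server (and therefore every Connector) initialises.
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }

        // 1. JCE provider first: all primitives (RSA, AES, SHA-2, RNG) come from here.
        Provider jce = Security.getProvider(JCE_NAME);
        if (jce == null) {
            jce = new BouncyCastleFipsProvider();
            Security.insertProviderAt(jce, 1);
        }

        // 2. JSSE provider second, in FIPS mode and bound to the BCFIPS JCE provider,
        //    so TLS handshakes never fall back to SunJCE for key exchange or ciphers.
        if (Security.getProvider(JSSE_NAME) == null) {
            Security.insertProviderAt(new BouncyCastleJsseProvider(true, jce), 2);
        }

        // 3. Tomcat's JSSE code asks the Security properties for these algorithm names;
        //    BCJSSE supports PKIX (not SunX509), so set them here as well as in any
        //    java.security override, in case that file is not being read.
        Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
        Security.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");

        // 4. Fail closed. A FIPS deployment that silently runs on SunJSSE is worse than
        //    one that refuses to start, so verify the ordering rather than just logging it.
        Provider[] providers = Security.getProviders();
        if (providers.length < 2
                || !JCE_NAME.equals(providers[0].getName())
                || !JSSE_NAME.equals(providers[1].getName())) {
            throw new IllegalStateException(
                    "Expected provider order [" + JCE_NAME + ", " + JSSE_NAME + "] but got "
                    + describe(providers));
        }
        log.info("Registered security providers: " + describe(providers));
    }

    private static String describe(Provider[] providers) {
        StringBuilder sb = new StringBuilder("[");
        for (int i = 0; i < providers.length; i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append(providers[i].getName()).append(' ').append(providers[i].getVersionStr());
        }
        return sb.append(']').toString();
    }
}
```

Two practical notes. First, insert positions are 1-based and `insertProviderAt` returns -1 without changing anything if a provider of that name is already installed, which is why the code checks `Security.getProvider(...)` before inserting rather than relying on the return value. Second, the hard failure in step 4 is deliberate: the symptom Amit describes (providers "not getting loaded") is silent, so a startup check that compares the live provider list against what the deployment requires is the cheapest way to make a misconfiguration visible.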


