来源:蜘蛛抓取(WebSpider)
时间:2018-04-24 05:22
标签:
linux rescue mode
Bug 878212 & Cannot log into 6.4 nightlies with fips mode + selinux in enforcing mode
Red Hat Bugzilla & Bug&878212
Cannot log into 6.4 nightlies with fips mode + selinux in enforcing mode
Cannot log into 6.4 nightlies with fips mode + selinux in enforcing mode
Red Hat Enterprise Linux 6
Classification:
Component:
selinux-policy
Miroslav Grepl
QA Contact:
Milos Malik
Docs Contact:
Whiteboard:
Reopened, SELinux
Duplicates:
Depends On:
Show dependency
16:04 EST by Hans de Goede
Fixed In Version:
selinux-policy-3.7.19-184.el6
Story Points:
Environment:
Last Closed:
03:32:25 EST
Regression:
Mount Type:
Documentation:
Verified Versions:
oVirt Team:
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:
Attachments【图文】孟庆昌 LINUX教程第3版 第1章_百度文库
您的浏览器Javascript被禁用,需开启后体验完整功能,
赠送免券下载特权
10W篇文档免费专享
部分付费文档8折起
每天抽奖多种福利
两大类热门资源免费畅读
续费一年阅读会员,立省24元!
孟庆昌 LINUX教程第3版 第1章
阅读已结束,下载本文到电脑
登录百度文库,专享文档复制特权,积分每天免费拿!
你可能喜欢Access denied | www.moon-soft.com used Cloudflare to restrict access
Please enable cookies.
What happened?
The owner of this website (www.moon-soft.com) has banned your access based on your browser's signature (d789e-ua98).新手园地& & & 硬件问题Linux系统管理Linux网络问题Linux环境编程Linux桌面系统国产LinuxBSD& & & BSD文档中心AIX& & & 新手入门& & & AIX文档中心& & & 资源下载& & & Power高级应用& & & IBM存储AS400Solaris& & & Solaris文档中心HP-UX& & & HP文档中心SCO UNIX& & & SCO文档中心互操作专区IRIXTru64 UNIXMac OS X门户网站运维集群和高可用服务器应用监控和防护虚拟化技术架构设计行业应用和管理服务器及硬件技术& & & 服务器资源下载云计算& & & 云计算文档中心& & & 云计算业界& & & 云计算资源下载存储备份& & & 存储文档中心& & & 存储业界& & & 存储资源下载& & & Symantec技术交流区安全技术网络技术& & & 网络技术文档中心C/C++& & & GUI编程& & & Functional编程内核源码& & & 内核问题移动开发& & & 移动开发技术资料ShellPerlJava& & & Java文档中心PHP& & & php文档中心Python& & & Python文档中心RubyCPU与编译器嵌入式开发驱动开发Web开发VoIP开发技术MySQL& & & MySQL文档中心SybaseOraclePostgreSQLDB2Informix数据仓库与数据挖掘NoSQL技术IT业界新闻与评论IT职业生涯& & & 猎头招聘IT图书与评论& & & CU技术图书大系& & & Linux书友会二手交易下载共享Linux文档专区IT培训与认证& & & 培训交流& & & 认证培训清茶斋投资理财运动地带快乐数码摄影& & & 摄影器材& & & 摄影比赛专区IT爱车族旅游天下站务交流版主会议室博客SNS站务交流区CU活动专区& & & Power活动专区& & & 拍卖交流区频道交流区
家境小康, 积分 1008, 距离下一级还需 992 积分
论坛徽章:0
[notice] SSL FIPS mode disabled
[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] SSL FIPS mode disabled
[warn] pid file /usr/local/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous& && && &Apache run?
[notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips DAV/2 configured -- resuming& && && &normal operations
这是什么意思?
论坛徽章:379
那个只是一个提示.尝试在apache配置文件中添加SSLFIPS on指令打开.
北京盛拓优讯信息技术有限公司. 版权所有 京ICP备号 北京市公安局海淀分局网监中心备案编号:22
广播电视节目制作经营许可证(京) 字第1234号
中国互联网协会会员&&联系我们:
感谢所有关心和支持过ChinaUnix的朋友们
转载本站内容请注明原作者名及出处解决openssl - How to make tomcat FIPS Mode enabling - openssl-tomcat7-tomcat - ITkeyowrd
解决openssl - How to make tomcat FIPS Mode enabling
领取地址:
i have added this in server.xml to enable tomcat FIPSMode
&Listener className=&org.apache.catalina.core.AprLifecycleListener&
SSLEngine=&on& FIPSMode=&on& /&
But after that logs are throwing,
Dec 01, :53 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
when i check the
it is asking us to create OpenSSL library
FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. If this attribute is set to any of the above values, the SSLEngine must be enabled as well.
So, now the question is how to create OpenSSL library for tomcat FIPS ? and how to integrate it with tomcat ?
please & the steps or documentation to achieve this
Please check this new exception #1
Dec 03, :37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
Dec 03, :37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Dec 03, :37 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: Initializing FIPS mode...
Dec 03, :37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:333)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:138)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Dec 03, :37 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
java.lang.Error: Failed to enter FIPS mode
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:147)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
openssl version
OpenSSL 1.0.1p-fips 9 Jul 2015
Please check the new exception#2
03-Dec-:24.577 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:
Apache Tomcat/8.0.29
03-Dec-:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:
Nov 20 :00 UTC
03-Dec-:24.578 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:
03-Dec-:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:
03-Dec-:24.579 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:
2.6.32-131.0.15.el6.x86_64
03-Dec-:24.584 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:
03-Dec-:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:
/java/jdk1.7.0_80/jre
03-Dec-:24.585 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:
1.7.0_80-b15
03-Dec-:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
Oracle Corporation
03-Dec-:24.586 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:
/tomcat/apache-tomcat-8.0.29
03-Dec-:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:
/tomcat/apache-tomcat-8.0.29
03-Dec-:24.587 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/tomcat/apache-tomcat-8.0.29/conf/logging.properties
03-Dec-:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
03-Dec-:24.588 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/tomcat/apache-tomcat-8.0.29/endorsed
03-Dec-:24.589 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/tomcat/apache-tomcat-8.0.29
03-Dec-:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/tomcat/apache-tomcat-8.0.29
03-Dec-:24.590 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/tomcat/apache-tomcat-8.0.29/temp
03-Dec-:24.590 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
03-Dec-:24.591 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
03-Dec-:24.657 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
03-Dec-:24.691 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
at org.apache.tomcat.jni.SSL.fipsModeSet(Native Method)
at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:329)
at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:135)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
Finaly Worked!!
04-Dec-:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.5.2.
04-Dec-:30.500 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
04-Dec-:30.561 INFO [main] **org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
04-Dec-:30.576 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode**
04-Dec-:30.577 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized (OpenSSL 1.0.1p 9 Jul 2015)
04-Dec-:30.935 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler [&http-apr-8080&]
04-Dec-:30.973 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler [&ajp-apr-8009&]
04-Dec-:30.976 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 2308 ms
asked Dec 1 '15 at 14:20
19 5 && & Have you also set your JVM to FIPS mode? –&
Dec 10 '15 at 13:54 && & No...is that necessary ? –&
Dec 11 '15 at 10:42 && & Actually we still doing test on this tomcat. i heard there is another method through Java. but for me it worked for Linux and Solaris. –&
Dec 11 '15 at 10:43 && & AFAIK,
FIPSMode=&on& only applies to the OpenSSL library in the APR listener. The rest of the JVM won't be running in FIPS mode. You need to follow
for FIPS mode –&
Dec 11 '15 at 10:45 && & Oh Yes...i'm sorry. i forgot to check. actually our jre is already FIPS enabled. –&
Dec 11 '15 at 10:47
1 Answers 1
You need to configure Tomcat to work with APR connectors, here the steps (did it on CentOS 6):
Install gcc
yum install gcc
Install latest APR
wget http://apache.spd.co.il//apr/apr-1.5.1.tar.gz
tar -zxvf apr-1.5.1.tar.gz
cd apr-1.5.1/
./configure
make install
Install latest APR-util
wget http://apache.spd.co.il/apr/apr-util-1.5.3.tar.gz
tar -zxvf apr-util-1.5.3.tar.gz
cd apr-util-1.5.3
./configure --with-apr=/usr/local/apr
make install
Configure OpenSSL
Check installed version by executing:
openssl version
Example output: OpenSSL 1.0.1h-fips 5 Jun 2014
Note the installed version compiled in FIPS mode, google for manuals to do so. Copy the corresponding source version files from OpenSSL site to your machine /var/tmp/openssl-1.0.1h
In order to build tomcat's JNI wrapper, ensure that JDK is available (copy it to the machine, note that the JDK version must be the same as installed JRE).
Install JNI Wrapper for APR used by Tomcat (libtcnative)
cd $CATALINA_HOME/bin
tar -zxvf tomcat-native.tar.gz
cd tomcat-native/jni/native
./configure --with-apr=/usr/local/apr --with-java-home=$JDK_HOME --prefix=/usr --with-ssl=/var/tmp/openssl-1.0.1h/build/lnx/devel/x86_64
make install
Configure your CA
Edit the copied openssl.cnf file with setting the dir property under the CA_default section.
#!/bin/bash
#Configuring your CA
mkdir -p /var/tmp/myCA/certs
mkdir /var/tmp/myCA/csr
mkdir /var/tmp/myCA/newcerts
mkdir /var/tmp/myCA/private
cp /etc/pki/tls/openssl.cnf /var/tmp/myCA/.
cd /var/tmp/myCA
echo 00 & serial
echo 00 & crlnumber
touch index.txt
# Create CA private key
openssl genrsa -aes128 -passout pass:qwerty -out
private/rootCA.key 2048
# Remove passphrase
openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key
# Create CA self-signed certificate
openssl req -config openssl.cnf -new -x509 -subj '/C=IL/L=Tel-Aviv/CN=www.imperva.com' -days 365 -key private/rootCA.key -out certs/rootCA.crt
# Create a SSL Server certificate
# Create private key for the mx server
openssl genrsa -aes128 -passout pass:qwerty -out private/mx.key 2048
# Remove passphrase
openssl rsa -passin pass:qwerty -in private/mx.key -out private/mx.key
# Create CSR (Certificate Signing Request) for the MX server
openssl req -config openssl.cnf -new -subj '/C=IL/L=Tel-Aviv/CN=mx' -key private/mx.key -out csr/mx.csr
# Create certificate for the MX server
openssl ca -batch -config openssl.cnf -days 365 -in csr/mx.csr -out certs/mx.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
Configure Tomcat
Edit server.xml to use Http11AprProtocol protocol:
&Connector
interface=&management&
port=&8080&
protocol=&org.apache.coyote.http11.Http11AprProtocol&
secure=&false&
SSLEnabled=&false&
scheme=&http&
URIEncoding=&UTF-8&
minProcessors=&5&
maxProcessors=&150&
enableLookups=&true&
acceptCount=&10&
allowChunking=&true&
server=&NA&/&
answered Dec 2 '15 at 7:52
974 9 23 && & HI Maxim, Thanks for your answer!!! –&
Dec 3 '15 at 8:23 && & but i get these exception, please check the updated question –&
Dec 3 '15 at 8:23 && & That looks like APR is loaded and seems like no issue that. but why this FIPS is not able to enable ? –&
Dec 3 '15 at 11:18 && & The error happens due to wrong versions compatibility between the run time openssl version to your compiled version. –&
Dec 3 '15 at 11:26 && & openssl version is giving OpenSSL 1.0.1p-fips 9 Jul 2015 and this is what i downloaded from openssl page –&
Dec 3 '15 at 12:58
相关阅读排行
相关内容推荐
请激活账号
为了能正常使用评论、编辑功能及以后陆续为用户提供的其他产品,请激活账号。
您的注册邮箱:
如果您没有收到激活邮件,请注意检查垃圾箱。
