GATEWAY 329 Effects Version:

splattersquadSecurity

Nov 17, 2013 (3 years and 7 months ago)

579 views

Page
1

of
35



GATEWAY 329


Effects Version:


2.3, 2.4, 3.0, 3.1


Environment:


OS: Windows, Linux

AppServer: Glassfish, JBoss


Description:


Default Non
-
FIPS Compliant Glassfish Installation Unable to Successfully Perform SSL Handshake with FIPS Compliant
JBoss/Linux Installation


When setting JBoss/Linux to FIPS 140
-
2 Compliant Mode, SSL communication to/from the JBoss server does not accept
a SSLv2
handshake. RedHat Linux and JBoss support has confirmed that this is a known issue.


Research into this issue needs to be performed in order to allow a non
-
SSLv2 handshake to occur between the two gateways. Once
resolved, the CONNECT installation
and configuration documentation will need to be updated.


Fix Version:

Documentation
on configuration
fix only



this
fix
does not tie to any CONNECT version.



Page
2

of
35


Background
:


There

are t
wo

permutations of configuring CONNECT gateway machines with FIPS mode:

Configuration 1:

FIPS Compliant machine communicating with another FIPS Compliant machine
. This includes a

FIPS Compliant
machine communicating with non
-
FIPS Compliant machine

using the same level of FIPS compliant cipher suite as the FIPS machine

Config
uration
2
:

non
-
FIPS Compliant machine communicate with another non
-
FIPS Compliant machine


The

current installation instructions will only work with
Configuration
2
. The solution below will ensure Configuration 1 will work.


Configuration:

This solutio
n is tested with the following hardware configurations:

Non
-
FIPS Gateway server:

CONNECT 2.3.1,
Windows,
Glassfish 2.1.1, JDK 1.6.0_
22
. Non
-
FIPS installation of NHIN Validation
Entrust SSL certificates. Java Keystore and Truststore.

FIPS Gateway server:

CONNECT 2.4.8,
Red Hat Enterprise Linux,
JBoss 5.1.0 GA, JDK 1.6.0_
22
. FIPS installation of NHIN
Validation Entrust SSL certificates

(
both SHA
-
1 and
SHA
-
2)
; NSS 3.12.4 Database, FIPS mode = true.


Assumptions:


The following solution is assuming that
the
use

ha
s

the above hardware configuration and ha
s

successfully installed the CONNECT
gateway software on two gateway servers. It is also assumed that
the user has

requested and received
all necessary

certificate
s

from
the CONNECT Onboarding team.




Page
3

of
35


Roadmap:


The following
is an overview of the steps for implementing the solution
:

1.

On the FIPS compliant server, the user needs to set up a NSS database to
use with the JBoss Application server in FIPS
compliant Mode.
The instructions below use the
\
opt

d
irectory as the base directory

on the RedHat Gateway server
.

a.

The user starts by creating
director
ies

with the name
fipsconfig

and
fipsdb

under

the
/opt directory

b.

Using a text editor, create a file called pkcs11.cfg in the
fipsconfi
g directory to be used by

the Java server

that points to
the directory created
,

plus

other configuration settings.

c.

Create
a

NSS

database in the
fipsdb

directory.

d.

Enable FIPS mode
.

e.

List the certificates available by default in the NSS Database
.

f.

Set

the NSS Database password
.

g.

Display the actual certificate content in NSS Database
.

h.

Disable FIPS mode before doing any modifications to NSS Database

i.

Generate the signing request, open the server.csr file and
i
mport the Entrust root certificate, the intermediate cross
certificate, a
nd the web server certificate into the truststore
.

j.

Verify the chain of certificates is correct.

k.

Enable FIPS mode.

2.

On the non
-
FIPS compliant server,
the user must upgrade to
a minimum of
JDK 1.6.0_22
,
and
limit SSL protocols to “TLSv1”
only
. This will ensu
re the non
-
FIPS server communicate with the FIPS compliant server using a more secured protocol only.




Page
4

of
35


Solution:

==========================
==========================================
=========

=
SETTING UP NSS Database
to store the certificates

for usage w
ith


=

= Application Server in FIPS Compliant Mode





=

=
on the FIPS Compliant Gateway machine






=

=
FIPS Configuration


Red Hat Enterprise Linux (
RHEL
)

/ JBoss




=

=============================================================================

Step 1:

Login as the administrator and c
reate
director
ies

with the name fipsconfig and fipsdb under
the
/
opt

directory
by running the
following commands:

mkdir /opt/fipsdb

mkdir
/opt/fipsconfig

Step 2:

Using a text editor, create
file /
nhin/fipsconfig/
pkcs11.cfg

to be used by the Java server with the following content:

name=NSSfips

nssLibraryDirectory=/opt/nss
-
3.12.4/lib

nssSecmodDirectory=/opt/fipsdb

nssModule=fips

Step 3:

Change directory to /
nhin
/fipsdb and create a
NSS
Database using the following command:

Page
5

of
35


cd /
opt
/fipsdb

modutil
-
create
-
dbdir /
nhin
/fipsdb


Sample
Output generated:

WARNING: Performing this operation while the browser is running could cause

corruption

of your security databases. If the browser is currently running,

you should exit browser before continuing this operation. Type

'q <enter>' to abort, or <enter> to continue:

Step 4
:

Enable FIPS mode by typing the command below:

modutil
-
fips true
-
dbdir /
nhin
/fipsdb

SampleOutput generated:

WARNING: Performing this operation while the browser is running could cause

corruption of your security databases. If the browser is currently running,

you should exit browser before continuing this operation. Type

'q <e
nter>' to abort, or <enter> to continue:

FIPS mode enabled

.

Step 5:

List the certificates available by default in the NSS Database
. Record the output from the command
:

Page
6

of
35


modutil
-
list
-
dbdir /nhin
/fipsdb


SampleOutput generated:

Listing of PKCS #11
Modules

-----------------------------------------------------------


1. NSS Internal FIPS PKCS #11 Module


slots: 1 slot attached


status: loaded



slot: NSS FIPS 140
-
2 User Private Key Services


token: NSS FIPS 140
-
2
Certificate DB

-----------------------------------------------------------

Step 6:

Change the NSS Database password first

modutil
-
changepw "NSS FIPS 140
-
2 Certif
icate
DB"
-
dbdir /
nhin
/fipsdb

SampleOutput generated:

certutil: Checking token "NSS FIPS 140
-
2

Certificate DB" in slot "NSS FIPS 140
-
2 User Private Key Services "

certutil: could not authenticate to token NSS FIPS 140
-
2 Certificate DB.: An I/O error occurred during security authorization.

[root@
Hostname

fipsdb]# modutil
-
chang
epw "NSS FIPS 140
-
2 Certificate DB"
-
dbdir /nhin/fipsdb

Page
7

of
35



WARNING: Performing this operation while the browser is running could cause

corruption of your security databases. If the browser is currently running,

you

should exit browser before continuing this operation. Type

'q <enter>' to abort, or <enter> to continue:


Enter new password:

Re
-
enter new password:

Token "NSS FIPS 140
-
2 Certificate DB"
password changed successfully
.

Step 7:

Try to display the actual
certificate content in NSS Database using the command below:

certutil
-
K
-
d /nhin/
fipsdb


SampleOutput generated:

certutil: Checking token "NSS FIPS 140
-
2 Certificate DB" in slot "NSS FIPS 140
-
2 User Private Key Services "

Enter Passw
ord or Pin for "NSS FIPS 140
-
2 Certificate DB":

< 0> rsa

633b986f7ae0a8b815d38338aa5ac1e
794586e0b NSS FIPS 140
-
2 Certificate DB:gateway

OR

certutil: no keys found

Page
8

of
35


Step
8
:

D
isable FIPS mode before doing any modifications to NSS Database. Use the comm
and below:

modutil
-
fips false
-
dbdir /nhin
/fipsdb

SampleOutput generated:

WARNING: Performing this operation while the browser is running could cause

corruption of your security databases. If the browser is currently running,

you

should exit browser before continuing this operation. Type

'q <enter>' to abort, or <enter> to continue:


FIPS mode disabled
.

=============================================================================

= NSS FIPS 140
-
2 CERTIFICATE SETUP



=

=============================================================================

Step 1:

Create a temporary directory under /op/fipsdb called cert and g
enera
te signing request

mkdir /opt/fipsdb/cert

cd /opt/fipsdb/cert


certutil
-
R
-
k rsa
-
g 2048
-
s "CN=<REFERENCE#>,ou=nhin
-
test,o=entrust"
-
o server.csr
-
v 12
-
a
-
d /
nhin
/fipsdb

<REFERENCE#>
comes from NHIN on
-
boarding group according to the current instruction
s

Page
9

of
35


Organizational unit is =
nhin
-
test

for Onboarding, production Organization unit may be different

Sample
Output generated:

[root@
Hostname

cert]# certutil
-
R
-
k rsa
-
s "CN=
reference_id
,ou=nhin
-
test,o=entrust"
-
o server.csr
-
v 12
-
a
-
d /nhin/fipsdb

Enter
Password or Pin for "NSS Certificate DB":


A random seed must be generated that will be used in the

creation of your key. One of the easiest ways to create a

random seed is to use the timing of keystrokes on a keyboard.


To begin, type keys on the keyboar
d until this progress meter

is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:

Generating key.

This may take a few moments…


Page
10

of
35


Step 2:

Verify this certificate request by opening the server.csr file

and make sure the base
-
64 encoded content between ‘begin new
certificate request’ and ‘end section request’ exist.

Sample

Output generated:

Certificate
request generated by Netscape certutil

Phone: (not specified)


Common Name:
reference_id

Email: (not specified)

Organization: entrust

State: (not specified)

Country: (not specified)


-----
BEGIN NEW CERTIFICATE REQUEST
-----

MIIBeDCB4gIBADA5MRAwDgYDVQQKEwdlbnRydXN0MRIwEAYDVQQLEwluaGluLXRl

c3QxETAPBgNVBAMTCDY1ODU0MjYwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB

gQDSzO2
LxVUNryWOGskK9gPk
xJoqNS7/j9V39sT3IzIcz3mHh4OtMjO7
Dt1uhmMf

qFIT05Yw3HQC/2kmfd7FRd/M17rvaZKJLFfBS7Dhk8M4VyZOlOMngwsQF1mAF
ntx

Page
11

of
35


b9TDEdywZ6tzgmFGeYwItQLMrbnV8AxmvbQ7tfUX74aDPQIDAQABoAAwDQYJKoZI

hvcNAQEFBQADgYEAe74
Hn
CvvYYbijJoHjrJ+hlfMT66rsA8huV0k9
TcOLbWy6Loo

BPr4piswjqWk09FIL151AsLhZbZ6k8
B/60G8Nn+eicXPkvY1DCu0Zxcc/bxotUeJ

kxIYgisoWD7ePU6m6
4y9zBmBw+NZGmtkP9bRzhIxLBLsMYvW4AYeQdQNd
vA=

-----
END NEW CERTIFICATE REQUEST
-----

Step 3:

Import the E
ntrust root certificate, the intermediate cross certificate, and the web server certificate into the truststore



(
http://developer.connectopensource.org/display/CONNECTWIKI/Certificate+Setup+in+NSS+database+%28FIPS%29
)

certutil
-
A
-
n "gateway"
-
t "
u,u,u"
-
i servercert.bin
-
d /nhin
/fipsdb

certutil
-
A
-
n "entrust"

t

”C
,,”
-
i cacert.crt
-
d /nhin
/fipsdb

certutil
-
A
-
n "e
ntrust
-
cross"

t

”T,,”
-
i cross.crt
-
d /nhin
/fipsdb

Step 4:

Confirm the contents of your NSS database keystore includes the gateway cert, entrust and entrust
-
cross


certutil
-
L
-
n

gateway


-
d /nhin
/fipsdb


Sample Output g
enerated:

If the certificates are
not found
, you will receive a message similar to the fol
lowing:

certutil: Could not find: me
-
cross

: security library: bad database.


Page
12

of
35


If the certificates are
found
, you will receive a message similar to the following:

Certificate:



Data:


Version: 3 (0x2)


Serial Number: 12658532
418 (0x4b7367d2)


Signature Algorithm: PKCS #1 SHA
-
256 With RSA Encryption


Issuer: "OU=Entrust NFI Test Shared Service Provider,OU=Certification


Authorities,O=Entr
ust,C=US"


Validity:


Not Before: Mon Mar 07 16:39:46 2011


Not After : Tue Jun 07 17:09:46 2011


Subject: "CN=
hostname
.connectopensource.org,OU=NHIN
-
Test,O=nhin,C=U


S"


Subject Public Key Info:



Public Key Algorithm: PKCS #1 RSA Encryption


RSA Public Key:


Modulus:

Page
13

of
35



e2:14:eb:f5:f8:22:96:9d:a3:2e:8a:08:85:fb:dd:6e:


2f:87:bc:14:11:90:42:cb:33:6a:1e:5e:ba:5a:45:4c:



37:44:aa:94:a4:8d:c1:d1:ae:7b:42:a2:39:b2:32:e9:


da:d4:aa:94:7f:b5:fd:b1:01:e7:95:7f:35:b1:91:be:



15:8c:34:7f:1a:7f:6
5:d0:a5:47:78:65:5b:de:e5:61:


b8
:fd:43:25:6a:38:d1:fd:ae:4b:b6:66:84:06:f3:77:



5e:a3:2f:9d:f3:7
4:e0:ee:95:e0:f4:63:76:1a:ed:be:


3e:ae:52:8a:78:dc:3a:75:db:19:a3:04:df:97:92:39:



14:1c:db:9e:d
1:03:84:03:92:21:9b:21:02:a6:77:08:




d4:08:77:46:bd:bb:9c:a7:c4:f
7:c7:84:27:7f:3c:0c:


b9:40:ff:58:59:2e:2a:d2:72:d0:81:e5:0d:b4:21:37:


ea:26:42:
69:50:62:9d:e
b:f9:2b:86:50:5c:4e:64:25:


c1:fe:1a:57:
65:b0:d8:87:b7:d7:5
9:6e:3c:5e:36
:b9:


86:25:e1:fe:11:cc:55:9a:e8:0f:64:a8:a3:4e:ae:cb:


8f:cc:ad:5f:2c:42:2c:b4:5c:b5:f2:b3:cd:9b:09:3f:


4e:a7:9e:ca:98:eb:69:1f:78:c9:42:77:d7:99:4e:5b


Exponent: 65537
(0x10001)

Page
14

of
35



Signed Extensions:


Name: Certificate Key Usage


Usages: Digital Signature


Key Encipherment



Name: Certificate Private Key Usage Period


Not Before: Mon Mar 07 16:39:46 2011


Not After : Tue Jun 07 17:09:46 2011



Name: Certificate Type


Data: <SSL Client,SSL Server>



Name: Authority Information Access


Method: PKIX CA issuers access method


Location:


URI: "http://nfitestweb.managed.entrust.com/AIA/CertsIssuedTo


NFIMediumSSPCA.p7c"

Page
15

of
35



Method: PKIX CA issuers access method


Location:


URI: "ldap://nfitestdir.managed.entrust.com/ou=Ent
rust%20NFI%


20Test%20Shared%20Service%20Provider,ou=Certification%20A


uthorities,o=Entrust,c=US?cACertificate;binary,crossCerti


ficatePair;binary"


Method: PKIX Online Certificate Statu
s Protocol


Location:


URI: "http://nfitestocsp.managed.entrust.com/OCSP/NFITestResp


onder"



Name: CRL Distribution Points


URI: "http://nfitestweb.managed.entrust.com/CRLs/NFITestSSPCA.c
rl"


URI: "ldap://nfitestdir.managed.entrust.com/ou=Entrust%20NFI%20Te


st%20Shared%20Service%20Provider,ou=Certification%20Authoriti


es,o=Entrust,c=US?certificateRevocationList;binary"


Directory Name:
"CN=CRL1,OU=Entrust NFI Test Shared Service Provi

Page
16

of
35



der,OU=Certification Authorities,O=Entrust,C=US"



Name: Certificate Authority Key Identifier


Key ID:



4c:98:d0:c9:96:7d:04:96:67
:7d:6c:ad:8d:3c:a5:0c:


5c:69:7d:8c



Name: Certificate Subject Key ID


Data:


7e:72:b0:42:03:a7:7f:06:d2:f4:dd:0d:d5:b3:5b:aa:


ea:cc:20:3d



Name: Certificate Basic Constraints


Data: Is n
ot a CA.



Name: OID.1.2.840.113533.7.65.0


Data: Sequence {

Page
17

of
35



1b:04:56:38:2e:30


a8


(3 least significant bits unused)


}



Signature Algorithm: PKCS #1 SHA
-
256 With RSA E
ncryption


Signature:


42:ac:cb:40:ff:d5:59:43:75:13:9a:f2:80:21:0f:4a:


2f:d5:fc:fd:0a:1d:ff:3f:40:f9:bc:63:0e:58:7e:c6:


55:07:69:92:be:fc:c2:14:44:c8:89:29:75:be:14:a8:


24:eb:c1:d1:d1:fc:57:09:00:5d:3d:47:45:cb:11:b3:


0d:22:91:a1:a9:7f:23:24
:80:6b:96:a5:b3:0f:20:6c:


c5:75:42:cd:43:14:5c:2b:de:69:ad:3b:3e:b6:fe:c4:


e8:6c:5b:7b:9e:04:98:34:8d:de:df:2d:3f:1a:9f:00:



15:77:cc:9c:e2:b9:67:09:6
a:a7:32:25:4b:b5:52:2e:


51:8c:80:74:30:aa:d6
:a
7:9e:0a:b9:8d:d0:b2:db:0f:


16:81:e
7:f7:9f:41:a2:be:cf:e3:9c:2c:fd:ff:65:25:

Page
18

of
35



1f:32:1a:0a:1b:65:8e:3d:8e:ec:9d:62:e7:4e:00:ac:


a2:03:37:a7:e1:62:07:c3:31:dc:55:1a:24:07:03:86:


1d:60:fb:ff:95:2f:b8:cd
:8e:c1:34:10:e2:e9:c6:7e:



9e:b4:7d:02:a8:d4:2b:0c:94
:a4:bd:96:e2:0a:ae:30:


08:6e:78:d9:e4:4c:13:2c:de:6f:c9:bb:f8:65:bd:68:


ba:bc:ef:b7:6b:cd:03:be:e7:2a:e8:e8:ff:7b:21:6a


Fingerprint (MD5):


BD:40:D4:A7:88:CB:90:C8:C8:B5:0A:AB:CD:F7:0E:54


Fingerprint (SHA1):


C1:B6:6D:22:8A:6A:2A:21:28:88:33:43:D1:8D:8F:21:3F:35:39:41



Certificate Trust Flags:


SSL Flags:


User


Email Flags:


User


Object Signing Flags:

Page
19

of
35



User

certutil

-
L
-
n

entrust


-
d /opt/fipsdb

Sample Output generated:

If the certificates are
not found
, you will receive a message similar to the fol
lowing:

certutil: Could not find: me
-
cross

: security library: bad database.

If the certificates are
found
, you will re
ceive a message similar to the following:

Certificate:


Data:


Version: 3 (0x2)


Serial Numb
er: 12205822
15 (0x48c095cf)


Signature Algorithm: PKCS #1 SHA
-
1 With RSA Encryption


Issuer: "OU=DComRootCA,OU=Certification Authorit
ies,O=Entrust,C=US"


Validity:


Not Before: Fri Sep 05 01:43:37 2008


Not After : Wed Sep 05 02:13:37 2018


Subject: "OU=DComRootCA,OU=Certification Authorities,O=Entrust,C=US"

Page
20

of
35



Subject Public Key Info:


Public Key Algorithm: PKCS #1 RSA Encryption


RSA Public Key:


Modulus:


c5:c0:ee:9d:09:3e:a0:ab:8d:ee:ee:ab:a3:36:79:1e:


83:f9:de:ca:46:ee:59:45:4c:ed:1d:51:fb:fa:3d:45:




d9:24:f3:c3:0d:7c:bf:d
a:31:6c:9d:22:e6:49:3d:46:


a1:81:6c:6f:33:b5:95:02:db:e0:3c:da:9b:7c:0d:03:


57:3b:e9:43:a3:12:01:43:4e:23:e3:2c:b0:45:06:a3:



06:ef:67:0b:23:ee:98:5
c:31:66:ce:c1:8
0:3f:a1:a6:



f9:e9:fc:d2:38:ed:48:78
:a8:49:97:15:72:9a:c5:f2:


39:0b:ae:a5:18:fa:
ac:b0:4e
:7a:13:55:e1:65:c1:3a:


b5:35:c6:b6:92:f6:52:23:7e:f1:62:dc:56:39:d9:86:


7a:80:e2:ac:87:38
:8f:27:93:ba:95:88:a7:2f:d1:62:


a7:f7:61:c7:e7:8b:6f:0f:30:62:fc:b7:1b:c4:5c:7b:


85:90:07:03:92:92:be:31:1c:02:bb:3a:db:14:94:81:


ba:ef:71:60:ef:66:a0:c4:aa:b2:8b:fa:9f:f3:52:68:

Page
21

of
35




a8:a1:5c:81:d7:1a:02:76:df:32:5d:c1:8a:c0:1e:a8:


7d:db:56:9d:fb:3f:bd:f7:09:b5:be:6f:b4:b5:3e:49:


e3:e4:91:4c:08:e2:3a:bc:2c:ed:71:78:fb:3a:2d:f7


Exponent: 65537 (0x10001)


Signed Extensions
:


Name: Certificate Key Usage


Usages: Certificate Signing


CRL Signing



Name: Certificate Basic Constraints


Data: Is a CA with no maximum path length.



Name: Subject Info Access


Data: Sequence {


Sequence {


SIA CA Repository


[6]

Page
22

of
35



ldap://dcomdir1.managed.entrust.com/ou=DComRootCA,ou=


Certification%20Authorities,o=Entru
st,c=US?crossCerti


ficatePair;binary


}


Sequence {


SIA CA Repository


[6]


http://dcomweb1.managed.entrust.com/SIA/CAcertsIssued



ByDComRootCA.p7c


}


}



Name: Certificate Type


Data: <SSL CA,S/MIME CA,ObjectSigning CA>



Name: CRL Distribution Points


URI: "ldap://dcomdir1.managed.entrust.com/ou=DComRootCA,ou=Certif

Page
23

of
35



ication%20Authorities,o=Entrust,c=US?certificateRevocationLis


t;binary"


URI: "http://dcomweb1.managed.entrust.com/CRLs/DComRootCA.crl"


Directory Name: "CN=CRL1,OU=DComRootCA,OU=Certification Authoriti


es,O=Entrust,C=US"



Name: Certificate Private Key Usage Period


Not Before: Fri Sep 05 01:43:37 2008


Not After : Wed Sep 05 02
:13:37 2018



Name: Certificate Authority Key Identifier


Key ID:


87:59:81:63:52:45:5e:c0:b0:df:d1:c8:e9:b9:75:38:


10:2e:de:d9



Name: Certificate Subject Key ID


Data:

Page
24

of
35




87:59:81:63:52:45:5e:c0:b0:df:d1:c8:e9:b9:75:38:


10:2e:de:d9



Name: OID.1.2.840.113533.7.65.0


Data: Sequence {


1b:08:56:37:2e:31:3a:34:2e:30


90


(4 least significant bits unused)


}



Signature Algorithm: PKCS #1 SHA
-
1 With RSA Encryption


Signature:



5d:73:ba:64:3f:67:ff:c8:ad
:fe:19:ec:99:ae:0a:12:


12:32:df:4d:81:f4:c0:aa:c3:96:f4:96:98:36:93:e9:


1f:25:77:2d:78:3e:d0:eb:02:36:10:c1:81:7b:26:f7:



db:b3:d2:b0:ef:ba:23:89:5
d:08:82:1e:b6:22:bc:7b:


26
:62:bb:34:06:5f:db:56:f9:cb:4a:5
8:2a:54:01:33:

Page
25

of
35



9d:a9:37:c6:4f:11:aa:fb:66:1a:88:97:90:bc:58:b4:


91:6d:88:25:6b:45:a
b:f1:ef:2c:d9:bb:6d:60:b1:fd:


45:ee:d3:8f:46:43:e3:d1:57:e2:13:e0:b8:ea:d9:c3:


7f:40:3c:17:3f:dd:ec:26:84:a4:e8:ee:e7:9c:4e:f0:


56:21:70:ba:94:4f:e4:7f:ff:6d:36:9b:e1:98:8f:a8:


4c:49:c7:87:05:58:82:0a:ac:3b:c2:13:68:19:ff:54
:


c6:a0:73:34:51:b5:8c:df:f5:fd:4a:46:78:12:a4:fe:



5e:72:7c:51:e8:70:06:03:35
:c3:6a:d2:b6:6c:b8:50:


e9:c4:85:dd:eb:08:65:cf:79:28:33:86:8b:28:aa:ca:


b6:85:04:cf:ff:14:42:56:d5:bd:04:d1:77:c4:a7:0c:


e9:1a:e2:a4:42:ea:87:b4:ee:ca:02:aa:16:c0:ce:c5


Fingerprint (MD5):


08:66:80:E5:BB:E5:88:F3:EF:95:4E:28:9E:50:64:C5


Fingerprint (SHA1):


FA:FB:80:0E:A2:2B:4F:EC:C8:82:E3:B6:2B:CA:3F:47:FD:04:7A:C5



Certificate Trust Flags:

Page
26

of
35



SSL Flags:


Valid CA


Trusted CA


Email Flags:


Object Signing Flags:

certutil
-
L
-
n

entrust
-
cross


-
d /opt/fipsdb

Sample Output generated:

If the certificates are
not found
, you will receive a message similar
to the fol
lowing:

certutil: Could not find: me
-
cross

: security library: bad database.

If the certificates are
found
, you will receive a message similar to the following:

Certificate:


Data:


Version: 3 (0x2)


Serial Number: 1220591185 (0x48c0be51)


Signature Algorithm: PKCS #1 SHA
-
1 With RSA Encryption


Issuer: "OU=DComRootCA,OU=Certification Authorities,O=Entrust,C=US"

Page
27

of
35



Validity:


Not Before: Wed Feb 10 19:09:03 2010



Not After : Wed Sep 05 02:13:37 2018


Subject: "OU=Entrust NFI Test Shared Service Provider,OU=Certificatio


n Authorities,O=Entrust,C=US"


Subject Public Key Info:


Public Key Algorithm: PKCS #1 RSA Encryption


RSA Public Key:


Modulus:


d4:4c:f8:f7:5c:0a:5c:1d:90:1e:9d:62:e9:fb:b7:f8:


ff:03:eb:b2:39:32:a2:a5:4d:4f:a1:de:60:28:e6:57:


66:53:78:ba:7f:79:bf
:03:d
8:8e:e1:e8:40:66:da:
5a:


2c:47:46:93:fc:f9:f0:66:0d:07:8f:99:6f:f1:cb:90:


0d:88:8
0:96:2f:00:09:81:e3:5d:67:5e:23:ce:28:fc:



a3:42:91:c8:c8:51:67
:82:4a:7d:ae:71:b2:2d:0a:92:


72:c8:8d:c0:f7:f7:8b:d8:4
8:d7:c1:8c:37:dc:98:87:


b3:59:d9:df:6f:b7:b8:53:ad:46:fd:48:86:ee:1d:b6:

Page
28

of
35



c6:07:0d:cb:df:e6:81:33:01:91:5c:fe:24:98:a6:7a:



a8:fb:43:86:18:d4:4b:e
f:68:b0:99:18:bc:0b:52:20:


36:dc:da:52:df:9b:c1:b2:54:da:c9:48:9b:bb:df:a5:


4c:c7:ee:d3:03:3f:24:ac:b8:47:9f:f0:58:ac:4c:62:


ba:43:22:70:2f:37:b3:5d:84:ea:83:52:c1:0a:41:8c:


7e:66:fe:ec:dd:7d:b3:ae:52:fa
:70:0e:7e:2b:a6:01:


f0:f7:7f:fe:d8:74:64:19:b8:c3:37:c5:d0:f8:c5:a6:


64:44:fb:2e:d7:12:79:a2:63:a8:d3:fe:00:5f:da:69


Exponent: 65537 (0x10001)


Signed Extensions:


Name: Certificate
Key Usage


Critical: True


Usages: Certificate Signing


CRL Signing



Name: Certificate Policies


Data:

Page
29

of
35



Policy Name: OID.2.16.840.1.114027.200.3.10.10.1.1


Policy

Name: OID.2.16.840.1.114027.200.3.10.10.1.2


Policy Name: OID.2.16.840.1.114027.200.3.10.10.1.3


Policy Name: OID.2.16.840.1.114027.200.3.10.10.1.4


Policy Name: OID.2.16.840.1.114027.200.3.10.10.1.5




Name: Certificate Basic Constraints


Critical: True


Data: Is a CA with no maximum path length.



Name: Authority Information Access


Method: PKIX CA issuers access method


Location:


URI: "http://dcomweb1.managed.entrust.com/AIA/CertsIssuedToDC


omRootCA.p7c"


Method: PKIX CA issuers access method


Location:

Page
30

of
35



URI: "ldap://dcomdir1.managed.entrust.com/ou=DComRootCA,
ou=Ce


rtification%20Authorities,o=Entrust,c=US?cACertificate;bi


nary,crossCertificatePair;binary"


Method: PKIX Online Certificate Status Protocol


Location:


URI: "http://nfitest
ocsp.managed.entrust.com/OCSP/EMSNFITestR


ootCAResponder"



Name: CRL Distribution Points


URI: "http://dcomweb1.managed.entrust.com/CRLs/DComRootCA.crl"


URI: "ldap://dcomdir1.managed.entrust.com/ou=DCo
mRootCA,ou=Certif


ication%20Authorities,o=Entrust,c=US?certificateRevocationLis


t;binary"


Directory Name: "CN=CRL1,OU=DComRootCA,OU=Certification Authoriti


es,O=Entrust,C=US"



Name: Certificate Authority Key Identifier

Page
31

of
35



Key ID:


87:59:81:63:52:45:5e:c0:b0:df:d1:c8:e9:b9:75:38:


10:2e:de:d9



Name: Certificate Subject Key ID


Data:


4c:98:d0
:c9:96:7d:04:97:66:7d:6c:ad:8d:3c:a5:0c:


5c:69:7d:8c



Signature Algorithm: PKCS #1 SHA
-
1 With RSA Encryption


Signature:


73:a5:af:7a:38:56:11:04:c3:37:fd:80:b6:53:f4:72:


af:10:2a:16:fe:31:c4:b2:82:38:74:3e:d2:1e:03:75
:


ff:8e:0e:90:23
:65:92:e5:48:9b:5e:93:23:9b:37:0f:


60:3d:18:90:d8:4e:86:58:d2:c9:9b:7c:54:05:a8:6c:



77:dc:84:62:8e:71:47:2d:67
:c2:b7:69:a3:9f:ba:7e:



b0:46:0d:9b:5b:88:ff:a5:57
:df:58:39:8f:56:e3:81:

Page
32

of
35



3e:90:c8:dc:a0:55:
59:a8:b1:7b:87:10:8f:18:25:37:


ab:f1:3f:0d:15:54:ed:53:24:8b:73:d3:c8:46:e6:1c:


0d:eb:fe:c3:8b:da:f8:b1:11:5c:db:78:68:5c:22:80:


73:41:1d:33:1e:a5:a7:16:15:fd:45:95:bb:c6:fe:60:


86:97:72:57:0a:82
:fb:4e:3c:9d:c2:81:0a:62:87:d4:


a4:22:53:62:e7:a1:09:79:37:0a:a6:8d:46:4f:bd:61:


22:bc:3f:ff:79:f5:48:15:5f:00:03:3e:df:76:1f:b4:


0a:8c:78:7b:6b:90:62:a3:48:66:de:18:c0:83:3d:91:



2f:51:57:d1:33:a3:7f:29:f2
:66:86:d4:fa:89:c4:
91:


60:34:b8:88:73:8a:89:12:5a:b0:ba:da:33:d1:9d:7e


Fingerprint (MD5):


E8:70:7E:9E:43:E9:D5:A2:13:C1:A6:C9:34:83:AA:D6


Fingerprint (SHA1):


63:DD:EF:39:50:07:C8:78:BB:C6:3F:C2:97:36:A5:EC:E9:1B:10:89



Certificate Trust Fl
ags:


SSL Flags:

Page
33

of
35



Valid CA


Trusted Client CA


Email Flags:


Object Signing Flags:

Step 5:

Use the java keytool command to ensure the NSS database has the server certs installed correctly

keytool
-
keystore NONE
-
s
toretype PKCS11

list


Sample Output generated
:

Enter keystore password:


Keystore type: PKCS11

Keystore provider: SunPKCS11
-
NSSfips


Your keystore contains 0 entries

Step
6
:

Verify certificate chain is correct

vfychain
-
d /nhin
/fipsdb gateway


If the

chain is correct
, the message with be similar to:

Enter Password or Pin for

NSS FIPS 140
-
2 Certificate DB

:

Page
34

of
35


Chain is good!

If the chain is

not correct, the
message will be similar to:

Chain is bad
,
-
8172 = Peer's certificate issuer has been marked as not

trusted by the user.

PROBLEM WITH THE CERT CHAIN:

CERT 2. Entrust [Certificate Authority]:


ERROR
-
9172: Peer’s certificate issuer has been marked as not trusted by the user.


OU=DComRootCA,OU=Certification Authorities,O=Entrust,C=US

Step
7
:

Enable
FIPS Mode

modutil
-
fips true
-
dbdir /opt/fipsdb


Sample Output generated:

WARNING: Performing this operation while the browser is running could cause

corruption of your security databases. If the browser is currently running,

you

should exit browser before continuing this operation. Type

'q <enter>' to abort, or <enter> to continue:


FIPS mode

enabled.


Page
35

of
35


=============================================================================

= Changes required on the Non
-
FIPS Gateway
machine





=

=============================================================================


Step 1:

Non
-
FIPS Gateway needs to upgrade to JDK 1.6.0_22
(interoperable mode

is default)

Step
2
:

Need to

limit SSL protocols to “TLSv1” only

in the App Server Configuration

-
Dhttps.protocols=TLSv1

Step
3
:

In the App Server Configuration (e.g. GlassFish domain.xml),
change https listener for SSL

ssl3
-
enabled=’false’


Backup
references:

Details on the commands used in can be found at:

http://www.mozilla.org/projects/security/pki/nss/tools

http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html

http://www.mozilla.or
g/projects/security/pki/nss/tools/certutil.html