CONNECT Federal Information Processing Standard (FIPS) 140-2 Compliance Manual


Nov 21, 2013 (3 years and 9 months ago)












CONNECT

Federal Information Processing Standard (FIPS) 140-2 Compliance Manual

Version 3.0

CONNECT Release 3.0

15 June 2010





CONNECT_FIPS_Manual    Release 3.0    6/15/10


REVISION HISTORY

REVISION   DATE              DESCRIPTION
1.0        05 January 2010   Initial Release
2.0        18 March 2010     Updated for Release 2.4
2.1        12 April 2010     Updated post 2.4 release. Updated hyperlink in section 6.1 and added additional step to section 5.3.2.
2.2        21 April 2010     Updated SSL Certificate information in section 5.3.4 (e).
3.0        15 June 2010      Updated for Release 3.0








































TABLE OF CONTENTS

1.0 INTRODUCTION
    1.1 Purpose
    1.2 Scope
    1.3 Document Description
2.0 REFERENCED DOCUMENTS
3.0 OPEN SOURCE SOLUTIONS
4.0 OTHER SITES
5.0 FIPS SOLUTION WITH NSS 3.12.4
    5.1 NIST Certification
    5.2 Integration into CONNECT
    5.3 Steps Required to Configure Glassfish for FIPS Compliance with NSS
        5.3.1 Download the Mozilla\NSS Module
        5.3.2 Create Glassfish Domain with Enterprise Profile
        5.3.3 Load Trusted Certificates into NSS Stores and Set FIPS Mode
        5.3.4 Configure Glassfish to Use the NSS Stores
        5.3.5 Deploy CONNECT Applications to nssdomain
        5.3.6 Verify Whether Glassfish is Running with NSS Keystores
6.0 IMPORT CERTIFICATES TO NSS
    6.1 Prerequisites
    6.2 Transfer of the Certificates
    6.3 Self-Certificate
        6.3.1 Export DER encoded certificates from existing JKS stores
        6.3.2 Transform into PEM encoded certificates
        6.3.3 Transform into PKCS12 formatting
        6.3.4 Import into the NSS Stores
    6.4 Trusted Certificates
        6.4.1 Export DER encoded certificates from existing JKS stores
        6.4.2 Transform into PEM encoded certificates
        6.4.3 Import into the NSS Stores
    6.5 Engage the FIPS Mode
APPENDIX A
A.1 CREATE AND USE SELF-SIGNED CERTIFICATES
    A.1.1 General Information
    A.1.2 Interchange Scenario
    A.1.3 SC065633 - Trust Yourself
    A.1.4 SC075254 - Trust Yourself
    A.1.5 Interchange - Trust the other guy
    A.1.6 Install the New Keystore and Truststore to Glassfish (on each SC065633 and SC075254)
    A.1.7 NSS



1.0 INTRODUCTION

1.1 Purpose

FIPS 140-2 is a government standard that provides a benchmark for how to implement cryptographic software (http://technet.microsoft.com/en-us/library/cc180745.aspx). For the CONNECT Solution, this standard is being met to ensure that the CONNECT Gateway is FIPS 140-2 compliant.

Sun, in conjunction with RedHat, received a NIST certificate of compliance in 2007 (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#814) and is in the process of achieving a 2009 certificate.

1.2 Scope

This document describes the CONNECT Gateway's compliance with the Federal Information Processing Standard (FIPS) 140-2.

1.3 Document Description

This document includes the following sections:

- Section 1.0 Introduction
- Section 2.0 Referenced Documents
- Section 3.0 Open Source Solutions
- Section 4.0 Other Sites
- Section 5.0 FIPS Solution with NSS 3.12.4
- Section 6.0 Import Certificates to NSS


2.0 REFERENCED DOCUMENTS

The following sites served as references in investigating the implementation of this standard:

- https://developer.mozilla.org/en/Windows_Build_Prerequisites
- https://developer.mozilla.org/en/Windows_Build_Prerequisites#MozillaBuild
- https://developer.mozilla.org/NSS_3.12.4_release_notes
- https://developer.mozilla.org/en/NSS_reference/Building_and_installing_NSS/Build_instructions
- http://forums.sun.com/thread.jspa?threadID=5379132
- http://www.microsoft.com/express/download/#webInstall
- http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/94d05b904280b6ed#
- https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/src/nss-3.12.4-with-nspr-4.8.tar.gz
- http://forums.sun.com/thread.jspa?threadID=5379132
- http://developers.sun.com/appserver/reference/techart/keymgmt.html
- http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
- http://www.java.net/blogs/kumarjayanti/
- http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
- http://developers.sun.com/appserver/reference/techart/keymgmt.html
- http://www.slproweb.com/products/Win32OpenSSL.html


3.0 OPEN SOURCE SOLUTIONS

Open-source solutions for meeting this compliance are required, and the following is a list of open-source solutions that were investigated:

- #819 Crypto++™ Library - Contact was made with a Crypto++ consultant to determine use of this package to supply the encryption. To summarize: the compiled version of Crypto++ is what is certified, and it is copyrighted by Wei Dai. Therefore, a self-built version would not be certified.

- The current version is NSS 3.12.4 with NSPR 4.8, and is NIST certified. The binary files can be downloaded from here: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/ It is recommended that these be used since this is what is currently certified.

- #775 IBM® Crypto for C - This is the IBM version of the JRE and does not apply to the Connect NHIN environment.

- #733 OpenSSL FIPS Object Module - This is the only open source product that has also achieved NIST certification for 2009. It is also C\UNIX based, and can be self-built and retain certification status. It also requires that Perl and Visual C++ be downloaded as well. While integration with Java might be possible, it is not a common pathway for this product.

Additional sites are listed in section 4.0.



4.0 OTHER SITES

- http://forums.sun.com/thread.jspa?threadID=5379132
- http://developers.sun.com/appserver/reference/techart/keymgmt.html
- http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
- http://www.java.net/blogs/kumarjayanti/
- http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
- http://developers.sun.com/appserver/reference/techart/keymgmt.html

5.0 FIPS SOLUTION WITH NSS 3.12.4

5.1 NIST Certification

The NSS Cryptographic Module version 3.12.4 met FIPS 140-2 level compliance in 2010, Certification #1280. Refer to this document for the details of that certification.

To use the NSS module, download the NSS 3.12.4 binaries and configure them for use.

5.2 Integration into CONNECT

The current Glassfish Application Server v2.1 does not contain the FIPS compliant Mozilla\NSS release; however, this can be integrated into the server. There are three (3) different profiles available for use in the Glassfish Application Server.

The "enterprise" profile is the one that has security enhancements, including an initial set-up of the NSS stores when creating a domain using this profile. This site, http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2, provides more information on the usage of those different profiles as they relate to Transport Layer Security (TLS). It appears that Glassfish version 3 is moving to integrate in NSS as well as Metro, but in the Glassfish 2.1 release, this integration process requires moving libraries into Glassfish lib and relying on the tools available through the Mozilla\NSS download.

5.3 Steps Required to Configure Glassfish for FIPS Compliance with NSS

5.3.1 Download the Mozilla\NSS Module

1. Create the C:\Mozilla directory.

2. Download and unzip into C:\Mozilla the NSS 3.12.4 and NSPR 4.8 (included in the NSS 3.12.4 zip file), selecting the OPT version (optimized). Note that for Windows machines, these are located under the msvc6.0 directory and that the WINNT5.1_OPT.OBJ selection works for XP and Vista machines.

3. Copy the contents of C:\Mozilla\nss-3.12.4\lib into %AS_HOME%\lib, where AS_HOME is the Glassfish home directory (e.g., AS_HOME=C:\GlassFishESB\glassfish for the Glassfish ESB version). Use the command below in a command prompt window to copy.

       copy /Y C:\Mozilla\nss-3.12.4\lib\*.* %AS_HOME%\lib\

5.3.2 Create Glassfish Domain with Enterprise Profile

1. Set the asadmin environment variables to create a domain with the enterprise profile.

   a. Navigate to %AS_HOME%\config.

   b. Edit asadminenv.conf to set:

          AS_ADMIN_PROFILE=enterprise

   c. Edit asenv.conf (asenv.bat for Windows) to set:

          AS_NSS=AS_HOME\lib

      (replacing AS_HOME with the glassfish home directory, as asenv.conf may not identify the AS_HOME environment variable),

          AS_NSS_BIN=C:\Mozilla\nss-3.12.4\bin

      and

          AS_ACC_CONFIG=AS_HOME\domains\nssdomain\config\sun-acc.xml

      (nssdomain can be replaced with the domain name that you choose).

      Change the following line:

          set AS_ICU_LIB=C:\Sun\AppServer\bin

      to

          set AS_ICU_LIB=C:\Sun\AppServer\bin;C:\Sun\AppServer\lib

   d. Edit the asant.bat file (in %AS_HOME%\bin) in a text editor and add %AS_NSS% to the ANT_OPTS java.library.path. You should already have something like the following:

          "-Djava.library.path=%AS_INSTALL%\lib;%AS_ICU_LIB%;%AS_NSS%"

      If %AS_NSS% is not present, add it.

   e. Edit the asadmin.bat file (in %AS_HOME%\bin) in a text editor and add %AS_ICU_LIB%;%AS_NSS% to the Path and to the java command. A sample is given below:

          set Path=%AS_INSTALL%\bin;%AS_ICU_LIB%;%AS_NSS%;%PATH%

          "%AS_JAVA%\bin\java" -Dcom.sun.aas.instanceName=server -Djava.library.path="%AS_INSTALL%\bin";"%AS_ICU_LIB%";"%AS_NSS%" -Dcom.sun.aas.configRoot="%AS_CONFIG%"

2. Create the domain.

   a. From a new command prompt, add the glassfish lib to the path:

          set Path=%AS_HOME%\lib;%AS_HOME%\bin;%PATH%

   b. Create the domain, remember the password (adminadmin) and accept the default for the master password:

          asadmin create-domain --adminport 4848 --user admin nssdomain

      REPORTS:

          Using port 4848 for Admin.
          Using default port 8080 for HTTP Instance.
          Using default port 7676 for JMS.
          Using default port 3700 for IIOP.
          Using default port 8181 for HTTP_SSL.
          Using default port 3820 for IIOP_SSL.
          Using default port 3920 for IIOP_MUTUALAUTH.
          Using default port 8686 for JMX_ADMIN.
          Domain being created with profile:enterprise, as specified by variable AS_ADMIN_PROFILE in configuration file.
          Security Store uses: NSS
          Domain nssdomain created


3. Verify the default NSS stores.

   a. List the PKCS #11 modules:

          C:\Mozilla\nss-3.12.4\bin\modutil -list -dbdir %AS_HOME%\domains\nssdomain\config

      REPORTS:

          Listing of PKCS #11 Modules
          -----------------------------------------------------------
          1. NSS Internal PKCS #11 Module
          slots: 2 slots attached
          status: loaded
          slot: NSS Internal Cryptographic Services
          token: NSS Generic Crypto Services
          slot: NSS User Private Key and Certificate Services
          token: NSS Certificate DB
          -----------------------------------------------------------

   b. List the certificates:

          C:\Mozilla\nss-3.12.4\bin\certutil -L -d %AS_HOME%\domains\nssdomain\config

      Contents may vary according to system, but should include s1as.

      REPORTS:

          verisignclass1ca                   T,c,c
          thawtepersonalpremiumca            T,c,c
          baltimorecodesigningca             T,c,c
          verisignclass2g2ca                 T,c,c
          verisignclass3g3ca                 T,c,c
          entrustglobalclientca              T,c,c
          entrustsslca                       T,c,c
          verisignclass3g2ca                 T,c,c
          thawtepremiumserverca              TG,c,c
          entrust2048ca                      T,c,c
          valicertclass2ca                   T,c,c
          gtecybertrust5ca                   T,c,c
          equifaxsecureebusinessca1          T,c,c
          verisignclass1g3ca                 T,c,c
          godaddyclass2ca                    T,c,c
          thawtepersonalbasicca              T,c,c
          verisignclass1g2ca                 T,c,c
          verisignclass2g3ca                 T,c,c
          equifaxsecureca                    T,c,c
          entrustclientca                    T,c,c
          verisignserverca                   TG,c,c
          geotrustglobalca                   T,c,c
          equifaxsecureebusinessca2          T,c,c
          s1as                               u,u,u
          verisignclass3ca                   TG,c,c
          verisignclass2ca                   T,c,c
          gtecybertrustglobalca              TG,c,c
          entrustgsslca                      T,c,c
          thawtepersonalfreemailca           T,c,c
          thawteserverca                     TG,c,c
          baltimorecybertrustca              T,c,c
          starfieldclass2ca                  T,c,c
          equifaxsecureglobalebusinessca1    T,c,c

5.3.3 Load Trusted Certificates into NSS Stores and Set FIPS Mode

1. Obtain certificates by following the Create and Use Self-Signed Certificates procedure (Appendix A) or by requesting an NHIN certificate from the NHIN Certificate Authority. The JKS keystores in a previous domain would have been set up for use by the CONNECT NHIN Gateway in creating and verifying exchanged certificates.

2. These created certificates now need to be added to the NSS stores. The steps to perform this import are included in section 6.0. If a certificate request has been generated directly from the NSS stores, this import from the JKS stores is not necessary.

3. Set the FIPS mode (it will ask that you exit the browser here):

       C:\Mozilla\nss-3.12.4\bin\modutil -fips true -dbdir %AS_HOME%\domains\nssdomain\config

   REPORTS:

       WARNING: Performing this operation while the browser is running could cause
       corruption of your security databases. If the browser is currently running,
       you should exit browser before continuing this operation. Type
       'q <enter>' to abort, or <enter> to continue:

       Using database directory ....
       FIPS mode enabled.

4. Verify the contents as:

       C:\Mozilla\nss-3.12.4\bin\modutil -list -dbdir %AS_HOME%\domains\nssdomain\config

   REPORTS:

       Listing of PKCS #11 Modules
       -----------------------------------------------------------
       1. NSS Internal FIPS PKCS #11 Module
       slots: 1 slot attached
       status: loaded
       slot: NSS FIPS 140-2 User Private Key Services
       token: NSS FIPS 140-2 Certificate DB
       -----------------------------------------------------------
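
The two verification steps above (the certutil listing in section 5.3.2 and the modutil listing in section 5.3.3) can be checked by script instead of by eye. The following Python is an added example, not part of the CONNECT manual or its tooling; the function names are hypothetical and the sample outputs are constructed in the shape of the listings shown in this manual.

```python
import re

# Constructed samples in the shape of the `modutil -list` output shown in this
# manual, before and after `modutil -fips true`.
MODUTIL_DEFAULT = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------
"""
MODUTIL_FIPS = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal FIPS PKCS #11 Module
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
"""
# Constructed excerpt of a `certutil -L` listing (nickname, then trust flags).
CERTUTIL_LIST = """\
verisignclass1ca                                             T,c,c
thawtepremiumserverca                                        TG,c,c
s1as                                                         u,u,u
"""

MODULE_LINE = re.compile(r"^(\d+)\.\s+(.*)$")
TRUST_LINE = re.compile(r"^(\S.*?)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)$")


def parse_modutil_list(text):
    """Return [{'name', 'status', 'slots': [(slot, token), ...]}, ...]."""
    modules, current, pending_slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_LINE.match(line)
        if m:  # "1. NSS Internal ... Module" starts a new module record
            current = {"name": m.group(2), "status": None, "slots": []}
            modules.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "status":
            current["status"] = value
        elif key == "slot":
            pending_slot = value
        elif key == "token" and pending_slot is not None:
            current["slots"].append((pending_slot, value))
            pending_slot = None
    return modules


def fips_mode_enabled(text):
    """True only if the single internal module is the loaded FIPS module."""
    internal = [m for m in parse_modutil_list(text)
                if m["name"].startswith("NSS Internal")]
    if len(internal) != 1:
        return False
    mod = internal[0]
    return ("FIPS" in mod["name"]
            and mod["status"] == "loaded"
            and len(mod["slots"]) > 0
            and all(tok.startswith("NSS FIPS 140-2") for _, tok in mod["slots"]))


def parse_certutil_list(text):
    """Map nickname -> (ssl, email, object-signing) trust flags."""
    certs = {}
    for raw in text.splitlines():
        m = TRUST_LINE.match(raw.strip())
        if m:  # header lines carry no flag triple and are skipped
            certs[m.group(1)] = m.groups()[1:]
    return certs


def nicknames_with_private_key(text):
    """certutil shows 'u' for certificates whose private key is in the store."""
    return sorted(name for name, (ssl, _, _) in parse_certutil_list(text).items()
                  if "u" in ssl)


if __name__ == "__main__":
    print("FIPS before:", fips_mode_enabled(MODUTIL_DEFAULT))
    print("FIPS after: ", fips_mode_enabled(MODUTIL_FIPS))
    print("keyed certs:", nicknames_with_private_key(CERTUTIL_LIST))
```

In practice the two strings would be the captured output of the modutil and certutil commands given in the steps above.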

5.3.4 Configure Glassfish to Use the NSS Stores

1. Create an NSS configuration file %AS_HOME%\domains\nssdomain\config\nss.cfg containing:

       name=NSS
       nssLibraryDirectory=%AS_HOME%\lib
       nssSecmodDirectory=%AS_HOME%\domains\nssdomain\config
       nssModule=fips
       showInfo=true
       nssUseSecmod=true
       disabledMechanisms = {
         CKM_MD2_RSA_PKCS
         CKM_MD5_RSA_PKCS
         CKM_DSA_KEY_PAIR_GEN
         CKM_EC_KEY_PAIR_GEN
         CKM_RC2_KEY_GEN
         CKM_RC2_ECB
         CKM_RC2_CBC
         CKM_RC2_MAC
         CKM_RC2_MAC_GENERAL
         CKM_RC2_CBC_PAD
         CKM_RC4_KEY_GEN
         CKM_RC4
         CKM_DES_KEY_GEN
         CKM_DES_ECB
         CKM_DES_CBC
         CKM_DES_MAC
         CKM_DES_MAC_GENERAL
         CKM_DES_CBC_PAD
         CKM_DES2_KEY_GEN
         CKM_DES3_KEY_GEN
         CKM_DES3_MAC
         CKM_DES3_MAC_GENERAL
         CKM_CDMF_KEY_GEN
         CKM_CDMF_ECB
         CKM_CDMF_CBC
         CKM_CDMF_MAC
         CKM_CDMF_MAC_GENERAL
         CKM_CDMF_CBC_PAD
         CKM_AES_KEY_GEN
         CKM_AES_MAC
         CKM_AES_MAC_GENERAL
         CKM_MD2
         CKM_MD2_HMAC
         CKM_MD2_HMAC_GENERAL
         CKM_MD5
         CKM_MD5_HMAC
         CKM_MD5_HMAC_GENERAL
         CKM_SSL3_KEY_AND_MAC_DERIVE
         CKM_SSL3_MD5_MAC
         CKM_SSL3_SHA1_MAC
         CKM_MD5_KEY_DERIVATION
         CKM_MD2_KEY_DERIVATION
         CKM_PBE_MD2_DES_CBC
         CKM_PBE_MD5_DES_CBC
         CKM_PBE_SHA1_DES3_EDE_CBC
         CKM_PBE_SHA1_DES2_EDE_CBC
         CKM_PBE_SHA1_RC2_40_CBC
         CKM_PBE_SHA1_RC2_128_CBC
         CKM_PBE_SHA1_RC4_40
         CKM_PBE_SHA1_RC4_128
         CKM_PBA_SHA1_WITH_SHA1_HMAC
       }

   For nssLibraryDirectory, please use the actual absolute path instead of environment variables.

2. Modify the domain.xml file to use the NSS certificates.

   a. There are two instances of "</security-service>". Before each instance add this line:

          <property name="NSS Certificate DB" value="${com.sun.aas.instanceRoot}/config/nss.cfg"/>

   b. One can also change the logging level on <module-log-levels> security to "FINE" instead of "INFO" (this is an optional step and only required for additional debug with regards to security issues).

   c. To turn off the security manager, comment out or remove this line:

          <!-- <jvm-options>-Djava.security.manager</jvm-options> -->

   d. There are two areas now to specify jvm-options for NHIN. Verify that all occurrences of s1as have been changed to refer to the self-signed certificate or the NHIN certificate. Make sure the <jvm-options> in domain.xml look like the <jvm-options> shown below.


          <!-- NHIN -->
          <jvm-options>-Xmx1320m</jvm-options>
          <jvm-options>-XX:MaxPermSize=128m</jvm-options>
          <jvm-options>-XX:PermSize=128m</jvm-options>
          <jvm-options>-Dcom.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace=false</jvm-options>
          <jvm-options>-Dxml.catalog.ignoreMissing=true</jvm-options>
          <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=internal</jvm-options>
          <jvm-options>-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true</jvm-options>
          <jvm-options>-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true</jvm-options>
          <jvm-options>-Djavax.enterprise.resource.xml.webservices.security.level=FINE</jvm-options>
          <jvm-options>-Djavax.enterprise.resource.webservices.jaxws=FINE</jvm-options>
          <jvm-options>-Dcom.sun.jbi.httpbc.enableClientAuth=true</jvm-options>
          <jvm-options>-Djavax.net.ssl.keyStoreType=PKCS11</jvm-options>
          <jvm-options>-Djavax.net.ssl.keyStore=NONE</jvm-options>
          <jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
          <jvm-options>-Djavax.net.ssl.trustStoreType=PKCS11</jvm-options>
          <jvm-options>-Djavax.net.ssl.trustStore=NONE</jvm-options>
          <jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
          <jvm-options>-DSERVER_KEY_ALIAS=internal</jvm-options>
          <jvm-options>-DCLIENT_KEY_ALIAS=internal</jvm-options>
          <jvm-options>-Dhttps.protocols=TLSv1</jvm-options>
          <jvm-options>-Dhttps.cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</jvm-options>
          <jvm-options>-Dlog4j.configuration=file:/C:/projects/NHINC/Current/Product/Production/Common/Properties/log4j.properties</jvm-options>


   e. There is an <ssl> element in the <http-listener> for each of the <config> elements. A search for "<ssl" in the domain.xml should find 1 instance in the server-config <config> element and 1 instance in the default-config <config> element. Each of these <ssl> elements should be modified to use only the TLS protocol and to define the cipher suites used.

          <ssl cert-nickname="gateway" client-auth-enabled="true" ssl2-enabled="false" ssl3-enabled="false" ssl3-tls-ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" tls-enabled="true" tls-rollback-enabled="true"/>
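
The domain.xml changes in step 2 are easy to apply to one <config> element and miss in the other. The following Python is an added example, not part of the CONNECT manual or of Glassfish; it audits every <config> for the settings this section asks for (the <ssl> protocol flags and cipher list, the PKCS11 jvm-options, the "NSS Certificate DB" property, and leftover s1as nicknames). The function names are hypothetical and the domain.xml fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# The eleven cipher suites this section lists for <ssl> and https.cipherSuites.
ALLOWED_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
} | {
    f"TLS_{kx}_WITH_{cipher}_SHA"
    for kx in ("ECDH_ECDSA", "ECDHE_ECDSA", "ECDH_RSA", "ECDHE_RSA")
    for cipher in ("3DES_EDE_CBC", "AES_128_CBC")
}

# jvm-options values taken from the list in step 2(d).
REQUIRED_JVM_OPTIONS = {
    "javax.net.ssl.keyStoreType": "PKCS11",
    "javax.net.ssl.keyStore": "NONE",
    "javax.net.ssl.trustStoreType": "PKCS11",
    "javax.net.ssl.trustStore": "NONE",
    "https.protocols": "TLSv1",
}

# Constructed sample: server-config follows this section, default-config does not.
SAMPLE_DOMAIN_XML = """<domain><configs>
<config name="server-config">
  <http-service><http-listener id="http-listener-2" port="8181">
    <ssl cert-nickname="gateway" client-auth-enabled="true" ssl2-enabled="false"
         ssl3-enabled="false" tls-enabled="true" tls-rollback-enabled="true"
         ssl3-tls-ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA, +TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA "/>
  </http-listener></http-service>
  <java-config>
    <jvm-options>-Djavax.net.ssl.keyStoreType=PKCS11</jvm-options>
    <jvm-options>-Djavax.net.ssl.keyStore=NONE</jvm-options>
    <jvm-options>-Djavax.net.ssl.trustStoreType=PKCS11</jvm-options>
    <jvm-options>-Djavax.net.ssl.trustStore=NONE</jvm-options>
    <jvm-options>-Dhttps.protocols=TLSv1</jvm-options>
  </java-config>
  <security-service>
    <property name="NSS Certificate DB" value="${com.sun.aas.instanceRoot}/config/nss.cfg"/>
  </security-service>
</config>
<config name="default-config">
  <http-service><http-listener id="http-listener-2" port="8181">
    <ssl cert-nickname="s1as" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true"
         ssl3-tls-ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+SSL_RSA_WITH_RC4_128_MD5"/>
  </http-listener></http-service>
  <java-config>
    <jvm-options>-Djavax.net.ssl.keyStoreType=JKS</jvm-options>
    <jvm-options>-Djavax.net.ssl.keyStore=NONE</jvm-options>
    <jvm-options>-Djavax.net.ssl.trustStoreType=PKCS11</jvm-options>
    <jvm-options>-Djavax.net.ssl.trustStore=NONE</jvm-options>
    <jvm-options>-Dhttps.protocols=TLSv1</jvm-options>
  </java-config>
  <security-service/>
</config>
</configs></domain>"""


def audit_config(config):
    """Return a list of findings for one <config> element."""
    findings = []
    for ssl in config.iter("ssl"):
        for attr, want in (("ssl2-enabled", "false"), ("ssl3-enabled", "false"),
                           ("tls-enabled", "true")):
            if ssl.get(attr) != want:
                findings.append(f"<ssl> {attr}={ssl.get(attr)!r}, expected {want!r}")
        items = [c.strip() for c in (ssl.get("ssl3-tls-ciphers") or "").split(",")]
        enabled = [c[1:].strip() for c in items if c.startswith("+")]
        if not enabled:
            findings.append("<ssl> has no explicit ssl3-tls-ciphers list")
        for suite in enabled:
            if suite not in ALLOWED_SUITES:
                findings.append(f"<ssl> enables unlisted cipher suite {suite}")
        if ssl.get("cert-nickname") == "s1as":
            findings.append("<ssl> still uses the default s1as certificate")
    options = {}
    for opt in config.iter("jvm-options"):
        text = (opt.text or "").strip()
        if text.startswith("-D") and "=" in text:
            key, _, value = text[2:].partition("=")
            options[key] = value
    for key, want in REQUIRED_JVM_OPTIONS.items():
        if options.get(key) != want:
            findings.append(f"jvm-options {key}={options.get(key)!r}, expected {want!r}")
    for service in config.iter("security-service"):
        names = {p.get("name") for p in service.findall("property")}
        if "NSS Certificate DB" not in names:
            findings.append('security-service lacks the "NSS Certificate DB" property')
    return findings


def audit_domain(xml_text):
    """Map each <config> name to its list of findings (empty list = as documented)."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): audit_config(c) for c in root.iter("config")}


if __name__ == "__main__":
    for name, findings in audit_domain(SAMPLE_DOMAIN_XML).items():
        print(name, "OK" if not findings else findings)
```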




5.3.5 Deploy CONNECT Applications to nssdomain

Deploy (http://developer.connectopensource.org/display/NHINR30/Installations) the applications to nssdomain (or the new domain name chosen in section 5.3.2) either using ant scripts or through the NetBeans IDE.

1. To use the ant script to deploy the applications to nssdomain instead of domain1, modify C:\projects\NHINC\Current\Product\Install\settings.xml to set:

       <property name="deployment.glassfish.domain.name" value="nssdomain"/>

   NOTE: For a binary install, modify c:\NHINC\settings.xml

2. To see this instance in the NetBeans IDE:

   a. Go to the Services tab.

   b. Remove the domain1 service.

   c. Click on Servers to "Add Server".

   d. Name the new instance Glassfish V2 (NSS).

   e. Select "Register Local Default Domain", set the port 4848 and nssdomain, and select the Enterprise profile.

5.3.6 Verify Whether Glassfish is Running with NSS Keystores

Open the Glassfish admin console using http://<host-name>:4848 and then accept the certificate. At this time one should be able to view the certificate they have added to the NSS keystores.

Another way to validate the above steps is to open the Universal Client web application in a browser and verify the certificate used. The construction of the SAML assertion header can be validated through viewing the server.log when any secure communication is invoked. The Universal Client's subject discovery feature invokes one such communication and can be used to test the construction and extraction of the SAML information while using the new NSS stores.

6.0 IMPORT CERTIFICATES TO NSS

Given that previous JKS stores are in use, use the procedures in sections 6.1 through 6.5 to export desired certificates and import them into the NSS stores for use in the Glassfish Enterprise profile.

6.1 Prerequisites

Obtain the following required software:

1. Download keyexport.zip and expand it into the C:\keyexport directory.

2. Download and install Visual C++ 2008 Redistributables from http://www.slproweb.com/products/Win32OpenSSL.html

3. Download and install Win32 OpenSSL v0.9.8l from http://www.slproweb.com/products/Win32OpenSSL.html to C:\openssl



6.2 Transfer of the Certificates

If following the instructions on creating self-signed certificates, one will need the "internal" certificate from the internal.jks and the trusted certificate from the machine intended to be communicated with. In the interchange scenario given in Appendix A this was given the alias name "SC075254". The procedure to transfer is slightly different for each, in that the self-certificate has an associated private key whereas the trusted-other-certificate does not.

6.3 Self-Certificate

6.3.1 Export DER encoded certificates from existing JKS stores

The X.509 certificates existing in the JKS keystores can be exported in DER (Distinguished Encoding Rules) Encoded Binary formats.

- Export the Self-Certificate

      keytool -export -file internal.der -keystore internal.jks -storepass changeit -alias internal

6.3.2 Transform into PEM encoded certificates

A PEM (Privacy Enhanced Mail) certificate is a Base64 encoded DER certificate and is enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.

- Obtain the Self-Certificate PEM

      c:\openssl\bin\openssl x509 -in internal.der -inform DER -out internal.PEM -outform PEM

- Obtain the Private Key for the Self-Certificate using the KeyExport tool

      java -cp c:\keyexport\keyexport.jar com.sun.xml.wss.tools.KeyExport -keyfile internalkey.PEM -alias internal -keystore internal.jks -outform PEM -storepass changeit -keypass changeit

- Append the contents of internalkey.PEM to the internal.PEM file

6.3.3 Transform into PKCS12 formatting

PKCS #12 (Public Key Cryptography Standard #12) is an industry format that is suitable for transport of a certificate and its associated private key. It is a form of Personal Information Exchange format (PFX).

- Convert the Self-Certificate to PKCS #12 format

      c:\openssl\bin\openssl pkcs12 -export -in internal.PEM -out internal.p12 -name "internal"
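
The PKCS #12 export in section 6.3.3 depends on internal.PEM holding both the certificate and the appended private key from section 6.3.2. The following Python is an added example, not part of the CONNECT manual or of the keytool, OpenSSL or KeyExport tools; it shows the DER-to-PEM wrapping described above and checks that a combined PEM file holds exactly one certificate block and one private-key block. The function names are hypothetical, and the DER byte strings are constructed placeholders, not real certificate or key material.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed placeholders: well-formed DER SEQUENCE headers with zero content.
SAMPLE_CERT_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_KEY_DER = bytes([0x30, 0x10]) + bytes(16)


def der_to_pem(der, label="CERTIFICATE"):
    """Base64-encode DER bytes, wrap at 64 columns, add BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in the text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def looks_like_der(der):
    """True if the bytes are one DER SEQUENCE whose length covers all of them."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def ready_for_pkcs12(text):
    """True if the PEM text holds exactly one certificate and one private key."""
    blocks = pem_blocks(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    return (len(certs) == 1 and len(keys) == 1
            and all(looks_like_der(d) for d in certs + keys))


if __name__ == "__main__":
    cert_only = der_to_pem(SAMPLE_CERT_DER)
    combined = cert_only + der_to_pem(SAMPLE_KEY_DER, "PRIVATE KEY")
    print("certificate only:", ready_for_pkcs12(cert_only))
    print("certificate + key:", ready_for_pkcs12(combined))
```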



6.3.4 Import into the NSS Stores

The pk12util allows one to import certificates and keys from PKCS #12 files into NSS stores.

- Include the nss and nspr libraries placed in glassfish\lib in the path environment variable

      set Path=%AS_HOME%\lib;%PATH%

  where %AS_HOME% is the Glassfish home directory

- Import the Self-Certificate

      C:\Mozilla\nss-3.12.4\bin\pk12util -i internal.p12 -n internal -d %AS_HOME%\domains\nssdomain\config

6.4 Trusted Certificates

The procedure for transferring any trusted certificates into the NSS stores is similar to that given above for the self-certificate.

6.4.1 Export DER encoded certificates from existing JKS stores

- Export the trusted certificate

      keytool -export -file SC075254.der -keystore cacerts.jks -storepass changeit -alias SC075254

6.4.2 Transform into PEM encoded certificates

- Transform the trusted certificate into a PEM

      c:\openssl\bin\openssl x509 -in SC075254.der -inform DER -out SC075254.PEM -outform PEM

6.4.3 Import into the NSS Stores

The trusted other certificate is only composed of a certificate and is not paired with a Private Key.

The certutil can be used to add it to the NSS store.

- Import the Trusted Other Certificate

      C:\Mozilla\nss-3.12.4\bin\certutil -A -n "sc075254" -t "T,c,c" -i C:\GlassFishESB\Certificates\SC075254.PEM -d %AS_HOME%\domains\nssdomain\config

- Verify the certificate

      C:\Mozilla\nss-3.12.4\bin\certutil -L -n "sc075254" -d %AS_HOME%\domains\nssdomain\config

6.5 Engage the FIPS Mode

Using modutil, enable the FIPS 140-2 Compliance mode:

    C:\Mozilla\nss-3.12.4\bin\modutil -fips true -dbdir %AS_HOME%\domains\nssdomain\config






APPENDIX A



A.1 CREATE AND USE SELF-SIGNED CERTIFICATES

A.1.1 General Information

A digital certificate contains:

- A public key.

- The "distinguished-name" information of the entity (person, company, or so on) whose certificate it is. This entity is referred to as the certificate subject, or owner. The distinguished-name information includes the following attributes (or a subset): the entity's name, organizational unit, organization, city or locality, state or province, and country code.

- A digital signature. A certificate is signed by one entity, the issuer, to vouch for the fact that the enclosed public key is the actual public key of another entity, the owner.

- The distinguished-name information for the signer (issuer).

Sometimes a certificate is self-signed, that is, signed using the private key corresponding to the public key in the certificate; the issuer is the same as the subject. It is reasonable to self-sign a certificate if the recipient already trusts the sender.

Certificates of entities that are trusted are typically imported into the keystore as "trusted certificates." The public key in each such certificate may then be used to verify signatures generated using the corresponding private key.

For development purposes it is reasonable to interchange self-signed certificates between machines that will be hosting various Web Services that will be requested by Web Services from the other machine. To do this:

- Create the keystore for the private internal key

- Export the certificate that will authenticate the internal key

- Import the trusted certificates into the truststore

- Provide these certificates to Glassfish to use for authentication purposes

Java provides the keytool utility to assist in these operations. For full details reference the tooldocs.

A.1.2 Interchange Scenario

A machine identified as SC065633 on the cs.myharris.net hosts several Web Services. In some cases a given Web Service will need to communicate with another Web Service that is hosted on this same machine. In other cases it will need to communicate with another Web Service that is hosted on another machine known as SC075254. To establish the keystores and truststores needed to provide this flexibility, the following steps are to be taken on the given machines.



A.1.3 SC065633 - Trust Yourself

- Back up the installed versions of the cacerts.jks and the domain.xml in the C:\GlassFishESB\glassfish\domains\domain1\config directory

- Copy cacerts.jks to a work directory where the certificate set-up will be performed

- Create the internal keystore

  o   keytool -genkey -keyalg RSA -keysize 1024 -keystore internal.jks -keypass changeit -storepass changeit -validity 365 -alias internal -dname "cn=SC065633.cs.myharris.net"

- Export the certificate

  o   keytool -export -rfc -alias internal -file SC065633.cer -keystore internal.jks -keypass changeit -storepass changeit

- Import the "self" certificate into the truststore

  o   keytool -import -v -trustcacerts -alias SC065633 -file SC065633.cer -keystore cacerts.jks

A.1.4 SC075254 - Trust Yourself

- Back up the installed versions of the cacerts.jks and the domain.xml in the C:\GlassFishESB\glassfish\domains\domain1\config directory

- Copy cacerts.jks to a work directory where the certificate set-up will be performed

- Create the internal keystore

  o   keytool -genkey -keyalg RSA -keysize 1024 -keystore internal.jks -keypass changeit -storepass changeit -validity 365 -alias internal -dname "cn=SC075254.cs.myharris.net"

- Export the certificate

  o   keytool -export -rfc -alias internal -file SC075254.cer -keystore internal.jks -keypass changeit -storepass changeit

- Import the "self" certificate into the truststore

  o   keytool -import -v -trustcacerts -alias SC075254 -file SC075254.cer -keystore cacerts.jks

A.1.5 Interchange - Trust the other guy

- Copy the SC065633.cer over to the work area of SC075254

- Import this trusted certificate into the truststore

  o   keytool -import -v -trustcacerts -alias SC065633 -file SC065633.cer -keystore cacerts.jks

- Copy the SC075254.cer over to the work area of SC065633

- Import this trusted certificate into the truststore

  o   keytool -import -v -trustcacerts -alias SC075254 -file SC075254.cer -keystore cacerts.jks



A.1.6 Install the New Keystore and Truststore to Glassfish (on each SC065633 and SC075254)

- Make sure Glassfish is stopped

- Copy internal.jks and cacerts.jks from the work area over to C:\GlassFishESB\glassfish\domains\domain1\config

- Edit domain.xml to use the development certificates

  o   Find and replace - "s1as" to "internal"

  o   Indicate to use the internal.jks keystore

  o   Set up both key aliases to use the internal certificate

          <!-- Certificate configuration -->
          <jvm-options>-Dcom.sun.jbi.httpbc.enableClientAuth=true</jvm-options>
          <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=internal</jvm-options>
          <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/internal.jks</jvm-options>
          <jvm-options>-Djavax.net.ssl.keyStorePassword=changeit</jvm-options>
          <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
          <jvm-options>-Djavax.net.ssl.trustStorePassword=changeit</jvm-options>
          <jvm-options>-DSERVER_KEY_ALIAS=internal</jvm-options>
          <jvm-options>-DCLIENT_KEY_ALIAS=internal</jvm-options>

A.1.7 NSS

If running in the Enterprise profile of Glassfish, or if there is a need for FIPS compliant stores, these certificates will need to reside in NSS stores. See section 6.0 of this document.