Bug 957026

Summary: [Doc Bug Fix] Info how to enable FIPS in Apache HTTPd server is missing
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Pavel Janousek <pjanouse>
Component: Documentation
Assignee: Nidhi <nsriniva>
Status: CLOSED CURRENTRELEASE
QA Contact: Michal Karm Babacek <mbabacek>
Severity: high
Priority: unspecified
Version: 6.1.0
CC: jcacek, mbabacek, nsriniva, smumford, twells
Target Milestone: ER8
Keywords: Documentation
Target Release: EAP 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Environment: Instance Name: Not Defined; Build: CSProcessor Builder Version 1.8; Build Name: 11865, Administration and Configuration Guide-6.1-3; Build Date: 19-04-2013 15:35:25
Last Closed: 2014-08-06 14:39:42 UTC
Type: Bug
Bug Depends On: 957014

Description Pavel Janousek 2013-04-26 08:13:06 UTC
Title: Enable FIPS 140-2 Cryptography for SSL on Red Hat Enterprise Linux 6

Describe the issue:
This chapter describes how to enable FIPS in the HTTPS WebConnector etc., but even after I followed these steps and tried to start the Apache HTTPd server, I can see "SSL FIPS mode disabled" in error_log, so obviously there is some missing part for enabling FIPS in Apache HTTPd.

Suggestions for improvement:
Add a description of how to enable FIPS in the Apache HTTPd server.

Comment 8 Pavel Janousek 2014-05-23 10:08:28 UTC
FIPS is supported in EAP, so it should be documented how to enable/configure it.

However it seems it is broken now (see BZ#1086412).

Comment 10 Pavel Janousek 2014-06-19 11:58:25 UTC
Hi Nidhi,

I don't test these features, so I can't answer this question by myself.

I'm forwarding your questions to our security expert Josef.

@Josef
Could you take a look and answer the question from Nidhi's comment 9 please?

Comment 11 Josef Cacek 2014-06-23 11:08:34 UTC
Sorry, I don't have experience with natives in this area.

Michal, do you have some answers/advice?

Comment 12 Michal Karm Babacek 2014-06-24 09:29:10 UTC
Hi Josef, Nidhi, Pavel,

Regarding documentation (relevant to this bugzilla)
-----------------------

The FIPS regime is enabled by adding the

    SSLFIPS on

directive to the Apache HTTP Server configuration, e.g. to ssl.conf or httpd.conf (must be outside VirtualHost configuration).

The result in the Apache HTTP Server error_log:

    [notice] Operating in SSL FIPS mode

(verified with EAP 6.3.0.ER7 Apache HTTP Server zip distribution)


Regarding some FIPS related bugs (not relevant for this bugzilla)
--------------------------------

I have the same problem on RHEL7 as it's described here [1], i.e.

    [error] SSL Library Error: 755449965 error:2D07406D:FIPS routines:RSA_BUILTIN_KEYGEN:invalid key length

I'll take a look at it and eventually clone the bugzilla. I might have an old RHEL7 instance...

On RHEL6, it works just fine for me.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1071292

Comment 13 Michal Karm Babacek 2014-06-24 09:31:04 UTC
I don't know whether we could assume it to be obvious, but one has to have a FIPS-capable OpenSSL installed...

Comment 16 Michal Karm Babacek 2014-06-26 10:40:40 UTC
Thanks for the update.
There is a small bug:

    Apache HTTP server configuration files: httpd.conf and ssl.conf. 

should be rather something like:

    Apache HTTP server configuration file: httpd.conf or ssl.conf. 

Explanation:

It actually does not matter where it is. To have it in _both_ files is wrong though. IMHO ssl.conf would actually be a good practice for this directive.
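
A configuration check based on comments 12 and 16 above, added here as an example and not part of the bug report or the EAP documentation: it flags SSLFIPS placed inside a VirtualHost section, set in more than one file, or missing, and looks for the startup notice in error_log. The file contents, log line and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the bug report).
HTTPD_CONF = "ServerName www.example.test\nSSLFIPS on\n"
SSL_CONF = "Listen 443\n<VirtualHost _default_:443>\n  SSLEngine on\n  SSLFIPS on\n</VirtualHost>\n"
ERROR_LOG = "[Tue Jun 24 09:29:10 2014] [notice] Operating in SSL FIPS mode\n"

VHOST_OPEN = re.compile(r"<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
SSLFIPS = re.compile(r"SSLFIPS\s+(\S+)", re.I)  # directive names are case-insensitive


def find_sslfips(name, text):
    """Return (file, line_no, value, inside_vhost) for each SSLFIPS directive."""
    hits, in_vhost = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        if VHOST_OPEN.match(line):
            in_vhost = True
        elif VHOST_CLOSE.match(line):
            in_vhost = False
        else:
            m = SSLFIPS.match(line)
            if m:
                hits.append((name, no, m.group(1).lower(), in_vhost))
    return hits


def audit(configs):
    """configs maps file name -> contents; returns a list of findings."""
    hits = [h for name, text in configs.items() for h in find_sslfips(name, text)]
    findings = [f"{f}:{n}: SSLFIPS inside <VirtualHost>" for f, n, _, v in hits if v]
    enabled = {f for f, _, val, v in hits if val == "on" and not v}
    if not enabled:
        findings.append("no global 'SSLFIPS on' found")
    if len({f for f, *_ in hits}) > 1:
        findings.append("SSLFIPS set in more than one file")
    return findings


def fips_mode_logged(error_log):
    """True if the startup notice quoted in comment 12 appears in the log."""
    return "Operating in SSL FIPS mode" in error_log


if __name__ == "__main__":
    print(audit({"httpd.conf": HTTPD_CONF, "ssl.conf": SSL_CONF}))
    print(fips_mode_logged(ERROR_LOG))
```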

Comment 19 Michal Karm Babacek 2014-07-04 07:31:06 UTC
Looks good to me.