Bug 957026 - [Doc Bug Fix] Info how to enable FIPS in Apache HTTPd server is missing
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ER8
Target Release: EAP 6.3.0
Assignee: Nidhi
QA Contact: Michal Karm Babacek
URL:
Whiteboard:
Depends On: 957014
Blocks:
Reported: 2013-04-26 08:13 UTC by Pavel Janousek
Modified: 2015-02-20 10:22 UTC

Fixed In Version:
Clone Of:
Environment:
Instance Name: Not Defined Build: CSProcessor Builder Version 1.8 Build Name: 11865, Administration and Configuration Guide-6.1-3 Build Date: 19-04-2013 15:35:25
Last Closed: 2014-08-06 14:39:42 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1086412 0 unspecified CLOSED SSLFIPS option does not operate the same as RHEL httpd 2021-02-22 00:41:40 UTC

Internal Links: 1086412

Description Pavel Janousek 2013-04-26 08:13:06 UTC
Title: Enable FIPS 140-2 Cryptography for SSL on Red Hat Enterprise Linux 6

Describe the issue:
This chapter describes how to enable FIPS in the HTTPS WebConnector etc., but even though I followed these steps, after I tried to start the Apache HTTPd server I can see "SSL FIPS mode disabled" in error_log, so obviously there is some missing part for enabling FIPS in Apache HTTPd.

Suggestions for improvement:
Add a description of how to enable FIPS in the Apache HTTPd server.

Comment 8 Pavel Janousek 2014-05-23 10:08:28 UTC
FIPS is supported in EAP, so it should be documented how to enable/configure it.

However it seems it is broken now (see BZ#1086412).

Comment 10 Pavel Janousek 2014-06-19 11:58:25 UTC
Hi Nidhi,

I don't test these features, so I can't answer this question by myself.

I'm forwarding your questions to our security expert Josef.

@Josef
Could you take a look and answer the question from Nidhi's comment 9 please?

Comment 11 Josef Cacek 2014-06-23 11:08:34 UTC
Sorry, I don't have experience with natives in this area.

Michal, do you have some answers/advice?

Comment 12 Michal Karm Babacek 2014-06-24 09:29:10 UTC
Hi Josef, Nidhi, Pavel,

Regarding documentation (relevant to this bugzilla)
-----------------------

the FIPS regime is enabled by adding

    SSLFIPS on

directive to the Apache HTTP Server configuration, e.g. to ssl.conf or httpd.conf (must be outside VirtualHost configuration).

The result in the Apache HTTP Server error_log:

    [notice] Operating in SSL FIPS mode

(verified with EAP 6.3.0.ER7 Apache HTTP Server zip distribution)


Regarding some FIPS related bugs (not relevant for this bugzilla)
--------------------------------

I have the same problem on RHEL7 as it's described here [1], i.e.
[error] SSL Library Error: 755449965 error:2D07406D:FIPS routines:RSA_BUILTIN_KEYGEN:invalid key length
I'll take a look at it and eventually clone the bugzilla. I might have an old RHEL7 instance... 

On RHEL6, it works just fine for me.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1071292

Comment 13 Michal Karm Babacek 2014-06-24 09:31:04 UTC
I don't know whether we could assume it being obvious, but one has to have FIPS capable OpenSSL installed....

Comment 16 Michal Karm Babacek 2014-06-26 10:40:40 UTC
Thanks for the update.
There is a small bug:

    Apache HTTP server configuration files: httpd.conf and ssl.conf. 

should be rather something like:

    Apache HTTP server configuration file: httpd.conf or ssl.conf. 

Explanation:

It actually does not matter where it is. To have it in _both_ files is wrong though. IMHO ssl.conf would actually be a good practice for this directive.
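
A configuration check based on comments 12 and 16, as an added example that is not part of the original thread or of the EAP documentation: it flags SSLFIPS inside a VirtualHost block, SSLFIPS on set in more than one file, and an error_log whose most recent FIPS message is not the expected notice. The function names, sample file contents and sample log lines are constructed for illustration, and the script assumes the configuration text has already been read in (it does not follow Include directives).

```python
import re

# Directive name and log messages are the ones quoted in the comments above.
DIRECTIVE = re.compile(r"^\s*SSLFIPS\s+(on|off)\s*$", re.IGNORECASE)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.IGNORECASE)

# Constructed sample input (not taken from a real server).
SAMPLE_OK = {"httpd.conf": "Listen 443\n",
             "ssl.conf": "SSLFIPS on\n<VirtualHost _default_:443>\n"
                         "SSLEngine on\n</VirtualHost>\n"}
SAMPLE_BAD = {"httpd.conf": "SSLFIPS on\n",
              "ssl.conf": "<VirtualHost _default_:443>\nSSLFIPS on\n</VirtualHost>\n"}


def find_sslfips(text):
    """Yield (line_no, value, inside_vhost) for each active SSLFIPS directive."""
    depth = 0
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not count
        if VHOST_OPEN.match(line):
            depth += 1
        elif VHOST_CLOSE.match(line):
            depth = max(depth - 1, 0)
        elif (m := DIRECTIVE.match(line)):
            yield no, m.group(1).lower(), depth > 0


def audit(configs, error_log):
    """configs maps file name to contents; returns findings (empty list = OK)."""
    findings, files_on = [], set()
    for name, text in configs.items():
        for no, value, in_vhost in find_sslfips(text):
            if in_vhost:
                findings.append(f"{name}:{no}: SSLFIPS inside <VirtualHost>")
            elif value == "on":
                files_on.add(name)
    if not files_on:
        findings.append("no server-level 'SSLFIPS on' found")
    elif len(files_on) > 1:
        findings.append("SSLFIPS on set in more than one file: "
                        + ", ".join(sorted(files_on)))
    # Only the most recent FIPS message reflects the current start.
    fips = [l for l in error_log.splitlines() if "SSL FIPS mode" in l]
    if not fips or "Operating in SSL FIPS mode" not in fips[-1]:
        findings.append("latest start did not log 'Operating in SSL FIPS mode'")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_OK, "[notice] Operating in SSL FIPS mode\n"))
    print(audit(SAMPLE_BAD, "[notice] SSL FIPS mode disabled\n"))
```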

Comment 19 Michal Karm Babacek 2014-07-04 07:31:06 UTC
Looks good to me.

