
List of attachments

|| Kind || Attachment Name || Size || Version || Date Modified || Author || Change note
| png | Fips.png | 442.4 kB | 1 | 05-Dec-2023 05:32 | Halmágyi Árpád | 

This page (revision-13) was last changed on 05-Dec-2023 05:32 by Ben Spink

This page was created on 05-Dec-2023 05:32 by Halmágyi Árpád


Difference between version and

At line 1 changed one line
This will guide will cover 64 bit Linux installation only.
This guide will cover 64 bit Linux installation only.
At line 3 changed one line
1.) First update the repo cache, then install the NSS package on the host
!!1.) First update the repo cache, then install the NSS package on the host
At line 6 added one line
{{{
At line 9 added one line
}}}
At line 12 added one line
{{{
At line 15 added one line
}}}
At line 13 changed one line
2.) Create the FIPS-140 compliant PKCS-11 cryto provider and security token
!!2.) Create the FIPS-140 compliant PKCS-11 cryto provider and security token
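Review bot: "cryto" in the new heading is a typo for "crypto" that survived the rewrite; also settle on one spelling of the standard, since this heading says "PKCS-11" while the keystore instructions further down tell the admin to type the literal "PKCS11". Suggested: `!!2.) Create the FIPS-140 compliant PKCS#11 crypto provider and security token`.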
At line 17 changed one line
{{{
At line 24 added one line
}}}
At line 22 changed one line
{{{
At line 24 changed one line
}}}
At line 26 changed one line
{{{
At line 28 changed one line
}}}
At line 30 changed one line
{{{
At line 40 added one line
}}}
At line 36 changed one line
On Debian/Ubuntu the NSS libraries are located at /usr/lib/x86_64-linux-gnu/nss
On Debian/Ubuntu the NSS libraries are located at /usr/lib/x86_64-linux-gnu/nss. It may be different on various versions of same operating system, best to locate the "libnss3.so" kernal module , the "nssLibraryDirectory" path has to point to it's parent directory.
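Review bot: libnss3.so is a user-space shared library, not a kernel module, so "kernal module" should read "shared library"; "it's parent directory" should be "its parent directory". Rather than "best to locate", give the reader the lookup, e.g. `ldconfig -p | grep libnss3` or `find / -name libnss3.so 2>/dev/null`, and say explicitly that `nssLibraryDirectory` is the SunPKCS11 attribute in the .cfg file created in this step, so that a wrong directory is recognised when the SunPKCS11 provider fails to load rather than being mistaken for a certificate problem.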
At line 39 changed one line
{{{
At line 41 changed one line
}}}
At line 45 changed one line
{{{
At line 47 changed one line
}}}
At line 50 changed one line
3.) Import or issue FIPS-140 compliant certificate
!!3.) Import or issue FIPS-140 compliant certificate
At line 52 changed one line
Certutil allows any regular PKI operations to generate key pair and issue certs, import, etc. By this example will just import from a PKCS12 cert store, most real life-like scenario, for an existing cert
If you have a JKS keystore, convert it first to a p12 formatted keystore.
{{{
/var/opt/CrushFTP10/Java/bin/keytool -importkeystore -srckeystore intranet_local.jks -destkeystore intranet_local.p12 -srcstoretype JKS -deststoretype PKCS12
}}}
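Review bot: the "Certutil allows any regular PKI operations..." paragraph in this hunk is repeated verbatim by the hunk added at line 63, so the new revision carries it twice; keep one copy and tidy it ("In this example we just import an existing certificate from a PKCS12 store, the most common real-life scenario"). The keytool path here (/var/opt/CrushFTP10/Java/bin/keytool) should match the install path used elsewhere on the page, since a later hunk still refers to /var/opt/CrushFTP8_PC/. Worth adding: keytool prompts for both the source and destination store passwords, and the resulting .p12 holds the private key, so restrict its permissions and remove it once it has been imported into the NSS token.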
At line 63 added 2 lines
Certutil allows any regular PKI operations to generate key pair and issue certs, import, etc. By this example will just import from a PKCS12 cert store, most real life-like scenario, for an existing cert
{{{
At line 55 changed one line
}}}
At line 59 changed one line
{{{
At line 73 added one line
}}}
At line 63 changed one line
4.) Configure Java crypto bridge for FIPS-140 mode
!!4.) Configure Java crypto bridge for FIPS-140 mode
At line 66 changed one line
{{{
At line 80 added one line
}}}
At line 69 changed one line
Find this line
For Java 11+:
{{{
vi /var/opt/CrushFTP10/Java/conf/security/java.security
}}}
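Review bot: this hunk gives the java.security location only for "Java 11+" (.../Java/conf/security/java.security), while the hunk below still describes a Java 8 provider list; on Java 8 the file lives under jre/lib/security/java.security, so either state both paths or drop the Java 8 branch. Consider recommending an override file via `-Djava.security.properties=/path/to/fips.security` instead of editing the JDK's own java.security, which is replaced on every Java update and would silently drop the SunPKCS11 entries.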
At line 87 added 2 lines
Find this line
{{{
At line 90 added 2 lines
}}}
For Java 8, edit the crypto provider list to be:
At line 73 changed 2 lines
edit the crypto provider list to be:
{{{
At line 105 added one line
}}}
At line 107 added 5 lines
For Java 11+, add these at the end, replacing the #12 item with this one, plus add #13:
{{{
security.provider.12=SunPKCS11 /var/opt/nss/nss_pkcsll_fips.cfg
security.provider.13=SunPKCS11-NSScrypto
}}}
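Review bot: "nss_pkcsll_fips.cfg" in the security.provider.12 line reads as "pkcs" followed by two lowercase L's; if the file created in step 2 is named nss_pkcs11_fips.cfg this is a typo that makes the provider fail to load. The second line, `security.provider.13=SunPKCS11-NSScrypto`, has the form of the provider's runtime name (SunPKCS11-<name from the .cfg>) rather than the `<ProviderClass> <configArg>` form used on the line above; confirm it is intended and not a leftover from the Java 8 provider list. "replacing the #12 item" also assumes the stock list ends at 12; telling the reader to look up the last existing `security.provider.N` entry and append after it avoids a gap or a duplicate index, either of which breaks provider loading.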
At line 88 changed one line
5.) Configure Crush
!!5.) Configure Crush
At line 90 changed one line
First, we need to switch over to the FIPS compliant Java environment, for that edit the init script , modify the $JAVA local environment variable to point to the new Java main binary
Edit the main server config file prefs.XML
{{{
vi /var/opt/CrushFTP10/prefs.XML
}}}
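Review bot: the next steps have the admin save settings from the web interface before the restart, and that save writes prefs.XML, so a hand edit made while the service is running may be overwritten; either instruct the reader to make the fips140 edits with the service stopped, or confirm that CrushFTP re-reads the file before the UI save and say so.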
At line 92 changed one line
vi /var/opt/CrushFTP8_PC/crushftp_init.sh
Find the "fips140" and ""fips140_sftp_client" and "fips140_sftp_server" flag and change them from false to true. The plain "fips140" applies to SSL things like FTPS/FTPES/HTTPS. The others apply to SFTP client and server items. See bottom of this guide for more SFTP items that must be done.\\
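Review bot: stray double quote in `""fips140_sftp_client"`. Show what the flags look like in the file (`<fips140>false</fips140>`, as the removed text further down did) so the reader can grep for them, and say whether the two SFTP flags must be left false when the BouncyCastle FIPS jars from the last section are not installed, since that section states the SFTP port fails to start without them.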
At line 94 changed one line
find the line
After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page, and enter into the "Keystore Location" field the "PKCS11" literal value (without the quotes). Enter the PKCS11 token password, if any set in Step 2.\\
In both "TlS versions" fields leave only "TLSv1.2". Save.\\
If this is Java 13, you can force "TLSv1.3" in both instead. Save. (TLSv1.3 only works starting in Java 13+.)\\
\\
[attachments|Fips.png]\\
\\
Restart the Crush service afterwards
{{{
systemctl restart crushftp
}}}
Normally, all SSL ports should come on line after this step ( HTTPS, FTPES, FTPS ), can test with a client application. SSL cypher assessment should reveal now only FIPS-140-2 compliant ciphers.\\
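Review bot: "(TLSv1.3 only works starting in Java 13+.)" conflicts with TLS 1.3 being part of JDK 11 (JEP 332); if the 13+ requirement is specific to TLS 1.3 through the SunPKCS11/NSS path, say that, otherwise correct it. Wording: "log in into" → "log in to", "TlS versions" → "TLS versions", "cypher" → "cipher", "come on line" → "come online", and "FIPS-140-2 compliant ciphers" is more precisely "cipher suites using FIPS-approved algorithms". A concrete check would help the admin: `openssl s_client -connect host:443 -tls1_1` should now fail, and `nmap --script ssl-enum-ciphers -p 443 host` should list only TLS 1.2 suites.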
At line 96 removed one line
JAVA="java"
At line 98 changed one line
comment it out then add in place
Warning: At this point the HTTPS port may go offline, if token password was incorrect, or the PKCS11 token bad, etc., make sure there is an plain HTTP port available for administration. In case the java.security config file has syntax errors, the Crush service may not come on line at all. \\
----
Running in FIPS mode has a few drawbacks:\\
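Review bot: "an plain HTTP port" → "a plain HTTP port". Since this fallback port carries admin credentials in clear, say to bind it to 127.0.0.1 or a management interface only, and to disable it again once HTTPS is back, otherwise the recovery path undoes the hardening the guide is about.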
At line 100 changed one line
JAVA="/var/opt/java8-fips/bin/java"
* online updates won't work, since our server is not running in FIPS compliant mode, can only use the manual update method ( from file)\\
* server to server connections against a non-FIPS compliant server won't work either, when using VFS proxy or CrushTask.\\
* ldaps:// connections for the SAML or LDAP Group plugin don't work as well unless the directory controller is also set to FIPS mode, the trusted cert needs to be imported into the PKCS11 trust store; plain ldap:// will work just fine\\
* some web browsers may not work with the FIPS compliant cipher set\\
* SSL cypher strength assessment will never give the server "A" or close rating, for a few of the FIPS compliant cyphers are "B"-rated, or lower.\\
----
!!Known issues:
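Review bot: "since our server is not running in FIPS compliant mode" should name the server (the CrushFTP update server) so readers do not take it to mean their own. For the ldaps:// bullet, show the import into the NSS token, e.g. `certutil -A -d sql:/var/opt/nss/crush-nssdb -n "corp-ldap-ca" -t "CT,," -i ldap-ca.pem` (the database path is the one used in the known-issues hunk below), since "imported into the PKCS11 trust store" is the step readers get wrong. Rating bullet: "for a few of the FIPS compliant cyphers are "B"-rated" → "because some of the FIPS-approved ciphers are rated B or lower".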
At line 102 changed 3 lines
then edit the main server config file prefs.XML , set the <fips140>false</fips140> key value to "true". After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page
enter into the "Keystore Location" field the "PKCS11" literal (without the quotes), supply the PKCS11 token password, if any set in Step 2.
In both "Tls versions" fields leave only "TLSv1,TLSv1.1" , save.
* later builds of Oracle Jre/JDK 8 have a bug , require the presence of secmod.db in the NSS DB folder, have to create a dummy file manually
At line 106 changed one line
<screencap image placeholder [1] >
{{{
touch /var/opt/nss/crush-nssdb/secmod.db
}}}
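Review bot: "later builds of Oracle Jre/JDK 8" should name the first affected update so readers on older 8u builds know whether it applies; write JRE/JDK. Because the next hunk sets NSS_DEFAULT_DB_TYPE=sql, the live database files are cert9.db/key4.db/pkcs11.txt and the touched secmod.db is only an empty presence marker; say so, and make sure the certutil commands in step 2 address the same database (the `sql:` prefix on `-d`, or the same variable exported in that shell), otherwise the token the JVM opens is not the one the certificate was imported into.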
At line 108 changed one line
Restart the Crush service afterwards
then add to crushftp_init.sh , before launching the Jvm (the beginning of the script will do)
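Review bot: this instruction assumes the reader still knows where crushftp_init.sh is, but the hunk that rewrote line 90 dropped the old `vi /var/opt/CrushFTP8_PC/crushftp_init.sh` step; give the path again here, using the same CrushFTP10 install path as the rest of the page.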
At line 110 changed one line
systemctl restart crushftp
{{{
export NSS_DEFAULT_DB_TYPE=sql
}}}
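Review bot: the export only takes effect if crushftp_init.sh is what actually launches the JVM; for installs started directly by the systemd unit (the page restarts with `systemctl restart crushftp`), the variable belongs in the unit as `Environment=NSS_DEFAULT_DB_TYPE=sql` instead. State that it must also be set in the shell where the step 2 certutil commands run, for the same reason.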
At line 112 changed 2 lines
Normally, all SSL ports should come on line after this step ( HTTPS, FTPES, FTPS ), can test with a client application. SSL cypher assessment should reveal now only FIPS-140-2 compliant
cyphers.
----
!!SFTP FIPS additional work
To get FIPS modules for SFTP, you need the BouncyCastle libraries added to the plugins/lib folder of CrushFTP.\\
[https://www.bouncycastle.org/fips_faq.html]\\
These are files like:
{{{
bc-fips-1.0.2.jar
bcmail-fips-1.0.1.jar
bcpg-fips-1.0.3.jar
bcpkix-fips-1.0.3.jar
bcpqc-addon-fips-1.0.0.jar
bctls-fips-1.0.9.jar
}}}
The SFTP port will *only* enable FIPS compatible algorithms when the port starts, and it will fail if these jars aren't there and it is unable to do so. You can no longer control your KEX and such as its locked down to the FIPS enabled items only, no controls for the server admin.
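Review bot: the jar list pins one version per artifact without saying where they come from; tell the reader to take the current certified BC-FJA release from the linked FAQ and to verify the downloaded jars against the project's published checksums or signatures before placing them in plugins/lib, since an unverified jar in the crypto path defeats the purpose of FIPS mode. Also warn that the non-FIPS bcprov/bcpkix jars must not be on the same classpath (both register the "BC" provider name and conflict), and say how "it will fail" is visible (SFTP port missing from the listening ports, message in the CrushFTP log) so the admin can diagnose it.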
At line 115 changed 13 lines
<screencap image placeholder [2] >
Warning: At this point the HTTPS port may go offline, if token password was incorrect, or the PKCS11 token bad, etc., make sure there is an plain HTTP port available for adminstration. In case the java.security config file has syntax errors, the Crush service may not come on line at all.
Running in FIPS mode has a few drawbacks:
- online updates won't work, for our update repo server is not running in FIPS compliant mode, can only use the manual update method ( from file)
- server to server connections against a non-FIPS compliant server won't work either, when using VFS proxy or CrushTask.
- ldaps:// connections for the SAML or LDAP Group plugin don't work as well unless the directory controller is also set to FIPS mode, the trusted cert needs to be imported into the PKCS11 trust store; plain ldap:// will work just fine
- some web browsers may not work with the FIPS compliant cypher set
- SSL cypher strength assessment will never give the server "A" or close rating, for many of the FIPS compliant cyphers are "B"-rated, or lower.
[attachments|Fips.png]
{{{
KEX: diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
KEY FORMATS: ecdsa-sha2-nistp256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
}}}
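Review bot: the "FIPS compatible" list includes `diffie-hellman-group-exchange-sha1`, `diffie-hellman-group14-sha1` and `ssh-rsa` (RSA signatures over SHA-1); NIST SP 800-131A Rev. 2 disallows SHA-1 for digital signature generation, so ssh-rsa in particular is at odds with the "only FIPS compatible algorithms" statement above, and rsa-sha2-256/rsa-sha2-512 are absent from KEY FORMATS. Confirm what the BC FIPS SSH code actually negotiates, and list the fixed ciphers and MACs as well, since this block covers only KEX and host-key formats.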
|| Version || Date Modified || Size || Author || Change note
| 13 | 05-Dec-2023 05:32 | 7.856 kB | Ben Spink | 
| 12 | 05-Dec-2023 05:32 | 7.853 kB | Ben Spink | 
| 11 | 05-Dec-2023 05:32 | 7.777 kB | Ben Spink | 
| 10 | 05-Dec-2023 05:32 | 6.741 kB | Ben Spink | 
| 9 | 05-Dec-2023 05:32 | 6.598 kB | Ben Spink | 
| 8 | 05-Dec-2023 05:32 | 6.53 kB | Ben Spink | 
| 7 | 05-Dec-2023 05:32 | 6.553 kB | Ada Csaba | 
| 6 | 05-Dec-2023 05:32 | 6.251 kB | Ada Csaba | 
| 5 | 05-Dec-2023 05:32 | 5.913 kB | Ada Csaba | 
| 4 | 05-Dec-2023 05:32 | 5.893 kB | Ada Csaba | 
| 3 | 05-Dec-2023 05:32 | 5.728 kB | Ada Csaba | FIPS ==> FIPS-140-2 Compliant Mode
| 2 | 05-Dec-2023 05:32 | 5.728 kB | Ada Csaba | 
| 1 | 05-Dec-2023 05:32 | 5.581 kB | Halmágyi Árpád | 