At line 42 changed one line |
On Debian/Ubuntu the NSS libraries are located at /usr/lib/x86_64-linux-gnu/nss |
On Debian/Ubuntu the NSS libraries are located at /usr/lib/x86_64-linux-gnu/nss. It may be different on various versions of same operating system, best to locate the "libnss3.so" kernal module , the "nssLibraryDirectory" path has to point to it's parent directory. |
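Review bot: "kernal module" in the new sentence is wrong terminology that hides the real check: libnss3.so is a user-space shared library (part of NSS), not a kernel module, and "it's parent directory" should be "its". Replace the vague "best to locate" with a command, e.g. `ldconfig -p | grep libnss3` or `dpkg -L libnss3 | grep 'libnss3.so$'`, and state that nssLibraryDirectory must point at a directory holding the NSS shared libraries the JDK loads (libnss3.so and libsoftokn3.so together); on Debian/Ubuntu those two are not necessarily side by side (libnss3.so sits in /usr/lib/x86_64-linux-gnu while the nss/ subdirectory named in the same sentence holds libsoftokn3.so), so say which layout the cfg expects or how to reconcile it.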
At line 58 added 5 lines |
If you have a JKS keystore, convert it first to a p12 formatted keystore. |
{{{ |
/var/opt/CrushFTP9/Java/bin/keytool -importkeystore -srckeystore intranet_local.jks -destkeystore intranet_local.p12 -srcstoretype JKS -deststoretype PKCS12 |
}}} |
|
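Review bot: The step ends with intranet_local.p12 but never says what the .p12 is for, so the reader is left with a converted file and no next action. Add the follow-on import into the NSS database this guide uses later (/var/opt/nss/crush-nssdb), e.g. `pk12util -i intranet_local.p12 -d sql:/var/opt/nss/crush-nssdb`, and mention that keytool prompts for the source and destination store passwords; prefer the prompts over `-srcstorepass`/`-deststorepass` on the command line, which would leave the keystore password in shell history and `ps` output.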
At line 81 added 6 lines |
|
For Java 11+: |
{{{ |
vi /var/opt/CrushFTP9/Java/conf/security/java.security |
}}} |
|
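Review bot: This edit targets the file whose syntax errors the warning further down says will keep the whole service from starting, yet gives no rollback path. Add a backup before the `vi`, e.g. `cp /var/opt/CrushFTP9/Java/conf/security/java.security /var/opt/CrushFTP9/Java/conf/security/java.security.orig`, and tell the reader to confirm the JVM version first (`/var/opt/CrushFTP9/Java/bin/java -version`) so the Java 8 versus Java 11+ branch of the instructions is chosen correctly; the two branches edit differently formatted provider lists.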
At line 80 changed one line |
edit the crypto provider list to be: |
For Java 8, edit the crypto provider list to be: |
At line 107 added 6 lines |
For Java 11+, add these at the end, replacing the #12 item with this one, plus add #13: |
{{{ |
security.provider.12=SunPKCS11 /var/opt/nss/nss_pkcsll_fips.cfg |
security.provider.13=SunPKCS11-NSScrypto |
}}} |
|
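Review bot: `security.provider.13=SunPKCS11-NSScrypto` will not load a provider. In the Java 9+ java.security format each entry is a provider name or class optionally followed by a config file path; "SunPKCS11-<name>" is the name the SunPKCS11 provider assigns itself from the `name=` attribute of the config it is handed on line 12, not a name that can be listed on its own, so line 13 should be dropped or its purpose explained. Also confirm the cfg filename: "nss_pkcsll_fips.cfg" reads as "pkcs" followed by two lowercase L's where "pkcs11" is presumably meant, and a wrong path here produces no obvious error at startup (only the SSL ports fail to come up later); running once with `-Djava.security.debug=provider` shows whether the provider actually loaded.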
At line 98 changed one line |
First, we need to switch over to the FIPS compliant Java environment, for that edit the init script , modify the $JAVA local environment variable to point to the new Java main binary |
Edit the main server config file prefs.XML |
At line 100 changed one line |
vi /var/opt/CrushFTP8_PC/crushftp_init.sh |
vi /var/opt/CrushFTP9/prefs.XML |
At line 102 removed 13 lines |
find the line |
{{{ |
JAVA="java" |
}}} |
comment it out then add in place |
{{{ |
JAVA="/var/opt/java8-fips/bin/java" |
}}} |
then edit the main server config file prefs.XML |
{{{ |
vi /var/opt/CrushFTP8_PC/prefs.XML |
}}} |
, locate and set the |
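Review bot: Removing the `JAVA=` step deletes the only instruction that made the service run under the FIPS-capable JVM, and the replacement text does not say which JVM CrushFTP9 now uses. If the intent is that the bundled /var/opt/CrushFTP9/Java is that JVM, say so explicitly; otherwise keep the init-script instruction. Either way, add a post-restart check such as `ps -o args= -C java` so the reader can confirm the expected binary is the one running before chasing provider or keystore errors that are really caused by the wrong JVM.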
At line 116 changed 6 lines |
{{{<fips140>false</fips140>}}} |
key value to |
{{{true}}} |
After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page |
enter into the "Keystore Location" field the "PKCS11" literal (without the quotes), supply the PKCS11 token password, if any set in Step 2. |
In both "Tls versions" fields leave only "TLSv1,TLSv1.1" , save.\\ |
Find the "fips140" and ""fips140_sftp_client" and "fips140_sftp_server" flag and change them from false to true. The plain "fips140" applies to SSL things like FTPS/FTPES/HTTPS. The others apply to SFTP client and server items. See bottom of this guide for more SFTP items that must be done.\\ |
|
After this step, before restarting the service, log in into the Webinterface as the main admin, navigate to Preferences->Encryption->SSL page, and enter into the "Keystore Location" field the "PKCS11" literal value (without the quotes). Enter the PKCS11 token password, if any set in Step 2.\\ |
In both "TlS versions" fields leave only "TLSv1.2". Save.\\ |
If this is Java 13, you can force "TLSv1.3" in both instead. Save. (TLSv1.3 only works starting in Java 13+.)\\ |
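Review bot: "TLSv1.3 only works starting in Java 13+" conflicts with the JDK: SunJSSE has supported TLS 1.3 since Java 11 (JEP 332). If 13 is a CrushFTP or NSS-provider limitation, state that; otherwise change it to Java 11+. Smaller fixes in the same hunk: `""fips140_sftp_client"` has a doubled quote, "TlS versions" should read "TLS versions", and since the previous revision told readers to leave "TLSv1,TLSv1.1" in those fields, say plainly that the old value must be replaced by "TLSv1.2", not merely extended, so existing deployments do not keep the older protocol versions enabled.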
At line 129 changed 2 lines |
Normally, all SSL ports should come on line after this step ( HTTPS, FTPES, FTPS ), can test with a client application. SSL cypher assessment should reveal now only FIPS-140-2 compliant |
cyphers. |
Normally, all SSL ports should come on line after this step ( HTTPS, FTPES, FTPS ), can test with a client application. SSL cypher assessment should reveal now only FIPS-140-2 compliant ciphers.\\ |
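Review bot: "can test with a client application" and "SSL cypher assessment" name no tool, so the reader cannot actually verify the claim that only FIPS 140-2 compliant ciphers remain. Quote a concrete check, e.g. `nmap --script ssl-enum-ciphers -p 443 <host>` or `openssl s_client -connect <host>:443 -tls1_2`, and describe a failing result: any TLS 1.0/1.1 offer, or any suite using RC4, MD5 or NULL encryption, means the provider list or the TLS versions field did not take effect.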
At line 133 changed one line |
Warning: At this point the HTTPS port may go offline, if token password was incorrect, or the PKCS11 token bad, etc., make sure there is an plain HTTP port available for adminstration. In case the java.security config file has syntax errors, the Crush service may not come on line at all. |
Warning: At this point the HTTPS port may go offline, if token password was incorrect, or the PKCS11 token bad, etc., make sure there is an plain HTTP port available for administration. In case the java.security config file has syntax errors, the Crush service may not come on line at all. \\ |
---- |
Running in FIPS mode has a few drawbacks:\\ |
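Review bot: The new line still says "an plain HTTP port"; it should be "a plain HTTP port". More importantly, as written it tells the reader to leave an unencrypted admin login reachable on a server that is being hardened to FIPS. Add the constraint that the fallback HTTP port be bound to 127.0.0.1 (or a management-only interface) and disabled again once HTTPS is confirmed working, otherwise the admin password travels in clear during exactly the troubleshooting window this warning describes.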
At line 135 changed 3 lines |
Running in FIPS mode has a few drawbacks: |
|
* online updates won't work, for our update repo server is not running in FIPS compliant mode, can only use the manual update method ( from file)\\ |
* online updates won't work, since our server is not running in FIPS compliant mode, can only use the manual update method ( from file)\\ |
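Review bot: Because the manual method replaces the in-app download with a file the administrator fetches and copies onto the server, this item should say how to verify that file (published checksum or signature) before it is applied; otherwise the FIPS deployment, which is presumably the most controlled one, ends up with the least verified update path.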
At line 140 changed one line |
* some web browsers may not work with the FIPS compliant cypher set\\ |
* some web browsers may not work with the FIPS compliant cipher set\\ |
At line 144 added 2 lines |
---- |
!!Known issues: |
At line 147 added one line |
* later builds of Oracle Jre/JDK 8 have a bug , require the presence of secmod.db in the NSS DB folder, have to create a dummy file manually |
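Review bot: "have a bug" is left undescribed, which makes the secmod.db workaround look arbitrary. The behaviour is that the JDK's SunPKCS11 NSS support checks that a file named secmod.db exists in nssSecmodDirectory before initialising, while an NSS database created in the sql format (cert9.db, key4.db, pkcs11.txt) has no such file; the empty secmod.db satisfies that existence check, and NSS_DEFAULT_DB_TYPE=sql makes NSS open the sql database instead of trying to read the empty legacy one. Stating this here tells readers the dummy file must stay empty, and that newer JDK builds accept an `sql:` prefix on nssSecmodDirectory and skip the check altogether.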
At line 149 added 29 lines |
{{{ |
touch /var/opt/nss/crush-nssdb/secmod.db |
}}} |
|
then add to crushftp_init.sh , before launching the Jvm (the beginning of the script will do) |
|
{{{ |
export NSS_DEFAULT_DB_TYPE=sql |
}}} |
|
---- |
!!SFTP FIPS additional work |
To get FIPS modules for SFTP, you need the BouncyCastle libraries added to the plugins/lib folder of CrushFTP.\\ |
[https://www.bouncycastle.org/fips_faq.html]\\ |
These are files like: |
{{{ |
bc-fips-1.0.2.jar |
bcmail-fips-1.0.1.jar |
bcpg-fips-1.0.3.jar |
bcpkix-fips-1.0.3.jar |
bcpqc-addon-fips-1.0.0.jar |
bctls-fips-1.0.9.jar |
}}} |
The SFTP port will *only* enable FIPS compatible algorithms when the port starts, and it will fail if these jars aren't there and it is unable to do so. You can no longer control your KEX and such as its locked down to the FIPS enabled items only, no controls for the server admin. |
|
{{{ |
KEX: diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 |
KEY FORMATS: ecdsa-sha2-nistp256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 |
}}} |
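Review bot: The list presented as "FIPS enabled items only" contains SHA-1 based methods (diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1) and `ssh-rsa`, which as an SSH signature algorithm means RSA with SHA-1; NIST SP 800-131A disallows SHA-1 for signature generation, so say whether "KEY FORMATS" here means host-key types (RSA keys signed with rsa-sha2-256/512 are fine) or signature algorithms, and whether the SHA-1 KEX methods are offered last. The hunk should also say what switches BouncyCastle into approved-only mode (the bc-fips jars run in non-approved mode unless `org.bouncycastle.fips.approved_only=true` is set or the application switches mode), since the claim that the port enables only FIPS algorithms depends on it, and add a checksum or signature check for the downloaded jars, which become the trust root for all SFTP traffic.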