View Attach (1) Info

Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
png
 Fips.png 442.4 kB 1 25-Oct-2018 04:31 Halmágyi Árpád

This page (revision-12) was last changed on 16-May-2020 02:14 by Ben Spink

This page was created on 25-Oct-2018 04:31 by Halmágyi Árpád

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 58 added 5 lines
If you have a JKS keystore, convert it first to a p12 formatted keystore.
{{{
/var/opt/CrushFTP9/Java/bin/keytool -importkeystore -srckeystore intranet_local.jks -destkeystore intranet_local.p12 -srcstoretype JKS -deststoretype PKCS12
}}}
At line 81 added 6 lines
For Java 11+:
{{{
vi /var/opt/CrushFTP9/Java/conf/security/java.security
}}}
At line 80 changed one line
edit the crypto provider list to be:
For Java 8, edit the crypto provider list to be:
At line 107 added 6 lines
For Java 11+, add these at the end, replacing the #12 item with this one, plus add #13:
{{{
security.provider.12=SunPKCS11 /var/opt/nss/nss_pkcsll_fips.cfg
security.provider.13=SunPKCS11-NSScrypto
}}}
At line 98 changed one line
First, we need to switch over to the FIPS compliant Java environment, for that edit the init script , modify the $JAVA local environment variable to point to the new Java main binary
Edit the main server config file prefs.XML
At line 100 changed one line
vi /var/opt/CrushFTP8_PC/crushftp_init.sh
vi /var/opt/CrushFTP9/prefs.XML
At line 102 removed 13 lines
find the line
{{{
JAVA="java"
}}}
comment it out then add in place
{{{
JAVA="/var/opt/java8-fips/bin/java"
}}}
then edit the main server config file prefs.XML
{{{
vi /var/opt/CrushFTP8_PC/prefs.XML
}}}
, locate and set the
At line 116 changed 3 lines
{{{<fips140>false</fips140>}}}
key value to
{{{true}}}
locate and set the fips140 and change it from false to true. Same for fips140_sftp_client value.
At line 121 changed one line
In both "Tls versions" fields leave only "TLSv1,TLSv1.1" , save.\\
In both "TlS versions" fields leave only "TLSv1.2". Save.\\
If this is Java 13, you can force "TLSv1.3" in both. Save.\\
At line 129 changed 2 lines
Normally, all SSL ports should come on line after this step ( HTTPS, FTPES, FTPS ), can test with a client application. SSL cypher assessment should reveal now only FIPS-140-2 compliant
cyphers.
Normally, all SSL ports should come on line after this step ( HTTPS, FTPES, FTPS ), can test with a client application. SSL cypher assessment should reveal now only FIPS-140-2 compliant ciphers.
At line 133 changed one line
Warning: At this point the HTTPS port may go offline, if token password was incorrect, or the PKCS11 token bad, etc., make sure there is an plain HTTP port available for adminstration. In case the java.security config file has syntax errors, the Crush service may not come on line at all.
Warning: At this point the HTTPS port may go offline, if token password was incorrect, or the PKCS11 token bad, etc., make sure there is an plain HTTP port available for administration. In case the java.security config file has syntax errors, the Crush service may not come on line at all.
At line 140 changed one line
* some web browsers may not work with the FIPS compliant cypher set\\
* some web browsers may not work with the FIPS compliant cipher set\\
At line 157 removed 6 lines
* apparently Java 13 is missing the FIPS module
* works with Java 11 , the security config file is located in javadir/conf/security/java.security needs editing the line with PKCS11 compliant provider like
{{{
security.provider.12=SunPKCS11 /var/opt/nss/nss_pkcs11_fips.cfg
}}}
Version Date Modified Size Author Changes ... Change note
12 16-May-2020 02:14 7.853 kB Ben Spink to previous
11 16-May-2020 02:12 7.777 kB Ben Spink to previous | to last
10 27-Mar-2020 13:18 6.741 kB Ben Spink to previous | to last
9 27-Mar-2020 05:26 6.598 kB Ben Spink to previous | to last
8 27-Mar-2020 05:17 6.53 kB Ben Spink to previous | to last
7 26-Mar-2020 18:15 6.553 kB Ada Csaba to previous | to last
6 26-Mar-2020 18:11 6.251 kB Ada Csaba to previous | to last
5 25-Oct-2018 04:31 5.913 kB Ada Csaba to previous | to last
4 25-Oct-2018 04:31 5.893 kB Ada Csaba to previous | to last
3 25-Oct-2018 04:31 5.728 kB Ada Csaba to previous | to last FIPS ==> FIPS-140-2 Compliant Mode
2 25-Oct-2018 04:31 5.728 kB Ada Csaba to previous | to last
1 25-Oct-2018 04:31 5.581 kB Halmágyi Árpád to last
« This page (revision-12) was last changed on 16-May-2020 02:14 by Ben Spink
G’day (anonymous guest)
CrushFTP9 | What's New

Referenced by
LeftMenu

JSPWiki