Thursday, September 7, 2017

FIPS-compliant Credential Stores

What is FIPS? FIPS is a U.S. government computer security standard used to approve cryptographic modules [wikipedia].
Was WildFly evaluated for FIPS? No, we are just giving users the opportunity to configure and operate the Credential Store in a compliant way.


Configuration

To set up the Credential Store in a FIPS compliant way we need a FIPS compliant key store first. It will hold an encryption key, and the Credential Store implementation will use that key to encrypt/decrypt the data needed to restore credentials from the storage file.

FIPS 140-2 compliant key store

There are several possibilities to get a FIPS compliant key store; this is just one of them.
I will use the Sun PKCS#11 provider accessing an NSS DB. More details can be looked up here.
Modify the $JAVA_HOME/jre/lib/security/java.security file to have the provider in the first position:
security.provider.1=sun.security.pkcs11.SunPKCS11 /opt/ora/jdk1.8.0_fips/jre/lib/security/nss_pkcs11_fips.cfg
Move all the other providers down one position.

Content of nss_pkcs11_fips.cfg file is following:
name = testPkcs
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /home/pskopek/fipsdb
nssDbMode = readWrite
nssModule = fips

Note the nssSecmodDirectory option, which points to the NSS DB directory. You might want to have it elsewhere. Note the name option too.

In $JAVA_HOME/jre/lib/security/java.security we also need to modify the entry for the provider called com.sun.net.ssl.internal.ssl.Provider so that it uses the PKCS#11 key store we are configuring right now (it is not necessary, but it might help later when one tries to configure https/ssl).
The resulting row should look like:
security.provider.5=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-testPkcs

The next step is to initialize the NSS DB:
mkdir fipsdb
modutil -force -dbdir fipsdb -create
modutil -force -dbdir fipsdb -fips true
modutil -force -dbdir fipsdb -changepw "NSS FIPS 140-2 Certificate DB"

Just remember to set the password to "pass123+", as we use it in this example.
Make sure that the "fipsdb" directory is actually the same as the one referenced by nssSecmodDirectory in the nss_pkcs11_fips.cfg configuration file above.

Well, that's almost done. We just need to create the secret key to be used later in the Credential Store.
We can use the Java keytool for the job:
keytool -keystore NONE -storetype PKCS11 -storepass pass123+ -genseckey -alias cskey -keyalg AES -keysize 256
Just be sure you are using the same JRE whose java.security file you have already modified.
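Before moving on to WildFly it is worth checking that the key store side is actually wired up. The following is an added verification program, not part of the original post or of WildFly; it assumes the provider name "SunPKCS11-testPkcs" (derived from the name option in nss_pkcs11_fips.cfg), the alias cskey and the NSS DB password pass123+ used above.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKey;

// Hypothetical check tool (not from the blog post or WildFly). Run it with the
// same JRE whose java.security was edited, so SunPKCS11 is provider number 1.
public class FipsKeyStoreCheck {
    // "SunPKCS11-" followed by the "name" value from nss_pkcs11_fips.cfg
    static final String PROVIDER_NAME = "SunPKCS11-testPkcs";
    static final String KEY_ALIAS = "cskey";            // alias created with keytool
    static final char[] PIN = "pass123+".toCharArray(); // NSS DB password = token PIN

    public static void main(String[] args) throws Exception {
        // 1. The first registered provider must be the PKCS#11 one; otherwise a
        //    non-FIPS software provider could silently take precedence.
        Provider first = Security.getProviders()[0];
        if (!PROVIDER_NAME.equals(first.getName())) {
            throw new IllegalStateException("first provider is " + first.getName()
                    + ", expected " + PROVIDER_NAME + "; check security.provider.1");
        }

        // 2. Open the token-backed key store, like "keytool -keystore NONE -storetype PKCS11".
        //    load(null, pin) logs in to the NSS FIPS token with the DB password.
        KeyStore ks = KeyStore.getInstance("PKCS11", first);
        ks.load(null, PIN);

        // 3. The credential store can only work if the AES key is reachable under its
        //    alias and is a secret key, not a certificate or key pair.
        if (!ks.containsAlias(KEY_ALIAS)) {
            throw new IllegalStateException("alias " + KEY_ALIAS + " not found in NSS DB");
        }
        // Per-key passwords are not used by PKCS#11; the token PIN was given at load().
        Key key = ks.getKey(KEY_ALIAS, null);
        if (!(key instanceof SecretKey)) {
            throw new IllegalStateException(KEY_ALIAS + " is not a secret key");
        }
        System.out.println("provider: " + first.getName() + " (" + first.getInfo() + ")");
        System.out.println("key " + KEY_ALIAS + ": algorithm=" + key.getAlgorithm());
        // On a FIPS token the key is sensitive and non-extractable, so getEncoded()
        // is expected to return null; a non-null value means raw key material leaves the token.
        System.out.println("raw key material exportable: " + (key.getEncoded() != null));
    }
}
```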

Credential Store

CLI command to create a credential store named "fips":
/subsystem=elytron/credential-store=fips:add(modifiable=true, location=data.store, relative-to=jboss.server.data.dir, implementation-properties={"keyStoreType"=>"PKCS11","external"=>"true","keyAlias"=>"cskey"},credential-reference={clear-text="pass123+"}, create=true)

We can add an alias to see if it works:
/subsystem=elytron/credential-store=fips:add-alias(alias="myfipsalias", secret-value="supersecret")

Here comes the check:
/subsystem=elytron/credential-store=fips:read-aliases()



1 comment:

  1. I'd like to add more information, as it pertains to JBoss 7.4. This is poorly documented, but direct from the Red Hat helpdesk.

    Query :

    Is there a way of using a credential store with a different Algorithm?
    Or is there a way of creating a credential store that is an PKCS11 NSSDB?

    Answer :

    You can add the line : implementation-properties={keyStoreType=PKCS11}

    So the command to create PKCS11 keystore becomes :

    /opt/jboss-eap/bin/jboss-cli.sh --connect --commands="/subsystem=elytron/credential-store=credential-store:add(location=../credential-stores/credential-store.pfx, relative-to=jboss.server.data.dir,implementation-properties={"keyStoreType"=>"PKCS11","keyAlias"=>""},credential-reference={clear-text=credential-store-pw},create=true)"

    Query:

    Can I use the SAME NSSDB that I'm using as a certificate store, or should I create a separate one?

    Answer:

    If you run the command :

    modutil -list -dbdir

    it should list PKCS #11 Modules; if it lists the PKCS #11 Modules, then there is no need to create a separate one.

    You get the db dir from the nss.fips.cfg file, which is in /conf/security. Inside the file search for the value for the key nssSecmodDirectory; that's the db directory.
