The following documentation topic walks through the steps required to enable Tomcat FIPs mode.

Enable FIPS Mode in Tomcat

Notes and tips:

• Only supported for Linux. The required Linux based tomcat-native package is not available as a pre-built package on Windows.
• Requires editing of the tomcat server.xml file. Be sure to back up the file before making changes.
• The tomcat web server services must be stopped and restarted for the FIPS enabled mode changes to be recognized.
  • Restart OneClick Tomcat as follows:
    • cd $SPECROOT/tomcat/bin
  • Stop with:
    • ./stopTomcat.sh
  • Ensure all processes shut down before starting. Use this to check:
    • ps -ef | grep tomcat
  • Start with:
    • ./startTomcat.sh
• The tomcat catalina.out log will show the following messages when tomcat FIPs mode is enabled successfully.

  • 13-Jul-2021 17:48:28.412 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.23] using APR version [1.6.3].
    13-Jul-2021 17:48:28.412 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    13-Jul-2021 17:48:28.412 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
    13-Jul-2021 17:48:28.414 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
    13-Jul-2021 17:48:28.427 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
    13-Jul-2021 17:48:28.427 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1g FIPS  21 Apr 2020]
    13-Jul-2021 17:48:28.647 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]