How to Configure Tomcat and Enable FIPS Mode (Linux)
search cancel

How to Configure Tomcat and Enable FIPS Mode (Linux)


Article ID: 219583


Updated On:


CA Spectrum


For secure sites, tomcat servers are required to have FIPs mode enabled

Tomcat must use FIPS-validated ciphers on secured connectors. (

Finding ID Version Rule ID IA Controls Severity
V-222968 TCAT-AS-000750 SV-222968r615938_rule   High


Release : 20.2

Component : Spectrum OneClick


The tomcat STIG cases will be evaluated for feasibility in the Q4CY21 NetOps release.

In the meantime provided manual steps to enable FIPs mode on tomcat. This will require the tomcat-native package to be installed and a config change

1) Requires tomcat-native package to be installed

This will require the tomcat-native OS package to be installed

yum list tomcat-native
Last metadata expiration check: 20:06:57 ago on Tue 13 Jul 2021 08:00:40 PM UTC.
Installed Packages
tomcat-native.x86_64                       1.2.23-1.el8                    @epel

2) Need to add AprLifecycleListener to the server.xml with FIPs Mode on

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on"></Listener>


3) Restart OneClick Tomcat
     cd $SPECROOT/tomcat/bin

The tomcat catalina.out log will show if FIPs mode is enabled

13-Jul-2021 17:48:28.412 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.23] using APR version [1.6.3].
13-Jul-2021 17:48:28.412 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
13-Jul-2021 17:48:28.412 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
13-Jul-2021 17:48:28.414 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
13-Jul-2021 17:48:28.427 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
13-Jul-2021 17:48:28.427 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1g FIPS  21 Apr 2020]
13-Jul-2021 17:48:28.647 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]

Additional Information

Note: The tomcat-native package is not available as a pre-built package on Windows. One would need to manually build this package in order to enable FIPS mode on Windows.