After upgrading DX NetOps Spectrum OneClick we are unable to enable FIPS Mode for tomcat

Article ID: 418852

Products

Network Observability Spectrum

Issue/Introduction

After upgrading to 25.4.8, the OneClick administration web site and the OC WebApp UI are both inaccessible.

The following error appears in the $SPECROOT/tomcat/logs/catalina.out log file:

2025-11-17 14:39:49,140 [main] INFO  org.apache.catalina.core.AprLifecycleListener - Loaded Apache Tomcat Native library [1.3.0] using APR version [1.7.0].
2025-11-17 14:39:49,141 [main] INFO  org.apache.catalina.core.AprLifecycleListener - APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
2025-11-17 14:39:49,141 [main] INFO  org.apache.catalina.core.AprLifecycleListener - APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
2025-11-17 14:39:49,157 [main] ERROR org.apache.catalina.core.AprLifecycleListener - Failed to initialize the SSLEngine.
java.lang.IllegalStateException: The FIPS provider must be configured as the default provider when the AprLifecycleListener is configured with FIPS mode [on]
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:332) ~[catalina.jar:9.0.107]
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:150) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:121) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:690) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:713) ~[catalina.jar:9.0.107]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302) ~[bootstrap.jar:9.0.107]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) ~[bootstrap.jar:9.0.107]
2025-11-17 14:39:49,161 [main] FATAL org.apache.catalina.core.AprLifecycleListener - Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:160) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:121) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:690) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:713) ~[catalina.jar:9.0.107]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302) ~[bootstrap.jar:9.0.107]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) ~[bootstrap.jar:9.0.107]
2025-11-17 14:39:49,162 [main] ERROR org.apache.catalina.startup.Catalina - Error initializing Catalina
org.apache.catalina.LifecycleException: Failed to initialize component [StandardServer[-1]]
        at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:406) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:125) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:690) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:713) ~[catalina.jar:9.0.107]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302) ~[bootstrap.jar:9.0.107]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) ~[bootstrap.jar:9.0.107]
Caused by: java.lang.Error: Failed to enter FIPS mode
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:160) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:121) ~[catalina.jar:9.0.107]
        ... 8 more

Cause

This is caused by the updated Tomcat version in the later releases.

Resolution

To resolve this in 25.4.6 and newer releases, follow the steps in the "Enable FIPS Mode in Tomcat" documentation:

  1. Install the required packages per the documentation.
  2. Edit the $SPECROOT/tomcat/conf/server.xml file.
    1. Find the following entry:
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="off"></Listener>
    2. Change FIPSMode="off" to FIPSMode="on".

    3. Save the changes.

  3. In 25.4.6 and newer releases the only catalina.sh edit required is uncommenting the following two variables. Open the file, remove the "#" from the front of each line to activate them, and save the changes.
    1. export OPENSSL_CONF=$SPECROOT/tomcat/bin/ossl-modules/openssl_fips.cnf
      export OPENSSL_MODULES=$SPECROOT/tomcat/bin/ossl-modules

 

For 25.4.5 and earlier releases 

  1. Install the required packages per the documentation.
  2. Edit the $SPECROOT/tomcat/conf/server.xml file.
    1. Find the following entry:
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="off"></Listener>
    2. Change FIPSMode="off" to FIPSMode="on".

    3. Save the changes.

  3. Create the required openssl_fips.cnf file per documentation. Save it in the $SPECROOT directory.
  4. Edit the $SPECROOT/tomcat/conf/server.xml file.
    1. Add the documented OPENSSL_CONF variable after line 153.
    2. Ensure the directory specified matches your $SPECROOT home directory.

 

When all steps are completed, for any release, restart Tomcat so that it reads the new configuration.

 

If configured correctly, the following messages appear during startup in the Tomcat log file (catalina.out on Linux, stdout.log on Windows):

2025-11-23 10:33:35,086 [main] INFO  org.apache.catalina.core.AprLifecycleListener - Using OpenSSL with the FIPS provider as the default provider
2025-11-23 10:33:35,086 [main] INFO  org.apache.catalina.core.AprLifecycleListener - OpenSSL successfully initialized [OpenSSL 3.0.16 11 Feb 2025]
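
The checks for the 25.4.6 and newer steps, collected into one read-only script. This is an added example, not part of the original article or the product: the function names are hypothetical, and the fixture files are constructed from the entries and log messages quoted in this article so the script runs offline.

```shell
#!/bin/sh
# Added example: read-only checks for the 25.4.6+ steps. Function names are hypothetical.

# Print the FIPSMode value on the AprLifecycleListener entry, or "missing".
fips_listener_mode() {
    mode=$(grep 'org.apache.catalina.core.AprLifecycleListener' "$1" 2>/dev/null |
        grep -v '<!--' | sed -n 's/.*FIPSMode="\([^"]*\)".*/\1/p' | head -n 1)
    echo "${mode:-missing}"
}

# Succeed only if variable $2 is exported in file $1 on a line without a leading "#".
export_active() {
    grep -Eq "^[[:space:]]*export[[:space:]]+$2=" "$1"
}

# The log can hold messages from earlier starts, so only the most recent FIPS message counts.
fips_log_status() {
    last=$(grep -E 'Failed to enter FIPS mode|Using OpenSSL with the FIPS provider as the default provider' "$1" 2>/dev/null | tail -n 1)
    case "$last" in
        *'Failed to enter FIPS mode'*) echo failed ;;
        *'FIPS provider as the default provider'*) echo ok ;;
        *) echo unknown ;;
    esac
}

# Constructed fixture (assumption); on a real host point the functions at $SPECROOT/tomcat.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/server.xml" <<'EOF'
<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on"></Listener>
</Server>
EOF
cat > "$demo/catalina.sh" <<'EOF'
export OPENSSL_CONF=$SPECROOT/tomcat/bin/ossl-modules/openssl_fips.cnf
#export OPENSSL_MODULES=$SPECROOT/tomcat/bin/ossl-modules
EOF
cat > "$demo/catalina.out" <<'EOF'
2025-11-17 14:39:49,161 [main] FATAL org.apache.catalina.core.AprLifecycleListener - Failed to enter FIPS mode
2025-11-23 10:33:35,086 [main] INFO  org.apache.catalina.core.AprLifecycleListener - Using OpenSSL with the FIPS provider as the default provider
EOF

echo "listener FIPSMode: $(fips_listener_mode "$demo/server.xml")"
for v in OPENSSL_CONF OPENSSL_MODULES; do
    if export_active "$demo/catalina.sh" "$v"; then echo "$v: active"; else echo "$v: commented out or missing"; fi
done
echo "last FIPS log result: $(fips_log_status "$demo/catalina.out")"
```

The fixture leaves OPENSSL_MODULES commented out on purpose, so the script reports it as inactive while OPENSSL_CONF passes.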

 

Additional Information

To disable the FIPS configuration, set the FIPSMode flag in server.xml from "on" to "off", then restart Tomcat to apply the change.