After upgrading DX NetOps Spectrum to 25.4.2 we are unable to enable FIPS Mode for tomcat

Article ID: 418852

Products

Network Observability Spectrum

Issue/Introduction

2025-11-17 14:39:49,140 [main] INFO  org.apache.catalina.core.AprLifecycleListener - Loaded Apache Tomcat Native library [1.3.0] using APR version [1.7.0].
2025-11-17 14:39:49,141 [main] INFO  org.apache.catalina.core.AprLifecycleListener - APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
2025-11-17 14:39:49,141 [main] INFO  org.apache.catalina.core.AprLifecycleListener - APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
2025-11-17 14:39:49,157 [main] ERROR org.apache.catalina.core.AprLifecycleListener - Failed to initialize the SSLEngine.
java.lang.IllegalStateException: The FIPS provider must be configured as the default provider when the AprLifecycleListener is configured with FIPS mode [on]
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:332) ~[catalina.jar:9.0.107]
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:150) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:121) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:690) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:713) ~[catalina.jar:9.0.107]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302) ~[bootstrap.jar:9.0.107]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) ~[bootstrap.jar:9.0.107]
2025-11-17 14:39:49,161 [main] FATAL org.apache.catalina.core.AprLifecycleListener - Failed to enter FIPS mode
java.lang.Error: Failed to enter FIPS mode
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:160) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:121) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:690) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:713) ~[catalina.jar:9.0.107]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302) ~[bootstrap.jar:9.0.107]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) ~[bootstrap.jar:9.0.107]
2025-11-17 14:39:49,162 [main] ERROR org.apache.catalina.startup.Catalina - Error initializing Catalina
org.apache.catalina.LifecycleException: Failed to initialize component [StandardServer[-1]]
        at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:406) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:125) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:690) ~[catalina.jar:9.0.107]
        at org.apache.catalina.startup.Catalina.load(Catalina.java:713) ~[catalina.jar:9.0.107]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:569) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302) ~[bootstrap.jar:9.0.107]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475) ~[bootstrap.jar:9.0.107]
Caused by: java.lang.Error: Failed to enter FIPS mode
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:160) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389) ~[catalina.jar:9.0.107]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:121) ~[catalina.jar:9.0.107]
        ... 8 more

Cause

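This is caused by the updated Tomcat version in the later releases. As the error above states, Tomcat now requires the OpenSSL FIPS provider to be configured as the default provider when the AprLifecycleListener is configured with FIPS mode on.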

Resolution

Please follow these steps to resolve:

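1. Create openssl_fips.cnf with the contents below. Example location: $SPECROOT/openssl_fips.cnf

# Treat configuration errors as fatal instead of ignoring them
config_diagnostics = 1
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# Providers to load: the FIPS module plus the base provider (encoders/decoders)
[provider_sect]
fips = fips_sect
base = base_sect

[fips_sect]
activate = 1
module = /usr/lib64/ossl-modules/fips.so

[base_sect]
activate = 1

# Make FIPS implementations the default for every algorithm fetch
[algorithm_sect]
default_properties = fips=yes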

2. Edit the $SPECROOT/tomcat/bin/catalina.sh file:

Below line 153, add a new line containing:

export OPENSSL_CONF=/usr/Spectrum/openssl_fips.cnf

(Use your own install path, or the location where you placed the file.)

3. Restart Tomcat.

Review the Tomcat log file and confirm that it contains the following lines:

2025-11-23 10:33:35,086 [main] INFO  org.apache.catalina.core.AprLifecycleListener - Using OpenSSL with the FIPS provider as the default provider
2025-11-23 10:33:35,086 [main] INFO  org.apache.catalina.core.AprLifecycleListener - OpenSSL successfully initialized [OpenSSL 3.0.16 11 Feb 2025]
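The checks in steps 1 to 3 can be scripted. The following is an added example, not part of the original article or of Spectrum: it lints an OpenSSL config file for the settings shown in step 1 (FIPS provider listed, activated, and fips=yes set as the default property) and reads a Tomcat log for the most recent FIPS verdict. The function names cnf_get, check_fips_cnf and check_tomcat_log are hypothetical, and the demo input is constructed.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names); works on plain files, no OpenSSL call needed.

# cnf_get FILE SECTION KEY -> print KEY's value inside [SECTION] ("" = top of file)
cnf_get() {
  awk -v want="$2" -v key="$3" '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t\r]+$/, "") }
    /^\[.*\]$/ { sec = $0; gsub(/^\[[ \t]*|[ \t]*\]$/, "", sec); next }
    sec == want {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# check_fips_cnf FILE -> 0 if the FIPS provider is activated and made the default
check_fips_cnf() {
  c_init=$(cnf_get "$1" "" openssl_conf)
  [ -n "$c_init" ] || { echo "no openssl_conf entry"; return 1; }
  c_prov=$(cnf_get "$1" "$c_init" providers)
  c_alg=$(cnf_get "$1" "$c_init" alg_section)
  c_fips=$(cnf_get "$1" "$c_prov" fips)
  [ -n "$c_fips" ] || { echo "fips provider not listed"; return 1; }
  [ "$(cnf_get "$1" "$c_fips" activate)" = 1 ] ||
    { echo "fips provider not activated"; return 1; }
  [ "$(cnf_get "$1" "$c_alg" default_properties)" = "fips=yes" ] ||
    { echo "fips=yes is not the default property"; return 1; }
  echo "ok"
}

# check_tomcat_log FILE -> 0 only if the newest FIPS-related line reports success
check_tomcat_log() {
  last=$(grep -E 'Using OpenSSL with the FIPS provider as the default provider|Failed to enter FIPS mode' "$1" | tail -n 1)
  case $last in
    *'FIPS provider as the default provider'*) echo "fips-active" ;;
    *'Failed to enter FIPS mode'*) echo "fips-failed"; return 1 ;;
    *) echo "no-fips-verdict"; return 1 ;;
  esac
}

# Demo on constructed input: the step 1 config with the algorithm section left out.
demo=$(mktemp)
printf '%s\n' 'openssl_conf = openssl_init' '[openssl_init]' \
  'providers = provider_sect' '[provider_sect]' 'fips = fips_sect' \
  '[fips_sect]' 'activate = 1' > "$demo"
check_fips_cnf "$demo" || true
rm -f "$demo"
```

Run check_fips_cnf against the file named in OPENSSL_CONF before restarting Tomcat, and check_tomcat_log against the Tomcat log afterwards.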

 

Additional Information

Note: the previous steps for enabling FIPS no longer work. No changes are needed to the server.xml file or to anything else beyond the steps above.