Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add experimental FIPS support #231

Merged
merged 3 commits into from
Feb 12, 2025
Merged

Add experimental FIPS support #231

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e312ea3
Add experimental FIPS support
pega-roska Jan 16, 2025
83bf61d
Add handling for java.security.overwrite.tmpl
APegaDavis Jan 28, 2025
c3073e6
Fix syntax issue with setting env variable
APegaDavis Feb 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 19 additions & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -206,16 +206,34 @@ RUN mkdir -p /opt/pega/kafkadata && \
chmod -R g+rw /opt/pega/kafkadata && \
chown -R pegauser /opt/pega/kafkadata

# Set up dir for prometheus lib
# download necessary jars
RUN apt-get update && \
apt-get install -y gpg && \
rm -rf /var/lib/apt/lists/* && \
mkdir -p /opt/pega/prometheus && \
mkdir -p /opt/pega/bcfips && \
curl -sL -o /opt/pega/prometheus/jmx_prometheus_javaagent.jar https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.18.0/jmx_prometheus_javaagent-0.18.0.jar && \
curl -sL -o /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.18.0/jmx_prometheus_javaagent-0.18.0.jar.asc && \
gpg --import /keys/prometheus.asc && \
gpg --verify /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc /opt/pega/prometheus/jmx_prometheus_javaagent.jar && \
rm /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc && \
curl -sL -o /opt/pega/bcfips/bc-fips-2.0.0.jar https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/2.0.0/bc-fips-2.0.0.jar && \
curl -sL -o /tmp/bc-fips-2.0.0.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/2.0.0/bc-fips-2.0.0.jar.asc && \
curl -sL -o /opt/pega/bcfips/bctls-fips-2.0.19.jar https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/2.0.19/bctls-fips-2.0.19.jar && \
curl -sL -o /tmp/bctls-fips-2.0.19.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/2.0.19/bctls-fips-2.0.19.jar.asc && \
curl -sL -o /opt/pega/bcfips/bcpkix-fips-2.0.7.jar https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-fips/2.0.7/bcpkix-fips-2.0.7.jar && \
curl -sL -o /tmp/bcpkix-fips-2.0.7.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-fips/2.0.7/bcpkix-fips-2.0.7.jar.asc && \
curl -sL -o /opt/pega/bcfips/bcutil-fips-2.0.3.jar https://repo1.maven.org/maven2/org/bouncycastle/bcutil-fips/2.0.3/bcutil-fips-2.0.3.jar && \
curl -sL -o /tmp/bcutil-fips-2.0.3.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bcutil-fips/2.0.3/bcutil-fips-2.0.3.jar.asc && \
gpg --import /keys/bc_maven_public_key.asc && \
gpg --verify /tmp/bc-fips-2.0.0.jar.asc /opt/pega/bcfips/bc-fips-2.0.0.jar && \
rm /tmp/bc-fips-2.0.0.jar.asc && \
gpg --verify /tmp/bctls-fips-2.0.19.jar.asc /opt/pega/bcfips/bctls-fips-2.0.19.jar && \
rm /tmp/bctls-fips-2.0.19.jar.asc && \
gpg --verify /tmp/bcpkix-fips-2.0.7.jar.asc /opt/pega/bcfips/bcpkix-fips-2.0.7.jar && \
rm /tmp/bcpkix-fips-2.0.7.jar.asc && \
gpg --verify /tmp/bcutil-fips-2.0.3.jar.asc /opt/pega/bcfips/bcutil-fips-2.0.3.jar && \
rm /tmp/bcutil-fips-2.0.3.jar.asc && \
apt-get autoremove --purge -y gpg && \
chgrp -R 0 /opt/pega/prometheus && \
chmod -R g+rw /opt/pega/prometheus && \
Expand Down
25 changes: 25 additions & 0 deletions keys/bc_maven_public_key.asc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGR/8HUBDADJ+V5VgTXFG4xVI/1r07a/pTXoAQhHyJMkVdFScGARsps07VXI
IsYgPsifOFU55E7uRMZPTLAx5F1uxoZAWGtXIz0d4ISKhobFquH8jZe7TnsJBJNV
eo3u7G54iSfLifiJ4q17NvaESBNSirPaAPfEni93+gQvdn3zVnDPfO+mhO00l/fE
5GnqHt/Q2z2WKVQt3Vg0R66phe2XaFnycY/d+an73FiXqhuhm4sXlcA++gfSt1H1
K7+ApqJsX9yw79A1FlGTPOeimqZqE75+OyQ9Kz0XTvN/GmHeEygTrNEnMDTr1BWz
P0/ut0UXmktJtJXgLi5wUCncwwi+UpCSwwou7/3r+eBh5aykxSo9OtYe4xPNKWSo
EiPZXpCH5Wjq9TpXOuhnZvRFqbR24mWz5+J/DoaVP3pwEhGXxr5VjVc1f8gJ8A34
YYPlxUGcl8f3kykzvl4X5HDIbHb9MAl+9qtwQo1tFA9umD2Da/8bSsxrnZdkkzEA
OpJYwT1EkQRZRcUAEQEAAbRmVGhlIExlZ2lvbiBvZiB0aGUgQm91bmN5IENhc3Rs
ZSBJbmMuIChNYXZlbiBSZXBvc2l0b3J5IEFydGlmYWN0IFNpZ25lcikgPGJjbWF2
ZW5zeW5jQGJvdW5jeWNhc3RsZS5vcmc+iQHUBBMBCgA+FiEEexIbdqftbObmCtUX
hOkTqOOnSMAFAmR/8HUCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
CgkQhOkTqOOnSMCTYgv/c9RSHcO056c7G3mH94eTqCMNSzhaiVIMKPgRwro10vpu
hOLdRfwkxe9nsa9tDGiv64sqUZADfnPxNP6mSE4la+fucwn5j1KxIicQt11zRO/e
Ep2vqBZoq60D9p23foDi4/XGuKtnwYQxyaLrvkFaAUpKYzCr7aU1ftqFfE+lKyYB
poQtib1PNqltKs/dX0IHACOeYbZ+j4YZnd6Qsl1XhDtVAYzIW60A3nDwDjOWTNaQ
2W0qX4xrG5XetqnhQj+nwGtkJFXJj7FF1QkIcWiwkAQZTxZk3F0hxlNrZY2rq9BE
nbmwMMCk8S/nn9gBeGriom2StkZC+1Bv/w7BS5fWUW9YzJ5803RVkOd+8Taeu2yn
XUvPNfvijmRO1doTXl7uE5fXAxFmG0+09W5sLVf0KBtdrQ1jzFUZas5iPQiXDNTF
aD3d7kQH7divX3PoZIbq1aaiI2yVI8k5MCYjQPQJbDiBGZumxgkm8J5ooOYVkR9F
dETovzOLJ8QqCzo41kBp
=gIeQ
-----END PGP PUBLIC KEY BLOCK-----
6 changes: 5 additions & 1 deletion scripts/docker-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ final_config_root=$config_root

if [ "$IS_PEGA_CONFIG_COMPRESSED" == true ]; then
final_config_root=$decompressed_root
file_list=("prlog4j2.xml" "prconfig.xml" "context.xml" "server.xml" "web.xml" "tomcat-users.xml" "catalina.properties" "prbootstrap.properties" "java.security.overwrite" "tomcat-web.xml" "server.xml.tmpl" "context.xml.tmpl")
file_list=("prlog4j2.xml" "prconfig.xml" "context.xml" "server.xml" "web.xml" "tomcat-users.xml" "catalina.properties" "prbootstrap.properties" "java.security.overwrite" "tomcat-web.xml" "server.xml.tmpl" "context.xml.tmpl" "java.security.overwrite.tmpl")
# decompressing the files if exists
for filename in "${file_list[@]}"; do
if [ -e "${config_root}/${filename}" ]; then
Expand Down Expand Up @@ -342,6 +342,10 @@ fi
if [ -e "${java_security_overwrite}" ]; then
echo "Loading java.security.overwrite from ${java_security_overwrite}...";
cp "${java_security_overwrite}" "${CATALINA_HOME}/conf/"
elif [ -e "${final_config_root}/java.security.overwrite.tmpl" ]; then
echo "No java.security.overwrite was specified in ${java_security_overwrite}. Generating from templates"
cp ${final_config_root}/java.security.overwrite.tmpl "${CATALINA_HOME}"/conf/java.security.overwrite.tmpl
/bin/detemplatize -template "${CATALINA_HOME}"/conf/java.security.overwrite.tmpl:"${CATALINA_HOME}"/conf/java.security.overwrite
else
echo "No java.security.overwrite was specified in ${java_security_overwrite}. Using defaults."
fi
Expand Down
6 changes: 6 additions & 0 deletions tomcat-bin/setenv.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,12 @@ else
echo "No krb5.conf was specified in ${krb5_conf}."
fi

if [ "${FIPS_140_3_MODE}" == "true" ]; then
JAVA_OPTS="${JAVA_OPTS} -Dorg.bouncycastle.fips.approved_only=true"
export CLASSPATH="/opt/pega/bcfips/*"
HIGHLY_SECURE_CRYPTO_MODE_ENABLED=true
fi

if [ "${HIGHLY_SECURE_CRYPTO_MODE_ENABLED}" == "true" ]; then
JAVA_OPTS="${JAVA_OPTS} -DHighSecureCryptoModeEnabled=true "
fi
Expand Down
Loading