How do I install a FIPS 140-2 compliant web server on Red Hat Enterprise Linux using Apache and NSS's mod_nss?


Some users require their web servers' cryptographic libraries to have been validated against FIPS 140-2, the U.S. government computer security standard for cryptographic modules.

At the time of this writing, the cryptographic libraries in OpenSSL have not yet been FIPS 140-2 validated.

However, in addition to OpenSSL, Red Hat Enterprise Linux 4 and Red Hat Enterprise Linux 5 provide FIPS 140-2 validated cryptography through the Network Security Services (NSS) libraries.  These libraries are certified to Level 1 and Level 2.  The original certification is available from NIST, and ongoing validation compliance is affirmed by Red Hat in accordance with the FIPS 140-2 Implementation Guidance, G.5.

The following instructions show how to install a basic web server with a self-signed certificate that uses NSS's FIPS 140-2 validated cryptographic libraries.

  1. Install the httpd and mod_nss packages and their associated dependencies.
    [www.example.com]# yum install httpd mod_nss
    
  2. Edit /etc/httpd/conf.d/nss.conf to (1) change the Listen and VirtualHost lines to use port 443, the default port for HTTPS traffic, and (2) add an "NSSFIPS on" line before the VirtualHost block to enable FIPS mode, which is disabled by default.  NSSFIPS is a server-wide directive, so it belongs outside the VirtualHost block.  When done, the modified lines should look like the following:

    [www.example.com]# grep -i -e ^Listen -e ^NSSFIPS -e ^\<VirtualHost /etc/httpd/conf.d/nss.conf 
    Listen 443
    NSSFIPS on
    <VirtualHost _default_:443>
    
  3. Make sure that the mod_ssl package is not installed: it also binds port 443 by default, and its OpenSSL back end is not yet FIPS 140-2 validated.

    [www.example.com]# rpm -q mod_ssl
    package mod_ssl is not installed
    

    If mod_ssl is required for other purposes, modify /etc/httpd/conf.d/ssl.conf to use a port other than 443 so that mod_ssl does not conflict with mod_nss.  Simply removing /etc/httpd/conf.d/ssl.conf may work in the near term, but any update to the mod_ssl package would install a new /etc/httpd/conf.d/ssl.conf and reintroduce the port conflict noted above.

  4. Modify firewall rules to persistently allow TCP traffic on port 443.

  5. Set a password on the certificate database.  A non-empty password is required by the FIPS 140-2 security policy.  For our purposes we will use "redhat"; on a production system choose a strong password.  The initial password is blank, so just press Enter when prompted for the old password.  If you wish to clear the password later, enter the current password and then press Enter twice to set the new password to an empty string (note that this takes the database out of compliance with the FIPS security policy).

    [www.example.com]# modutil -dbdir /etc/httpd/alias -changepw "NSS Certificate DB"
    

    WARNING: Performing this operation while the browser is running could cause
    corruption of your security databases. If the browser is currently running,
    you should exit browser before continuing this operation. Type
    'q <enter>' to abort, or <enter> to continue:

    Enter old password:
    Enter new password:
    Re-enter new password:
    Token "NSS Certificate DB" password changed successfully.

  6. Start Apache.  It will prompt you for the certificate database password we just created.  Note that with FIPS mode enabled the token is now named "NSS FIPS 140-2 Certificate DB" rather than "NSS Certificate DB"; this name is needed again when the password is supplied from a file (see below).

    [www.example.com]# service httpd start
    Starting httpd: Please enter password for "NSS FIPS 140-2 Certificate DB" token:
    [  OK  ]
    
  7. Verify that mod_nss is indeed running in FIPS mode.  If FIPS mode is active, /var/log/httpd/nss_error_log will report that non-FIPS ciphers have been disabled.  These entries are logged at [error] level but are expected; their absence would indicate that NSSFIPS did not take effect.

    [www.example.com]# tail /var/log/httpd/nss_error_log
    [Tue Feb 24 11:48:17 2009] [error] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
    [Tue Feb 24 11:48:17 2009] [error] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
    [Tue Feb 24 11:48:17 2009] [error] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
    [Tue Feb 24 11:48:17 2009] [error] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
    
  8. Test your configuration by using a web client on another system to request the Apache default page, then examine the server's /var/log/httpd/nss_access_log to confirm that mod_nss served the request.  The 403 status is the normal response for the stock welcome page when no content has been installed; the point is that the request was logged by mod_nss over HTTPS.

    [client.example.com]# links --dump https://www.example.com > /dev/null
    
    [www.example.com]# tail /var/log/httpd/nss_access_log 
    172.31.254.115 - - [24/Feb/2009:11:52:00 -0500] "GET / HTTP/1.1" 403 3985
    
  9. Configure the server to start Apache at boot time.  Note that an operator will need to be present to enter the certificate database password during system boot in this configuration.

    [www.example.com]# chkconfig httpd on
    
To supply the certificate database password automatically when the httpd service is started, do the following:
  1. Edit /etc/httpd/conf.d/nss.conf to set NSSPassPhraseDialog to point to a file containing the password instead of prompting each time.

    NSSPassPhraseDialog file:/etc/httpd/conf/password.conf
    
  2. Edit /etc/httpd/conf/password.conf to contain the certificate database password.  In the example above, we used "redhat".

    internal:redhat
    NSS FIPS 140-2 Certificate DB:redhat
    
  3. Since the certificate database password is stored in cleartext, restrict the password file so that only its owner can read it.  Do not leave it group- or world-readable, and keep it out of any backup or version-control copy of /etc/httpd that is readable by other users.

    [www.example.com]# chown apache.apache /etc/httpd/conf/password.conf
    [www.example.com]# chmod 600 /etc/httpd/conf/password.conf
    
  4. Restart Apache and note that it starts without prompting for the password.

    [www.example.com]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    
  5. Test your configuration by using a web client on another system to obtain the Apache default page and examine the server's /var/log/httpd/nss_access_log to confirm that mod_nss served the page out.

    [client.example.com]# links --dump https://www.example.com > /dev/null
    
    [www.example.com]# tail /var/log/httpd/nss_access_log 
    172.31.254.115 - - [24/Feb/2009:11:52:00 -0500] "GET / HTTP/1.1" 403 3985
    172.31.254.115 - - [24/Feb/2009:12:01:27 -0500] "GET / HTTP/1.1" 403 3985
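
The following script is an added example, not part of the Red Hat article or of mod_nss itself.  It turns the manual checks from both procedures above into a single post-install check: it verifies the nss.conf directives (Listen 443, NSSFIPS on placed before the VirtualHost block), looks in nss_error_log for the "not a FIPS cipher, disabling" evidence that FIPS mode took effect, and checks that the cleartext password file is mode 600 and names the "NSS FIPS 140-2 Certificate DB" token.  File paths are passed as arguments; the sample nss.conf, log and password file built at the bottom are constructed to mirror the article, not taken from a real server.

```sh
#!/bin/sh
# Added example, not from the Red Hat article or from mod_nss: a post-install
# check for the FIPS web server configured above.  Each function takes a file
# path, prints OK or FAIL lines, and returns 0 on success so it can be used
# from other scripts or a cron job.

# check_nss_conf CONF: needs 'Listen 443', a VirtualHost on :443, and
# 'NSSFIPS on' placed before (outside) that VirtualHost block.
check_nss_conf() {
    conf=$1
    rc=0
    grep -qi '^Listen[[:space:]]\{1,\}443[[:space:]]*$' "$conf" \
        || { echo "FAIL $conf: no 'Listen 443'"; rc=1; }
    # line numbers of the first NSSFIPS and first :443 VirtualHost directives
    fips=$(grep -in '^NSSFIPS[[:space:]]\{1,\}on' "$conf" | head -n 1 | cut -d: -f1)
    vhost=$(grep -in '^<VirtualHost[[:space:]].*:443>' "$conf" | head -n 1 | cut -d: -f1)
    [ -n "$vhost" ] || { echo "FAIL $conf: no VirtualHost on port 443"; rc=1; }
    if [ -z "$fips" ]; then
        echo "FAIL $conf: 'NSSFIPS on' missing (FIPS mode is off by default)"; rc=1
    elif [ -n "$vhost" ] && [ "$fips" -gt "$vhost" ]; then
        echo "FAIL $conf: 'NSSFIPS on' must come before the VirtualHost block"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $conf: Listen 443, NSSFIPS on, VirtualHost :443"
    return $rc
}

# check_fips_log LOG: in FIPS mode mod_nss logs every non-FIPS cipher it
# disables (at [error] level, although these entries are expected).
check_fips_log() {
    log=$1
    [ -f "$log" ] || { echo "FAIL $log: missing"; return 1; }
    n=$(grep -c 'is not a FIPS cipher, disabling' "$log" || true)
    if [ "$n" -gt 0 ]; then
        echo "OK   $log: $n non-FIPS cipher entries disabled, FIPS mode active"
        return 0
    fi
    echo "FAIL $log: no 'not a FIPS cipher' entries; is NSSFIPS on?"
    return 1
}

# check_password_file PWFILE: the token password is stored in cleartext, so
# the file must not be group- or world-readable and must name the FIPS token.
check_password_file() {
    pwfile=$1
    rc=0
    [ -f "$pwfile" ] || { echo "FAIL $pwfile: missing"; return 1; }
    # columns 5-10 of 'ls -l' output are the group and other permission bits
    bits=$(ls -ld "$pwfile" | cut -c5-10)
    [ "$bits" = "------" ] \
        || { echo "FAIL $pwfile: group/other bits '$bits' set, expected mode 600"; rc=1; }
    grep -q '^NSS FIPS 140-2 Certificate DB:' "$pwfile" \
        || { echo "FAIL $pwfile: no entry for the 'NSS FIPS 140-2 Certificate DB' token"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $pwfile: mode 600, FIPS token entry present"
    return $rc
}

# Constructed sample files (not real server output), mirroring the article.
demo=$(mktemp -d)
cat > "$demo/nss.conf" <<'EOF'
Listen 443
NSSFIPS on
NSSPassPhraseDialog file:/etc/httpd/conf/password.conf
<VirtualHost _default_:443>
</VirtualHost>
EOF
cat > "$demo/nss_error_log" <<'EOF'
[Tue Feb 24 11:48:17 2009] [error] Cipher rsa_rc4_128_md5 is enabled but this is not a FIPS cipher, disabling.
[Tue Feb 24 11:48:17 2009] [error] Cipher rsa_rc4_128_sha is enabled but this is not a FIPS cipher, disabling.
EOF
printf 'internal:redhat\nNSS FIPS 140-2 Certificate DB:redhat\n' > "$demo/password.conf"
chmod 600 "$demo/password.conf"

check_nss_conf "$demo/nss.conf"
check_fips_log "$demo/nss_error_log"
check_password_file "$demo/password.conf"
rm -rf "$demo"
```

On a real server, run the three functions against /etc/httpd/conf.d/nss.conf, /var/log/httpd/nss_error_log and /etc/httpd/conf/password.conf after each httpd restart; a FAIL from check_fips_log after a clean start is the quickest sign that a package update or a stray ssl.conf has put the server back on non-FIPS crypto.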
    
For more information about NSS, mod_nss, and certificate management with NSS, the following links are useful:

http://www.mozilla.org/projects/security/pki/nss

http://directory.fedoraproject.org/wiki/Mod_nss

http://www.mozilla.org/projects/security/pki/nss/tools
