Add experimental FIPS support
pega-roska committed Jan 16, 2025
1 parent 13d7f72 commit e312ea3
Showing 3 changed files with 50 additions and 1 deletion.
20 changes: 19 additions & 1 deletion Dockerfile
Expand Up @@ -206,16 +206,34 @@ RUN mkdir -p /opt/pega/kafkadata && \
chmod -R g+rw /opt/pega/kafkadata && \
chown -R pegauser /opt/pega/kafkadata

# Set up dir for prometheus lib
# download necessary jars
RUN apt-get update && \
apt-get install -y gpg && \
rm -rf /var/lib/apt/lists/* && \
mkdir -p /opt/pega/prometheus && \
mkdir -p /opt/pega/bcfips && \
curl -sL -o /opt/pega/prometheus/jmx_prometheus_javaagent.jar https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.18.0/jmx_prometheus_javaagent-0.18.0.jar && \
curl -sL -o /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.18.0/jmx_prometheus_javaagent-0.18.0.jar.asc && \
gpg --import /keys/prometheus.asc && \
gpg --verify /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc /opt/pega/prometheus/jmx_prometheus_javaagent.jar && \
rm /tmp/jmx_prometheus_javaagent-0.18.0.jar.asc && \
curl -sL -o /opt/pega/bcfips/bc-fips-2.0.0.jar https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/2.0.0/bc-fips-2.0.0.jar && \
curl -sL -o /tmp/bc-fips-2.0.0.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/2.0.0/bc-fips-2.0.0.jar.asc && \
curl -sL -o /opt/pega/bcfips/bctls-fips-2.0.19.jar https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/2.0.19/bctls-fips-2.0.19.jar && \
curl -sL -o /tmp/bctls-fips-2.0.19.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/2.0.19/bctls-fips-2.0.19.jar.asc && \
curl -sL -o /opt/pega/bcfips/bcpkix-fips-2.0.7.jar https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-fips/2.0.7/bcpkix-fips-2.0.7.jar && \
curl -sL -o /tmp/bcpkix-fips-2.0.7.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-fips/2.0.7/bcpkix-fips-2.0.7.jar.asc && \
curl -sL -o /opt/pega/bcfips/bcutil-fips-2.0.3.jar https://repo1.maven.org/maven2/org/bouncycastle/bcutil-fips/2.0.3/bcutil-fips-2.0.3.jar && \
curl -sL -o /tmp/bcutil-fips-2.0.3.jar.asc https://repo1.maven.org/maven2/org/bouncycastle/bcutil-fips/2.0.3/bcutil-fips-2.0.3.jar.asc && \
gpg --import /keys/bc_maven_public_key.asc && \
gpg --verify /tmp/bc-fips-2.0.0.jar.asc /opt/pega/bcfips/bc-fips-2.0.0.jar && \
rm /tmp/bc-fips-2.0.0.jar.asc && \
gpg --verify /tmp/bctls-fips-2.0.19.jar.asc /opt/pega/bcfips/bctls-fips-2.0.19.jar && \
rm /tmp/bctls-fips-2.0.19.jar.asc && \
gpg --verify /tmp/bcpkix-fips-2.0.7.jar.asc /opt/pega/bcfips/bcpkix-fips-2.0.7.jar && \
rm /tmp/bcpkix-fips-2.0.7.jar.asc && \
gpg --verify /tmp/bcutil-fips-2.0.3.jar.asc /opt/pega/bcfips/bcutil-fips-2.0.3.jar && \
rm /tmp/bcutil-fips-2.0.3.jar.asc && \
apt-get autoremove --purge -y gpg && \
chgrp -R 0 /opt/pega/prometheus && \
chmod -R g+rw /opt/pega/prometheus && \
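Review bot: The four `gpg --verify` calls added after `gpg --import /keys/bc_maven_public_key.asc` only establish that each detached signature was made by some key in the build keyring, which at that point holds both the Prometheus key imported earlier in the same RUN and the Bouncy Castle key, and the imported key's fingerprint is never compared with an expected value, so the check is only as strong as whichever `/keys/*.asc` file is in the repository. Pin the signer on each of the four verifies, e.g. `gpg --status-fd 1 --verify /tmp/bc-fips-2.0.0.jar.asc /opt/pega/bcfips/bc-fips-2.0.0.jar | grep -q 'VALIDSIG <EXPECTED_BC_KEY_FINGERPRINT>' && \` (placeholder for the published Bouncy Castle signing-key fingerprint), and record that fingerprint in a comment next to the import so the key file can be re-validated when it is rotated. The new downloads use `curl -sL` without `--fail`, so an HTTP error body is written to the jar path with exit status 0; the signature check would still reject it, but `curl -fsSL` surfaces a clear download error instead of a confusing bad-signature failure. This RUN instruction continues past the end of the hunk.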
25 changes: 25 additions & 0 deletions keys/bc_maven_public_key.asc
@@ -0,0 +1,25 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=gIeQ
-----END PGP PUBLIC KEY BLOCK-----
6 changes: 6 additions & 0 deletions tomcat-bin/setenv.sh
Expand Up @@ -41,6 +41,12 @@ else
echo "No krb5.conf was specified in ${krb5_conf}."
fi

if [ "${FIPS_140_3_MODE}" == "true" ]; then
JAVA_OPTS="${JAVA_OPTS} -Dorg.bouncycastle.fips.approved_only=true"
export CLASSPATH="/opt/pega/bcfips/*"
HIGHLY_SECURE_CRYPTO_MODE_ENABLED = true
fi

if [ "${HIGHLY_SECURE_CRYPTO_MODE_ENABLED}" == "true" ]; then
JAVA_OPTS="${JAVA_OPTS} -DHighSecureCryptoModeEnabled=true "
fi
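Review bot: `HIGHLY_SECURE_CRYPTO_MODE_ENABLED = true` inside the new FIPS branch is not an assignment in shell; with the surrounding spaces it is parsed as a command named `HIGHLY_SECURE_CRYPTO_MODE_ENABLED` with arguments `=` and `true`, so it fails with "command not found" and the variable stays unset, meaning the following `if [ "${HIGHLY_SECURE_CRYPTO_MODE_ENABLED}" == "true" ]` block never fires from FIPS mode alone. The line should read `HIGHLY_SECURE_CRYPTO_MODE_ENABLED=true`. Separately, `export CLASSPATH="/opt/pega/bcfips/*"` replaces rather than extends any CLASSPATH the caller already exported; if that is intended, a comment such as `# FIPS mode: the BC-FIPS jars must be the only provider jars on the classpath` would make it explicit, since it is not clear from this hunk whether anything else relies on CLASSPATH.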
