如何运行完全符合FIPS的Spring Boot应用程序

前言#1:这里可以找到一些一般性的（但不完整的）说明。

前言#2:以下要求具有FIPS 140-2认证模块的OpenSSL。在Ubuntu上，这些仅适用于Ubuntu16.04上的“Ubuntu Advantage高级客户”！看这里和这里。

• $sudo apt install libapr1 libapr1-dev（这里可能是sudo apt install libapr1-dev libssl-dev，请参见此处）
• 从此处下载tomcat-native-1.2.23-src，解压缩，转到tomcat-native-1.2.23-src/native/
• $。/configure--with-apr=/usr/bin/apr-1-config--with-java-home=/path/to/java-home/--with-ssl=yes
• $make
• 将-djava.library.path=/path/to/tomcat-native-1.2.23-src/native/.libs添加到jvm args
• 将以下内容添加到项目中

import org.apache.catalina.core.AprLifecycleListener;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.Ssl;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AprConfig {

  @Bean
  public ServletWebServerFactory servletContainer() {
    TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
      @Override
      public Ssl getSsl() {
        // avoid "IllegalStateException: To use SSL, the connector's protocol handler must be an AbstractHttp11JsseProtocol subclass":
        return null;
      }
    };

    // enable APR:
    factory.setProtocol("org.apache.coyote.http11.Http11AprProtocol");

    AprLifecycleListener aprLifecycleListener = new AprLifecycleListener();

    // will throw "FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS." with default OpenSSL:
    aprLifecycleListener.setFIPSMode("on");

    factory.addContextLifecycleListeners(aprLifecycleListener);
    return factory;
  }
}

运行完全符合FIPS的Spring Boot应用程序需要

• 某些配置（见上文）
• 具有支持Java版本的FIPS兼容库的操作系统