Enabling and Disabling FIPS Mode for the Commvault Tomcat Service

You can enable and disable FIPS (Federal Information Processing Standards) mode for the Commvault Tomcat service.

Enabling FIPS Mode

FIPS mode can be enabled on clients running the Commvault Tomcat Service, which is used to host Command Center and other Commvault web applications.

Prerequisites

  • Tomcat must be configured to use a valid certificate issued by a CA that your clients trust. FIPS mode only governs the cryptographic providers and algorithms used for TLS; if clients cannot validate the server certificate (for example, a self-signed, expired, or wrong-hostname certificate), they cannot authenticate the server, which effectively negates the security advantages offered by FIPS mode.

  • Tomcat's keystore must be in PKCS12 format. FIPS mode is not compatible with JKS keystores.

Procedure

  1. Stop the Commvault Tomcat service.

  2. Run one of the following commands using a prompt/shell with administrative privileges:

    1. Windows: ContentStore\Base\cvConfigureTomcat.cmd enableFipsMode

    2. Linux: ContentStore/Base/cvConfigureTomcat.sh enableFipsMode

  3. Start the Commvault Tomcat service.

Confirming That FIPS Mode Is Successfully Enabled

To confirm that the Tomcat configuration has been updated, open Tomcat's ContentStore/Apache/server.xml configuration file and make sure it contains an XML block similar to the code shown below (the XML element may contain additional attributes used to back up the previous configuration):

<Listener className="commvault.tomcatfips.CvFipsProviderLifecycleListener" FIPSMode="on"/>

To confirm that Tomcat has successfully started up in FIPS mode, open the Tomcat_0.log file and make sure the following line is logged:

commvault.tomcatfips.CvFipsProviderLifecycleListener initialize: FIPS mode is enabled

Disabling FIPS Mode

You can disable FIPS mode and return the Commvault Tomcat service to the TLS configuration it used before FIPS mode was enabled.

Procedure

  1. Stop the Commvault Tomcat service.

  2. Run one of the following commands using a prompt/shell with administrative privileges:

    1. Windows: ContentStore\Base\cvConfigureTomcat.cmd disableFipsMode

    2. Linux: ContentStore/Base/cvConfigureTomcat.sh disableFipsMode

  3. Start the Commvault Tomcat service.

Note

When disabling FIPS mode, the configuration utility restores the TLS protocols and cipher suites that were in use before FIPS mode was enabled. Over time, those values can become obsolete (protocols or cipher suites that have since been deprecated), so review and update them as required by your organization's security policies. For more information, see Configuring the SSL Certificate for Tomcat Server.

Confirming That FIPS Mode Is Successfully Disabled

To confirm that Tomcat's configuration has been updated, open Tomcat's ContentStore/Apache/server.xml configuration file and make sure the CvFipsProviderLifecycleListener block (as described in "Enabling FIPS Mode", above) is no longer present.

To confirm that Tomcat is no longer in FIPS mode once it has started up, open the Tomcat_0.log file and confirm that it no longer reports that FIPS mode is enabled (as described in the "Enabling FIPS Mode" section, above).
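As an added example (not a Commvault tool and not part of this page's procedure), the following POSIX shell script automates the two confirmation checks for both the enabled and the disabled case: it looks for the CvFipsProviderLifecycleListener element with FIPSMode="on" in server.xml and for the "FIPS mode is enabled" initialize line in Tomcat_0.log, then reports one combined verdict. The file paths are passed in as arguments because the page gives the location of server.xml but not the directory that holds Tomcat_0.log; the sample files it writes to a temporary directory are constructed for the demonstration and are not real Commvault output.

```shell
#!/bin/sh
# Verify that the Commvault Tomcat service is configured for, and started in, FIPS mode.
# Added example; not part of Commvault's tooling. Paths are parameters (assumption: the
# caller knows where server.xml and Tomcat_0.log live on the installation being checked).

# Returns 0 when server.xml contains a <Listener> element that names
# CvFipsProviderLifecycleListener and carries FIPSMode="on".
# The file is flattened to one line first so the check works whether the element is on
# a single line (as on this page) or split across lines, and extra attributes that the
# utility adds to back up the previous configuration do not affect the result.
fips_listener_configured() {
    xml="$1"
    [ -r "$xml" ] || return 2
    tr '\n' ' ' < "$xml" \
        | grep -o '<Listener[^>]*>' \
        | grep 'CvFipsProviderLifecycleListener' \
        | grep -q 'FIPSMode="on"'
}

# Returns 0 when Tomcat_0.log reports that the listener initialized in FIPS mode.
fips_log_confirms_enabled() {
    log="$1"
    [ -r "$log" ] || return 2
    grep -q 'CvFipsProviderLifecycleListener initialize: FIPS mode is enabled' "$log"
}

# Combined verdict from both checks:
#   enabled                 configured and the running service reports FIPS mode
#   configured-not-started  server.xml updated but no matching startup line (service not restarted yet)
#   disabled                listener absent and no FIPS line in the log
#   stale-log               listener removed but the log still carries an older "enabled" line
fips_state() {
    xml="$1"; log="$2"
    if fips_listener_configured "$xml"; then cfg=1; else cfg=0; fi
    if fips_log_confirms_enabled "$log"; then run=1; else run=0; fi
    case "$cfg$run" in
        11) echo enabled ;;
        10) echo configured-not-started ;;
        00) echo disabled ;;
        01) echo stale-log ;;
    esac
}

# Constructed sample files (not real Commvault output) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="commvault.tomcatfips.CvFipsProviderLifecycleListener" FIPSMode="on"/>
  <Service name="Catalina">
  </Service>
</Server>
EOF
cat > "$SAMPLE_DIR/Tomcat_0.log" <<'EOF'
commvault.tomcatfips.CvFipsProviderLifecycleListener initialize: FIPS mode is enabled
EOF

echo "FIPS state of sample install: $(fips_state "$SAMPLE_DIR/server.xml" "$SAMPLE_DIR/Tomcat_0.log")"
```

On a real installation, call `fips_state` with the actual paths (for example `fips_state /opt/commvault/ContentStore/Apache/server.xml /path/to/Tomcat_0.log`, where the log directory is whatever your installation uses). Expect `enabled` after the enable procedure and `disabled` after the disable procedure. The `stale-log` verdict is the caveat worth knowing: if Tomcat_0.log is appended to across restarts, an "enabled" line from an earlier start can still be present after FIPS mode has been disabled, so restrict the log check to entries written after the most recent start (or rotate the log before starting the service). To see the client-facing effect that the note under Additional Information describes, a handshake probe such as `openssl s_client -connect host:port </dev/null` run from the proxy or load-balancer host shows which protocol and cipher suite that client would negotiate.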

Additional Information

FIPS and FIPS Mode

FIPS (Federal Information Processing Standards) are a set of security-related standards used by United States government agencies and contractors. For more information, see Compliance FAQs: Federal Information Processing Standards (FIPS).

When the Commvault Tomcat service runs in FIPS mode, Tomcat will only use FIPS 140-3 validated security providers when establishing secure connections with clients.

Note

When operating in FIPS mode, Tomcat only accepts connections from clients that support modern, secure TLS protocols and cipher suites. Recent versions of major web browsers such as Chrome, Edge, and Firefox are compatible, but some older clients may not be. Before enabling FIPS mode in production, test any proxies, load balancers, and application gateways that sit in front of Tomcat for compatibility.

Implementation and FIPS Validation Details

Commvault's FIPS mode implementation uses BC-FJA (Bouncy Castle FIPS Java API), which is FIPS 140-3 validated (CMVP Certificate #4743).

BC-FJA is a pure-Java, FIPS-validated cryptographic API, so Commvault's FIPS mode implementation does not depend on any native libraries. OpenSSL and Apache Tomcat Native (tcnative) are not required.
