Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Enhance HTTP Endpoint Security with TLS and FIPS-140-2 Compliant Cryptography

Description

To adhere to the Library of Congress (LoC) standards regarding the strong encryption of data in transit, it is essential that all exposed HTTP endpoints in our Java module utilizing the Vert.x toolkit are secured using TLS and FIPS-140-2 compliant cryptographic modules.

Requirements:

  1. TLS Support:

    • The edge module must support enabling and disabling SSL/TLS for served HTTP endpoints.

    • Include detailed logging for SSL/TLS activations or deactivations to aid in troubleshooting and auditing.

  2. FIPS 140-2 Compliance:

    • Implement functionality to enable or disable the usage of FIPS 140-2 compliant cryptographic modules. Use Bouncy Castle's Java FIPS library as the cryptographic provider (refer to Bouncy Castle FIPS Java).

    • Ensure that the module can be configured to run in either a strict FIPS mode or in a non-FIPS mode for development and testing purposes.

  3. Keystore Configuration:

    • The module should provide configuration parameters to specify:

      • The location of the keystore file (keystorePath).

      • The keystore password (keystorePassword).

      • The specific key alias to use within the keystore (keyAlias).

    • Ensure all sensitive configuration inputs (like passwords) are handled securely, preferably using environment variables or secure vault solutions.

  4. Documentation and Samples:

    • Provide detailed documentation on how to configure and use these security features.

    • Include example configurations and code snippets in the module's README or an accompanying documentation page.

  5. Testing:

    • Implement comprehensive unit and integration tests to verify TLS functionality and the use of FIPS-compliant cryptographic modules.

    • Tests should cover both positive scenarios (correct configuration) and negative scenarios (incorrect configurations, missing keystore, etc.).

  6. Performance Considerations:

    • Evaluate the impact of enabling FIPS-compliant cryptography on the performance of HTTP endpoint communications.

    • Document any observed performance overheads and provide tuning guidelines if necessary.

Acceptance Criteria:

  • All exposed HTTP endpoints must be capable of operating with SSL/TLS encryption.

  • The module must be configurable to use FIPS 140-2 compliant cryptographic modules and fall back to non-FIPS mode as required.

  • Configuration changes and the operational state (enabled/disabled) of these features must be logged.

  • The solution must pass all specified tests and should not introduce significant performance degradation.

  • Documentation must be complete and user-friendly, enabling easy setup and configuration by end-users.

Environment

None

Potential Workaround

None

CSP Request Details

None

CSP Rejection Details

None

Checklist

hide

Activity

Show:

Serhii_Nosko December 30, 2024 at 3:03 PM

It looks good, closing this ticket.

Denis May 31, 2024 at 2:26 PM

Hello , could you please check/close the ticket?

Serhii_Nosko May 28, 2024 at 1:16 PM

Implemented and merged in scope of this PR:

Closing this ticket

CC:

Done

Details

Assignee

Reporter

Labels

Priority

Story Points

Sprint

Development Team

Thunderjet

Fix versions

Release

Quesnelia (R1 2024) Bug Fix

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created May 6, 2024 at 12:12 PM
Updated December 30, 2024 at 3:03 PM
Resolved May 28, 2024 at 1:16 PM
TestRail: Cases
TestRail: Runs