Fortitude

From 389 Directory Server

Introduction

Fortitude is an umbrella term for web-based cryptographic security products built on the Network Security Services (NSS) libraries. These products, delivered as plug-ins for Apache and Tomcat, let an operator replace an OpenSSL-based SSL/TLS stack with NSS.

Fortitude is designed to make migration from an existing secure web service easy and provides the following features:

  • Federal Information Processing Standards (FIPS) 140-2 validated cryptography
  • SSLv3 and TLSv1 (SSLv3 is obsolete and should be disabled in any current deployment)
  • RSA support
  • client certificate authentication
  • hardware accelerators (loaded as PKCS #11 modules)
  • Certificate Revocation Lists (CRLs)
  • Online Certificate Status Protocol (OCSP), with two ways to locate the responder:
    • use the responder URL encoded into each certificate, OR
    • send the queries to a configured default OCSP responder instead

It is currently used in the Fedora Directory Server and in the Red Hat Certificate System.

Standards-based

Fortitude includes support for a wide range of standards including:

  • Secure Sockets Layer (SSL) 3.0
  • Transport Layer Security (TLS) 1.0
  • Public Key Cryptography Standard (PKCS) #11
  • Federal Information Processing Standards (FIPS) 140-2

Components

Fortitude consists of several components.

  • mod_nss provides SSL/TLS for the Apache web server.
  • mod_revocator enables automatic retrieval and installation of Certificate Revocation Lists (CRLs) into a running Apache web server.
  • A Java Secure Socket Extension (JSSE) compliant plug-in based on NSS is being developed for Tomcat.

Configuration

Fortitude is also a standalone web server (installed in /opt/fortitude) built on Apache and Tomcat and pre-configured to use mod_nss and mod_revocator. It also includes a set of Perl scripts to help migrate from the Netscape Enterprise Server to Apache.
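The features listed above are exposed through mod_nss directives in its nss.conf. The following shell script is an added example, not code from this page or from the mod_nss project: it audits an nss.conf-style file for the protocol, OCSP and client-certificate settings and shows a weak configuration beside a hardened one. The directive names are mod_nss's own; the certificate database path, the nicknames, the responder URL and the exact NSSProtocol value (which depends on the mod_nss version) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not code from the Fortitude page or the mod_nss project.
# Audits a mod_nss configuration (nss.conf) for the settings behind the
# feature list: protocol versions, OCSP (URL embedded in the certificate vs.
# a configured default responder) and client certificate authentication.
# Directive names are mod_nss's; the database path, certificate nicknames and
# responder URL in the samples below are made up for illustration.

# audit_nss_conf: reads nss.conf-style directives on stdin, prints one
# finding per line and returns the number of findings (0 = nothing to fix).
audit_nss_conf() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        /^[ \t]*$/ { next }                # skip blank lines
        tolower($1) == "nssprotocol"             { proto   = $2 }
        tolower($1) == "nssocsp"                 { ocsp    = tolower($2) }
        tolower($1) == "nssocspdefaultresponder" { defresp = tolower($2) }
        tolower($1) == "nssocspdefaulturl"       { defurl  = $2 }
        tolower($1) == "nssocspdefaultname"      { defname = $2 }
        tolower($1) == "nssverifyclient"         { verify  = tolower($2) }
        END {
            n = 0
            if (proto == "") {
                print "weak: NSSProtocol not set; pin the versions explicitly instead of relying on the build default"
                n++
            } else if (toupper(proto) ~ /SSLV3/) {
                print "weak: NSSProtocol " proto " still allows SSLv3"
                n++
            }
            if (ocsp != "on") {
                print "weak: NSSOCSP is not on, so revocation status is never checked"
                n++
            } else if (defresp == "on" && (defurl == "" || defname == "")) {
                print "broken: NSSOCSPDefaultResponder on requires both NSSOCSPDefaultURL and NSSOCSPDefaultName"
                n++
            }
            if (verify == "" || verify == "none")
                print "note: NSSVerifyClient none; client certificates are not requested (not counted)"
            exit n
        }'
}

# Constructed sample: the kind of nss.conf that shipped when this page was written.
WEAK_CONF='
NSSEngine on
NSSProtocol SSLv3,TLSv1
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
NSSOCSP off
NSSVerifyClient none
'

# Constructed sample: SSLv3 dropped, revocation checked, client certs required.
# The NSSProtocol value syntax accepted depends on the mod_nss version.
HARDENED_CONF='
NSSEngine on
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSCertificateDatabase /etc/httpd/alias
NSSNickname Server-Cert
NSSOCSP on
# Send every OCSP query to one fixed responder instead of the URL in each
# certificate; drop the next three lines to use the certificate URLs instead.
NSSOCSPDefaultResponder on
NSSOCSPDefaultURL http://ocsp.example.test/
NSSOCSPDefaultName OCSP-Signer
NSSVerifyClient require
'

for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    echo "== $name =="
    n=0
    printf '%s\n' "$conf" | audit_nss_conf || n=$?
    echo "findings: $n"
done
```

Run it against a real file with `audit_nss_conf < /etc/httpd/conf.d/nss.conf` (path assumed); a non-zero return value is the number of settings to fix, which makes it easy to wire into a pre-deployment check.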

Requirements

Fortitude requires the NSS, NSPR and Mozilla LDAP SDK packages (the LDAP SDK is only needed by mod_revocator). This is a problem on operating systems that ship the Mozilla browser's copies of these libraries in /usr/lib, because those copies tend to be older than mod_nss needs. The short-term solution is to install separate, server-only copies of the libraries; their assumed location is /usr/lib[64]/dirsec (for Directory & Security). Because the packages expect that layout, blindly rebuilding these SRPMs on a system without it produces a package that cannot be installed.
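A quick way to confirm that an installed module really links against the server-only copies rather than the older browser libraries is to inspect its ldd output. The script below is an added example, not code from this page or from the 389/mod_nss projects; the module path is an assumed Fedora layout, the library directory assumes a 64-bit system, the LDAP SDK library names are assumed from the 6.0 SDK packaging, and the sample ldd output is constructed.

```shell
#!/bin/sh
# Added example; not code from the Fortitude page or the 389/mod_nss projects.
# Checks that a module's NSS, NSPR and Mozilla LDAP SDK dependencies resolve
# to the server-only copies under the dirsec directory rather than the older
# browser copies in /usr/lib[64]. The module path below is an assumed Fedora
# layout and the sample ldd output is constructed for illustration.

DIRSEC_DIR="${DIRSEC_DIR:-/usr/lib64/dirsec}"                # assumed 64-bit layout
MODULE="${MODULE:-/usr/lib64/httpd/modules/libmodnss.so}"   # assumed mod_nss location

# Libraries that come from NSS/NSPR (mod_nss) and the LDAP SDK (mod_revocator);
# the LDAP SDK names are assumed from the 6.0 SDK packaging.
DIRSEC_LIBS='^(libnss3|libnssutil3|libssl3|libsmime3|libsoftokn3|libnspr4|libplc4|libplds4|libldap60|libprldap60|libssldap60)[.]so'

# check_dirsec_links: reads ldd(1) output on stdin, prints one line per
# matching library, and returns how many do not resolve under $DIRSEC_DIR
# ("not found" counts as unresolved). 0 means every copy is the server one.
check_dirsec_links() {
    awk -v dir="$DIRSEC_DIR/" -v pat="$DIRSEC_LIBS" '
        $2 == "=>" && $1 ~ pat {
            if (index($3, dir) == 1) {
                print "ok     " $1 " -> " $3
            } else {
                where = ($3 == "not") ? "not found" : $3
                print "WRONG  " $1 " -> " where
                bad++
            }
        }
        END { exit bad + 0 }'
}

# Constructed sample ldd output: one library from dirsec, one from the older
# browser copy in /usr/lib64, one LDAP SDK library missing entirely.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd)
	libnss3.so => /usr/lib64/dirsec/libnss3.so (0x00007f)
	libnspr4.so => /usr/lib64/libnspr4.so (0x00007f)
	libldap60.so => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f)'

n=0
if [ -r "$MODULE" ]; then
    ldd "$MODULE" | check_dirsec_links || n=$?
else
    echo "$MODULE not present; checking constructed sample ldd output instead"
    printf '%s\n' "$SAMPLE_LDD" | check_dirsec_links || n=$?
fi
echo "libraries not resolved from $DIRSEC_DIR: $n"
```

Override MODULE to point at libmodrev.so or at the Apache binary itself to run the same check on mod_revocator; a non-zero result means the loader is picking up the browser copies (or nothing at all), which is exactly the mismatch the dirsec layout exists to avoid.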

Packages

The source package below contains only the standalone Fortitude server, that is, its configuration files and migration scripts.

fortitude-web-1.0-27.src.rpm