UI Does Not Work in IE with FIPS Compliant Settings
Last Updated January 16, 2009
Situation: If you install Vontu 8.1 with the FIPS certified encryption and then try to access the Enforce UI with IE, the browser tells you it cannot find the server. If you use Firefox, you get the UI as expected.
Working Theory: Internet Explorer appears to actively REJECT the TCP handshake request from Tomcat for reasons that are not entirely clear at the moment. Note that the configuration changes spelled out in the Install Guide are in effect, so the browser and the client machine's OS are properly configured for SSL and TLS. Tomcat doesn't appear to be using the right level of encryption. Tcpdump on Linux shows the following TCP handshake sequence:
RESET (client) … ad infinitum
Fix: There are three potential resolutions to this issue:
Add the following attribute to the CONNECTOR tag in the \Vontu\Protect\tomcat\conf\server.xml file:
The following is a list of FIPS-approved ciphers:
Adding the cipher field to the CONNECTOR tag limits which ciphers Tomcat will offer to the browser.
For example, the tag initially looks like this immediately after a clean installation:
Once the change has been made, bounce the "Vontu Manager" service. You should then be up and running using Internet Explorer.
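As an added example (not from the original article or the Vontu product), a small Python check that audits the SSL Connector entries in a server.xml for the cipher restriction described above. The allow list, the attribute names (`secure`, `ciphers`) and the embedded server.xml fragment are assumptions for illustration, not the article's own list.

```python
import xml.etree.ElementTree as ET

# Assumed allow list: JSSE cipher-suite names whose algorithms (RSA key
# exchange, AES or 3DES, SHA-1 HMAC) are FIPS 140-2 approved. Illustrative
# set for this check, not the list from the original article.
FIPS_APPROVED_CIPHERS = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Constructed server.xml fragment: the first Connector is how a clean install
# looks (no cipher restriction); the second carries the ciphers attribute.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="false" keystoreFile="conf/.keystore" />
    <Connector port="8444" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
    <Connector port="8080" />
  </Service>
</Server>
"""

def audit_connectors(server_xml: str) -> dict:
    """Return {port: status} for each SSL Connector: "ok" when every listed
    cipher is approved, "unrestricted" when the ciphers attribute is absent
    (JSSE default set), or "non-fips:<names>" for unapproved suites."""
    root = ET.fromstring(server_xml)
    results = {}
    for conn in root.iter("Connector"):
        # Only TLS listeners matter; plain HTTP connectors have no cipher list.
        if conn.get("secure", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            results[port] = "unrestricted"
            continue
        listed = [c.strip() for c in ciphers.split(",") if c.strip()]
        bad = [c for c in listed if c not in FIPS_APPROVED_CIPHERS]
        results[port] = "ok" if not bad else "non-fips:" + ",".join(bad)
    return results

if __name__ == "__main__":
    for port, status in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"Connector {port}: {status}")
```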
RESOLUTIONS 2 AND 3
This issue has also been documented by Microsoft in Article 811834. Microsoft recommends the following two methods to resolve this issue:
Method 1: Enable TLS 1.0 protocol support in Internet Explorer first. If you visit a Web site that is running Internet Information Services 4.0 or higher, configuring Internet Explorer to support TLS 1.0 helps to secure your connection (if the remote Web server that you are trying to use supports this protocol). To configure Internet Explorer to support TLS 1.0, follow these steps:
1. On the Tools menu, click Internet Options.
2. On the Advanced tab, under Security, make sure that the following check boxes are selected:
• Use SSL 2.0
• Use SSL 3.0
• Use TLS 1.0
3. Click Apply, and then click OK.
After you enable TLS 1.0, try to visit the Web site again. If you still cannot use SSL, the remote Web server probably does not support TLS 1.0.
Method 2: If the Web server that you visit does not support TLS 1.0, you must disable the system policy that requires FIPS compliant algorithms. To do this, follow these steps:
1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
2. In Local Security Settings, expand Local Policies, and then click Security Options.
3. Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Disabled.
The change takes effect after the local security policy is re-applied.
Some links to articles used to diagnose and fix this problem are listed below: