FIPS Mode in Apache Tomcat


This is a general question about FIPS mode in Apache Tomcat.

We are expected to adhere to the Apache Tomcat STIG (https://www.stigviewer.com/stig/apache_tomcat_application_sever_9/2020-12-11/finding/V-222968), but given our setup, I want to know if it even buys us anything. Our setup: HTTPS traffic flows from an external load balancer (managed by another team) where it validates / authenticates a user via PKI. The traffic is then forwarded on to our server over plain old HTTP 8080 where it hits Apache HTTPD. Only the load balancer is allowed to connect to our server on this port. From there, HTTPD proxies / reverse proxies the traffic over AJP (I forget the exact port number) to Tomcat. Only localhost connections are allowed to connect over the AJP port. Thus, since no cryptography (I don't think) is handled on our side, what would enabling FIPS mode in Tomcat actually get us? Please let me know if I'm missing something.

In case it matters:

  • Apache Tomcat 8.0.45, but we're upgrading to 9.x
  • Apache HTTPD 2.4.42
  • Java 1.8
  • OpenSSL is 1.x and is FIPS capable (at least it says FIPS in the version)
  • Red Hat 7 (FIPS mode is enabled as far as I can tell)
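A check that follows from the setup described above, added here as an example and not part of the original post: a small audit of a Tomcat `server.xml` that reports whether any AJP connector is bound to loopback only, whether any connector has Tomcat itself terminating TLS (`SSLEnabled="true"`), and what the `FIPSMode` attribute on Tomcat's `AprLifecycleListener` (the OpenSSL-backed APR/native listener) is set to. Both XML documents are constructed samples, not the poster's configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: AJP on loopback, FIPS requested, no TLS connector in Tomcat.
HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on" />
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: AJP bound to every interface, FIPSMode left at its default,
# plus an HTTPS connector where Tomcat itself would be doing the TLS work.
EXPOSED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_server_xml(xml_text):
    """Summarise AJP exposure, TLS-terminating connectors and the APR FIPSMode setting."""
    root = ET.fromstring(xml_text)
    result = {"fips_mode": "off", "ajp": [], "tls_connectors": []}
    for listener in root.iter("Listener"):
        if listener.get("className", "").endswith("AprLifecycleListener"):
            # FIPSMode is an attribute of the APR listener; absent means "off".
            result["fips_mode"] = listener.get("FIPSMode", "off")
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if conn.get("SSLEnabled", "false").lower() == "true":
            result["tls_connectors"].append(port)  # Tomcat terminates TLS on this port
        if conn.get("protocol", "").upper().startswith("AJP"):
            addr = conn.get("address")  # no address attribute means all interfaces
            result["ajp"].append({"port": port, "loopback_only": addr in LOOPBACK})
    return result

if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED_XML), ("exposed", EXPOSED_XML)):
        print(label, audit_server_xml(xml_text))
```

If the audit shows no TLS connector and AJP on loopback, the only crypto `FIPSMode` can influence is OpenSSL inside the Tomcat process; it says nothing about the load balancer or HTTPD hop.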