fix(docker): relocate libtcnative-1 to /srv/native-libs for correct FIPS removal

dotCMS/src/main/docker/original/Dockerfile

@@ -92,6 +92,19 @@ COPY --from=container-base /java /java
 COPY --from=container-base /srv /srv
 COPY --from=container-base /data /data
 
+# Move libtcnative-1 to /srv/native-libs (owned by dotcms user) and leave symlinks
+# in /usr/lib. This lets the FIPS detection script remove the library at runtime
+# without root access — making the symlinks dangling so dlopen() fails to load it.
+RUN set -e; \
+    ARCH=$(uname -m); \
+    mkdir -p /srv/native-libs; \
+    for f in /usr/lib/${ARCH}-linux-gnu/libtcnative-1.so.0*; do \
+        [ -e "$f" ] || continue; \
+        mv "$f" /srv/native-libs/; \
+        ln -sf "/srv/native-libs/$(basename "$f")" "$f"; \
+    done; \
+    chown -R dotcms:dotcms /srv/native-libs
+
 USER $USER_UID:$USER_GID
 ENV JAVA_HOME="/java"
 ENV PATH=$PATH:/java/bin

dotCMS/src/main/docker/original/ROOT/srv/15-detect-fips-and-set-ssl-engine.sh

@@ -2,17 +2,27 @@
 
 # FIPS Mode Detection and APR SSL Engine Configuration
 # =====================================================
-# This script automatically detects FIPS-enabled environments and disables the
-# Tomcat Native APR SSL Engine to prevent JVM crashes with OpenSSL 3.x.
+# This script automatically detects FIPS-enabled environments and prevents
+# libtcnative-1 from loading to avoid JVM crashes with OpenSSL 3.x in FIPS mode.
 #
-# The Tomcat Native APR library (libtcnative-1) version 1.2.35 is incompatible
-# with OpenSSL 3.x when running in FIPS mode, causing segmentation faults.
+# Root cause: libtcnative-1 links against libcrypto.so.3. On a FIPS-enabled kernel,
+# OpenSSL 3.x requires the FIPS provider (fips.so) to be present before allowing
+# any crypto operation. Ubuntu 24.04 does not ship fips.so, so the first OpenSSL
+# crypto call (e.g. EVP_MD_get0_provider for random number generation) segfaults.
+# This happens regardless of SSLEngine or AprLifecycleListener configuration because
+# setenv.sh sets java.library.path to /usr/lib/<arch>-linux-gnu/ and Tomcat auto-
+# detects and loads libtcnative-1 from there even without an AprLifecycleListener.
+#
+# Fix: The Dockerfile moves libtcnative-1.so.0* to /srv/native-libs/ (owned by the
+# dotcms user) and leaves symlinks in /usr/lib. When FIPS is detected, this script
+# removes the files in /srv/native-libs/, making the symlinks dangling. dlopen() then
+# fails to load the library regardless of java.library.path or server.xml config.
 #
 # Configuration Options:
 # ----------------------
 # 1. Automatic FIPS Detection (default behavior):
 #    - The script checks /proc/sys/crypto/fips_enabled
-#    - If FIPS is enabled, CMS_SSL_ENGINE is automatically set to 'off'
+#    - If FIPS is enabled, libtcnative-1 is removed and CMS_SSL_ENGINE is set to 'off'
 #
 # 2. Manual Override with CMS_DISABLE_APR_SSL:
 #    - Set CMS_DISABLE_APR_SSL=true to disable APR SSL Engine
@@ -53,6 +63,16 @@ elif [[ "${FIPS_ENABLED}" == "true" ]]; then
     echo "[FIPS Detection] Automatically disabling APR SSL Engine due to FIPS mode"
     echo "[FIPS Detection] This prevents JVM crashes with OpenSSL 3.x in FIPS environments"
     echo "[FIPS Detection] Tomcat will use Java JSSE for SSL/TLS instead"
+    # Remove libtcnative-1 from /srv/native-libs (writable by dotcms user).
+    # The Dockerfile placed the library there and left symlinks in /usr/lib.
+    # Removing the target makes the symlinks dangling so dlopen() cannot load
+    # the library regardless of java.library.path or server.xml configuration.
+    if rm -f /srv/native-libs/libtcnative-1.so.0* && \
+       ! ls /srv/native-libs/libtcnative-1.so.0* >/dev/null 2>&1; then
+        echo "[FIPS Detection] libtcnative-1 removed from /srv/native-libs — library cannot be loaded"
+    else
+        echo "[FIPS Detection] WARNING: Failed to remove libtcnative-1 from /srv/native-libs — JVM may still crash"
+    fi
     export CMS_SSL_ENGINE="off"
 else
     # Default: Keep APR SSL Engine enabled for performance benefits