FDA (21 CFR Part 11) Validation

Preface

This page discusses using Tomcat in an FDA (http://www.fda.gov/) validated (http://www.fda.gov/cdrh/comp/guidance/938.html) environment, i.e. one where 21 CFR Part 11 (http://www.21cfrpart11.com/) regulations apply.

Please note that although this page mentions specific companies, we do not explicitly endorse or sell anyone's services. Tomcat and Apache are not-for-profit organizations. This page is also far from a complete listing of vendors and support options. It is meant as a demonstration showing that these options do exist and that running Tomcat in a validated environment is both feasible and reasonable.

Questions

  1. Can Tomcat be used in a validated environment?
  2. Has anyone actually done it?
  3. Is Tomcat itself validated?
  4. What kind of support is there around validating Tomcat?
  5. How do I know I have a validated release? How do I know no one has tampered with the release package?
  6. What about security? I'm concerned about attacks.

Answers


Can Tomcat be used in a validated environment?

Yes. There's nothing in Tomcat's design or implementation that prevents it from being used in a validated environment. The same validation procedures and guidelines that apply to most software packages apply to Tomcat as well. Being an open-source application does not preclude Tomcat validation. In fact, it helps in at least one key aspect: the source code itself can be audited, as can the commit and change logs for the software.

Has anyone actually done it?

Yes. As shown in this user mailing list archive (http://marc.theaimsgroup.com/?l=tomcat-user&m=109836874319797&w=2), Merck and other large companies are using Tomcat in a validated environment. In addition, there is at least one application provider (Interchange Digital, http://www.interchangedigital.com/) whose application runs on Tomcat and that has deployed said package in numerous pharma data centers.

Is Tomcat itself validated?

Yes. Tomcat itself is validated to the extent it can be. Tomcat implements two Java Specifications: the Servlet Specification (http://java.sun.com/products/servlet) and the JavaServer Pages (JSP) Specification (http://java.sun.com/products/jsp). Each of these specifications has a Technology Compatibility Kit (TCK), which is a collection of tests to certify that a given product meets the Specification fully and accurately.

The Apache Software Foundation (http://www.apache.org/) is licensed to run these TCKs. They are run against every single Tomcat release. *No Tomcat release is pronounced stable unless it has passed both of these TCKs with 100% compliance*. Therefore, every stable Tomcat release is validated to the extent of Tomcat's core functionality.

Furthermore, any company or individual may apply (http://java.sun.com/scholarship/) to obtain and use these TCKs themselves. That way, you can re-validate Tomcat, including any custom patches you have implemented.

However, we cannot validate your application's use of Tomcat. You're on your own there.

What kind of support is there around validating Tomcat?

Several kinds. They include:

  • There are numerous smaller vendors (http://jakarta.apache.org/site/vendors.html) and several large ones, including IBM, HP, Sun, and Novell, who offer Tomcat consulting and support services, including application auditing, environment assessments, and risk analysis.
  • There are numerous vendors in addition to the above consultants, like SpringSource (formerly Covalent, http://www.covalent.net/) and JBoss (http://www.jboss.org/services/prodsupport), who offer 24/7/365 enterprise-level support for Tomcat.
  • The Tomcat mailing lists (http://tomcat.apache.org/lists.html) are extremely active and contain members of many of the above organizations, including contractors available for hire.

How do I know I have a validated release? How do I know no one has tampered with the release package?

All Tomcat releases are signed using the Release Manager's PGP (http://www.pgpi.org/doc/pgpintro) key. The key is also available in the KEYS file that ships with every Tomcat release. The same KEYS file is also available in the Tomcat SVN repository (http://www.apache.org/dist/tomcat/tomcat-5/KEYS). The PGP signatures are available on all the Tomcat download pages, and can (and should!) be used to verify the release really is the signed distribution.

As for tampering: every Tomcat release is also digested using the MD5 algorithm as specified in RFC 1321 (http://www.faqs.org/rfcs/rfc1321.html). The MD5 digest is included in all the download pages. Users run MD5 on their local machine to verify that the digest of what they downloaded is the same as that published in the Apache download pages. That way, users are assured the distribution has not been modified since the Release Manager signed it.
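As an added example (it is not code from this wiki page or from the Tomcat project), the following POSIX shell script carries out the two checks described above on a downloaded archive: it recomputes the MD5 digest and compares it with the published one, then verifies the PGP signature against the KEYS file in a throwaway keyring. The file names and the verify_release wrapper are placeholders invented for this example, not Tomcat tooling.

```shell
#!/bin/sh
# Added example, not from the Tomcat wiki page or the Tomcat project:
# check a downloaded release archive against its published digest and,
# when GnuPG is installed, against the Release Manager's PGP signature.
# File names are placeholders for a real apache-tomcat-<version>.tar.gz,
# its .md5 digest file and its .asc signature.

# verify_digest FILE DIGEST_FILE
# Recomputes the MD5 of FILE and compares it with the hex digest published
# in DIGEST_FILE (first whitespace-separated field, as in Apache's .md5 files).
# Returns 0 on match, 1 otherwise. MD5 is what the page describes; current
# releases publish SHA-512, which is checked the same way with sha512sum.
verify_digest() {
    file="$1"
    digest_file="$2"
    expected=$(awk 'NR == 1 { print tolower($1) }' "$digest_file")
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_signature FILE SIG_FILE KEYS_FILE
# Imports KEYS_FILE into a temporary keyring and verifies SIG_FILE over FILE
# with it, so nothing is added to the user's own keyring. Returns 0 when the
# signature is good and was made by a key from KEYS_FILE, 1 otherwise
# (including when gpg is not installed at all).
verify_signature() {
    file="$1"
    sig_file="$2"
    keys_file="$3"
    command -v gpg >/dev/null 2>&1 || return 1
    keyring=$(mktemp -d) || return 1
    if gpg --batch --quiet --homedir "$keyring" --import "$keys_file" >/dev/null 2>&1 \
        && gpg --batch --quiet --homedir "$keyring" --verify "$sig_file" "$file" >/dev/null 2>&1
    then
        rc=0
    else
        rc=1
    fi
    rm -rf "$keyring"
    return $rc
}

# verify_release FILE DIGEST_FILE SIG_FILE KEYS_FILE
# Both checks must pass: the digest catches a corrupted or truncated
# download, the signature ties the archive to the Release Manager's key.
verify_release() {
    verify_digest "$1" "$2" || { echo "digest mismatch for $1" >&2; return 1; }
    verify_signature "$1" "$3" "$4" || { echo "bad or unverifiable signature for $1" >&2; return 1; }
    echo "$1: digest and signature OK"
}

# Usage (runs only when four arguments are given on the command line):
#   sh verify_release.sh apache-tomcat-X.Y.Z.tar.gz apache-tomcat-X.Y.Z.tar.gz.md5 \
#      apache-tomcat-X.Y.Z.tar.gz.asc KEYS
if [ "$#" -eq 4 ]; then
    verify_release "$1" "$2" "$3" "$4"
fi
```

The two checks answer different questions. The digest is fetched from the same download page as the archive, so it only detects a corrupted or truncated transfer: anyone able to alter the archive on a mirror could alter the .md5 beside it. The signature is what ties the archive to the Release Manager, and it is only meaningful when the KEYS file is taken from apache.org itself rather than from the mirror that served the archive.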

What about security? I'm concerned about attacks.

There's no need to be. See the security page (http://wiki.apache.org/tomcat/FAQ/Security) of this FAQ for more information.