...
- bc-fips-<VERSION>.jar
- bctls-fips-<VERSION>.jar
Configuring FIPS Mode
...
You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.
Configuring FIPS Mode
Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance. For Bouncy Castle, set it as shown below:
Code Block -D orgDorg.bouncycastle.fips.approved_only=true
Open the java.security file in the
<INSTALL<JAVA_DIR>HOME>/bin/jre/conf/securitydirectory directory and make the following changes:Set the list of security providers by commenting out all existing properties named
security.provider.<number>andfips.provider.<number>, then inserting the following lines:Code Block security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN
Change key and trust manager factory algorithms for the
javax.net.sslpackage to PKIX.Code Block ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX
Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.
Code Block keystore.type=fips keystore.type.compat=false
(Linux only) Add the
NativePRNGNonBlockingalgorithm to the list of known strong SecureRandom implementations:Code Block securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
- Save your changes.
Open the java.policy file in the
<INSTALL<JAVA_DIR>/binHOME>/jre/conf/securitydirectory and insert the following permissions into the default domain:Code Block permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabled";
- Save your changes.
Open the logging.properties file in the
<INSTALL_DIR>/bin/jre<JAVA_HOME>/conf/directory directory and insert the following Bouncy Castle logger configuration:Code Block org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
Create a new keystore file of type "BCFKS" where server certificates will be hosted. The following options must be included:
- -storetype BCFKS
- -providerName BCFIPS
- -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
- -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
Example keytool command:
Code Block keytool -genkey -keyalg RSA -alias <ALIAS> -storetype BCFKS -keystore keystore.bcfks -storepass <PASSWORD> -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
- Copy the keystore.bcfks file to
<TOMCAT_HOME>/conf. Open the server.xml file in the
<INSTALL_DIR>/app/tomcat/conf/directory and add the following attributes to the<Connector>element:- certificateKeystoreProvider="BCFIPS"
certificateKeystoreType="BCFKS"
certificateKeystoreFile="conf/keystore.bcfks"
For example:Code Block <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreProvider="BCFIPS" certificateKeystoreType="BCFKS" certificateKeystoreFile="conf/keystore.bcfks" certificateKeyAlias="$ALIAS" certificateKeystorePassword="$PASSWORD" type="RSA" /> </SSLHostConfig> </Connector>
Open the context.xml file in the
<TOMCAT_HOME>/confand insert the following line:Code Block <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />- Add the following Java option to your startup command to point to the Bouncy Castle FIPS libraries:
Code Block --module-path=<BC_DIR> - Save your changes.