Comment: Published by Scroll Versions from space FUNCTDEV and version SVC2023.2

Prerequisites

You should have already completed the instructions found on the Installing Virtualize Server page.

You will need to download the following Bouncy Castle FIPS libraries from https://www.bouncycastle.org/fips-java/:

  • bc-fips-<VERSION>.jar
  • bctls-fips-<VERSION>.jar

You can place these libraries wherever you choose. This location is referred to as <BC_DIR> below.

Configuring FIPS Mode

  1. Place bc-fips-<VERSION>.jar and bctls-fips-<VERSION>.jar in <BC_DIR> (for example, <INSTALL_DIR>/bin/jars).

  2. Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance. For Bouncy Castle, add it to the Java options of the server's startup command:

    Code Block
    -Dorg.bouncycastle.fips.approved_only=true

    This property restricts the Bouncy Castle FIPS provider only; the SUN provider that stays in the provider list (step 3) still serves its own, non-approved algorithms to code that requests them from that provider explicitly.
  3. Open the java.security file in the <JAVA_HOME>/conf/security directory, where <JAVA_HOME> is the Java runtime the server starts with (for example, <INSTALL_DIR>/bin/jre if the server uses the bundled runtime), and make the following changes: 

    1. Set the list of security providers by commenting out all existing properties named security.provider.<number> and fips.provider.<number>, then inserting the following lines:

      Code Block
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
    2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      Code Block
      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
    3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      Code Block
      keystore.type=fips
      keystore.type.compat=false
    4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      Code Block
      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
  4. Save your changes.
  5. Open the java.policy file in the <JAVA_HOME>/conf/security directory (the same directory as java.security) and insert the following permissions into the default domain:

    Code Block
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
  6. Save your changes.
  7. Open the logging.properties file in the <JAVA_HOME>/conf directory and insert the following Bouncy Castle logger configuration:

    Code Block
    org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
    org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
  8. Create a new keystore file of type BCFKS in which the server certificate will be stored. The following options must be included so that keytool loads the Bouncy Castle FIPS provider from <BC_DIR> instead of the JDK's default providers:

    • -storetype BCFKS
    • -providername BCFIPS
    • -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    • -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

      Example keytool command (keytool prompts for the certificate's distinguished name and key password):

      Code Block
      keytool -genkeypair -keyalg RSA -keysize 2048 -alias <ALIAS> -storetype BCFKS -keystore keystore.bcfks -storepass <PASSWORD> -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
  9. Copy the keystore.bcfks file to <TOMCAT_HOME>/conf and restrict its file permissions so that only the account that runs the server can read it.
  10. Open the server.xml file in the <TOMCAT_HOME>/conf directory and add the following attributes to the <Certificate> element inside the <SSLHostConfig> of the HTTPS <Connector>:

    • certificateKeystoreProvider="BCFIPS"
    • certificateKeystoreType="BCFKS"
    • certificateKeystoreFile="conf/keystore.bcfks"

      For example, with $ALIAS and $PASSWORD standing for the alias and store password chosen in step 8:

      Code Block
          <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                     maxThreads="150" SSLEnabled="true"
                     maxParameterCount="1000">
              <SSLHostConfig>
                <Certificate certificateKeystoreProvider="BCFIPS"
                             certificateKeystoreType="BCFKS"
                             certificateKeystoreFile="conf/keystore.bcfks"
                             certificateKeyAlias="$ALIAS"
                             certificateKeystorePassword="$PASSWORD"
                             type="RSA" />
              </SSLHostConfig>
          </Connector>
      Because server.xml now holds the keystore password, keep it readable only by the account that runs the server.
  11. Open the context.xml file in the <TOMCAT_HOME>/conf directory and insert the following line inside the <Context> element, so that session identifiers are generated with the FIPS provider's SecureRandom:

    Code Block
    <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
  12. Save your changes.
  13. Add the following Java option to the server's startup command so that the JVM finds the Bouncy Castle FIPS libraries (the -Dorg.bouncycastle.fips.approved_only=true property from step 2 belongs in the same command):

    Code Block
    --module-path=<BC_DIR>
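The java.security edits in step 3 are the part of this procedure that is easiest to get subtly wrong (a provider line left active, a stale keystore.type, duplicates after a second attempt). The following POSIX shell script is an added example, not code from the original page and not a Parasoft or Bouncy Castle tool: it applies steps 3a to 3d to a java.security file with sed, keeps a .bak copy, and then verifies that the active provider list is exactly the three FIPS entries in order and that the SSL, keystore and (on Linux) SecureRandom properties have the required values. The sample java.security it builds for its demo is constructed here and is not a real JDK file; the script name fips_java_security.sh used in the comments is an assumed name.

```shell
#!/bin/sh
# Added example (not from the original page, Parasoft or Bouncy Castle):
# applies the java.security edits of step 3 with sed and verifies the result.
# Assumes POSIX sh with cp, sed -E, grep, tail, tr and mktemp; no JDK needed.

BC_JCE='org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider'
BC_JSSE='org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS'
STRONG_RNG='NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN'

# configure_java_security FILE [linux]
# Rewrites FILE (keeping a copy in FILE.bak): comments out every active
# security.provider.N / fips.provider.N line (3a), removes active copies of
# the keys set below so that a re-run leaves no duplicates, then appends the
# FIPS provider list, the PKIX factory algorithms (3b), the keystore settings
# (3c) and, when "linux" is given, the strong SecureRandom list (3d).
configure_java_security() {
    f="$1"; os="${2:-}"
    cp "$f" "$f.bak" || return 1
    sed -E \
        -e 's/^[[:space:]]*((security|fips)\.provider\.[0-9]+=)/#\1/' \
        -e '/^[[:space:]]*(ssl\.(Key|Trust)ManagerFactory\.algorithm|keystore\.type(\.compat)?|securerandom\.strongAlgorithms)=/d' \
        "$f.bak" > "$f" || return 1
    {
        echo ''
        echo '# --- Bouncy Castle FIPS settings (added by configure_java_security) ---'
        echo "security.provider.1=$BC_JCE"
        echo "security.provider.2=$BC_JSSE"
        echo 'security.provider.3=SUN'
        echo 'ssl.KeyManagerFactory.algorithm=PKIX'
        echo 'ssl.TrustManagerFactory.algorithm=PKIX'
        echo 'keystore.type=fips'
        echo 'keystore.type.compat=false'
        if [ "$os" = linux ]; then
            echo "securerandom.strongAlgorithms=$STRONG_RNG"
        fi
    } >> "$f"
}

# active_value FILE KEY_REGEX: value of the last uncommented KEY=... line
# (empty output when the key is not set).
active_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# verify_java_security FILE: succeeds only if the active provider list is
# exactly the three FIPS entries, in order, and the other properties are set.
verify_java_security() {
    f="$1"
    got=$(grep -E '^[[:space:]]*(security|fips)\.provider\.[0-9]+=' "$f" \
          | sed 's/^[[:space:]]*//' | tr '\n' '|')
    want="security.provider.1=$BC_JCE|security.provider.2=$BC_JSSE|security.provider.3=SUN|"
    if [ "$got" != "$want" ]; then
        echo "provider list is not the FIPS list: $got" >&2
        return 1
    fi
    [ "$(active_value "$f" 'ssl\.KeyManagerFactory\.algorithm')" = PKIX ] || return 1
    [ "$(active_value "$f" 'ssl\.TrustManagerFactory\.algorithm')" = PKIX ] || return 1
    [ "$(active_value "$f" 'keystore\.type')" = fips ] || return 1
    [ "$(active_value "$f" 'keystore\.type\.compat')" = false ] || return 1
}

# make_sample_java_security: writes a constructed java.security with the
# JDK's stock layout (sample data for this example, not a real JDK file)
# to a temporary file and prints its path.
make_sample_java_security() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample java.security
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
fips.provider.1=SunPKCS11 ${java.home}/lib/security/nss.cfg
securerandom.strongAlgorithms=NativePRNGBlocking:SUN,DRBG:SUN
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=pkcs12
keystore.type.compat=true
EOF
    echo "$tmp"
}

# Demo on the constructed sample:  sh fips_java_security.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_java_security)
    configure_java_security "$f" linux && verify_java_security "$f" \
        && echo "OK: $f configured for FIPS (original kept as $f.bak)"
    rm -f "$f" "$f.bak"
fi
```

To use it on a real runtime, source the script (`. ./fips_java_security.sh`) and call `configure_java_security "$JAVA_HOME/conf/security/java.security" linux` followed by `verify_java_security` on the same path; the .bak copy is the rollback. The verifier only checks the file, so after restarting the server still confirm in the startup log that the JVM loaded BCFIPS and BCJSSE rather than falling back to the SUN providers.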