Versions Compared

Old Version 1

changes.mady.by.user Izabela Jarosz

Saved on

compared with

New Version Current

changes.mady.by.user Izabela Jarosz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Copy bc-fips-<VERSION>.jar and bctls-fips-<VERSION>.jar into the <CPPTEST_INSTALL_DIR>/bin/jars directory.

  2. Use keytool to convert the cacerts file to the FIPS-compliant BCFKS format.
    1. Open the console and execute the following commands:
      Code Block
      cd <CPPTEST_INSTALL_DIR>

mv bin/jre/lib/security/cacerts bin/jre/lib/security/cacerts.pkcs12

./bin/jre/bin/keytool -importkeystore -srckeystore bin/jre/lib/security/cacerts.pkcs12 -srcstoretype PKCS12 -destkeystore bin/jre/lib/security/cacerts -deststoretype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bin/jars/bc-fips-<VERSION>.jar -srcstorepass changeit -deststorepass changeit
    2. Open the the cpptestcli.jvm  file file in the <CPPTEST_INSTALL_DIR>/etc directory, and insert the following line:
      Code Block
      java.arg=-Djavax.net.ssl.trustStorePassword=changeit
  3. Save your changes.

  4. Open the java.security file in the <CPPTEST_INSTALL_DIR>/bin/jre/conf/security/ directory and make the following changes: 

    1. Set the list of security providers by commenting out all existing properties named security.provider.<number>. and inserting the following lines:

      Code Block
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN

    2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      Code Block
      ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX

    3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      Code Block
      keystore.type=fips
keystore.type.compat=false

    4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      Code Block
      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN

    5. Allow only FIPS-approved algorithms:

      Code Block
      org.bouncycastle.fips.approved_only=true
  5. Save your changes.

  6. Open the java.policy file in the <CPPTEST_INSTALL_DIR>/bin/jre/conf/security/ directory and insert the following permissions into the default domain:

    Code Block
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
  7. Save your changes.

  8. Open the logging.properties file in the <CPPTEST_INSTALL_DIR>/bin/jre/conf/ directory and insert the following Bouncy Castle logger configuration:

    Code Block
    org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
org.bouncycastle.jsse.provider.ProvTlsClient.level=SEVERE

  9. Save your changes.