Comment: Published by Scroll Versions from space FUNCTDEV and version SVC2025.1

...

You will need to download the following Bouncy Castle FIPS libraries from https://www.bouncycastle.org/fips-java/:

  • bc-fips-<VERSION>.jar (tested with version 2.0.0)

  • bctls-fips-<VERSION>.jar (tested with version 2.0.19)

  • bcutil-fips-<VERSION>.jar (tested with version 2.0.3)

You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.

...

  1. Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance.

    Code Block
    -Dorg.bouncycastle.fips.approved_only=true
  2. If you are using a version of Java higher than 17, use keytool to convert the cacerts file to the FIPS-compliant BCFKS format:

    1. Open the console and execute the following commands:
      Code Block
      cd <SOATEST & VIRTUALIZE_INSTALL_DIR>
      mv bin/jre/lib/security/cacerts bin/jre/lib/security/cacerts.pkcs12
      ./bin/jre/bin/keytool -importkeystore -srckeystore bin/jre/lib/security/cacerts.pkcs12 -srcstoretype PKCS12 -destkeystore bin/jre/lib/security/cacerts -deststoretype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar -srcstorepass changeit -deststorepass changeit
    2. Open the soatestcli.jvm file in the <SOATEST & VIRTUALIZE_INSTALL_DIR>/etc directory and insert the following line, which sets the system property specifying the password required to access the trust store:
      Code Block
      java.arg=-Djavax.net.ssl.trustStorePassword=changeit

  3. Open the java.security file in the <JAVA_HOME>/conf/security directory and make the following changes:

    1. Set the list of security providers by commenting out all existing properties named security.provider.<number> and fips.provider.<number>, then inserting the following lines:

      Code Block
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
    2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      Code Block
      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
    3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      Code Block
      keystore.type=fips
      keystore.type.compat=false
    4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      Code Block
      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
  4. Save your changes.
  5. Open the java.policy file in the <JAVA_HOME>/conf/security directory and insert the following permissions into the default domain:

    Code Block
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
  6. Save your changes.
  7. Open the logging.properties file in the <JAVA_HOME>/conf directory and insert the following Bouncy Castle logger configuration:

    Code Block
    org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
    org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
  8. Create a new keystore file of type "BCFKS" where server certificates will be hosted. The following options must be included:

    • -storetype BCFKS
    • -providername BCFIPS
    • -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    • -providerpath <BC_DIR>/bc-fips-<VERSION>.jar

      Example keytool command:

      Code Block
      keytool -genkey -keyalg RSA -alias <ALIAS> -storetype BCFKS -keystore keystore.bcfks -storepass <PASSWORD> -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
  9. Copy the keystore.bcfks file to <TOMCAT_HOME>/conf.
  10. Open the server.xml file in the <TOMCAT_HOME>/conf directory and add the following attributes to the <Connector> element:

    • certificateKeystoreProvider="BCFIPS"
    • certificateKeystoreType="BCFKS"
    • certificateKeystoreFile="conf/keystore.bcfks"
      For example:

      Code Block
          <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                     maxThreads="150" SSLEnabled="true"
                     maxParameterCount="1000"
                     >
              <SSLHostConfig>
                <Certificate certificateKeystoreProvider="BCFIPS"
                             certificateKeystoreType="BCFKS"
                             certificateKeystoreFile="conf/keystore.bcfks"
                             certificateKeyAlias="$ALIAS"
                             certificateKeystorePassword="$PASSWORD"
                             type="RSA" />
               </SSLHostConfig>
          </Connector>
  11. Open the context.xml file in the <TOMCAT_HOME>/conf directory and insert the following line:

    Code Block
    <Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
  12. Save your changes.
  13. Add the following Java option to your startup command to point to the Bouncy Castle FIPS libraries:

    Code Block
    --module-path=<BC_DIR>
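As an added self-check (not part of the Parasoft documentation or of Bouncy Castle), the following Java program confirms the end state that steps 1 through 13 are meant to produce when it is run with the same JVM options, java.security and java.policy edits as the product. It assumes the Bouncy Castle FIPS jars are resolvable by the JVM as in step 13 and that the class name FipsSelfCheck is free to use; each check prints OK or FAIL with the observed value.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.crypto.CryptoServicesRegistrar;

// Added self-check, not Parasoft or Bouncy Castle code; run it under the product's JVM options and java.security edits.
public class FipsSelfCheck {
    private static int failures = 0;
    private static void check(String what, boolean ok, String actual) {
        System.out.printf("%-36s %s (%s)%n", what, ok ? "OK" : "FAIL", actual);
        if (!ok) failures++;
    }
    public static void main(String[] args) {
        // Step 1: -Dorg.bouncycastle.fips.approved_only=true must be in effect.
        boolean approved = CryptoServicesRegistrar.isInApprovedOnlyMode();
        check("approved-only mode", approved, String.valueOf(approved));
        // Step 3.1: BCFIPS first and BCJSSE second in the provider list.
        Provider[] p = Security.getProviders();
        String first = p.length > 0 ? p[0].getName() : "none";
        String second = p.length > 1 ? p[1].getName() : "none";
        check("provider 1 is BCFIPS", "BCFIPS".equals(first), first);
        check("provider 2 is BCJSSE", "BCJSSE".equals(second), second);
        // Step 3.2: PKIX key and trust manager factories.
        String km = KeyManagerFactory.getDefaultAlgorithm();
        String tm = TrustManagerFactory.getDefaultAlgorithm();
        check("KeyManagerFactory algorithm", "PKIX".equals(km), km);
        check("TrustManagerFactory algorithm", "PKIX".equals(tm), tm);
        // Step 3.3: keystore.type=fips; the BCFIPS provider serves that type as a BCFKS store.
        try {
            String ksProv = KeyStore.getInstance(KeyStore.getDefaultType()).getProvider().getName();
            check("default keystore provider", "BCFIPS".equals(ksProv), KeyStore.getDefaultType() + " via " + ksProv);
        } catch (Exception e) { check("default keystore provider", false, e.toString()); }
        // Steps 2 and 3: the default SSLContext loads cacerts using the default keystore type, so a cacerts file left in PKCS12 format typically surfaces here.
        try {
            String sslProv = SSLContext.getDefault().getProvider().getName();
            check("default SSLContext provider", "BCJSSE".equals(sslProv), sslProv);
        } catch (Exception e) { check("default SSLContext (cacerts load)", false, e.toString()); }
        // Step 3.4 (Linux): a strong SecureRandom must resolve from securerandom.strongAlgorithms.
        try {
            SecureRandom sr = SecureRandom.getInstanceStrong();
            check("strong SecureRandom", true, sr.getAlgorithm() + " via " + sr.getProvider().getName());
        } catch (Exception e) { check("strong SecureRandom", false, e.toString()); }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

A non-zero exit status means at least one of the steps above did not take effect in the JVM that ran the check.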

...