You can configure Virtualize so that it is FIPS compliant. This documentation shows how to configure the Virtualize WAR deployment for FIPS compliance using the Bouncy Castle FIPS libraries. FIPS compliance can be configured using other methods, but testing was done using Bouncy Castle FIPS libraries. FIPS mode is only supported for the WAR deployment.
In this section:
Prerequisites
You will need to download the following Bouncy Castle FIPS libraries from https://www.bouncycastle.org/fips-java/:
- bc-fips-<VERSION>.jar
- bctls-fips-<VERSION>.jar
You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.
Configuring FIPS Mode
Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance.
-Dorg.bouncycastle.fips.approved_only=true
Open the java.security file in the
<JAVA_HOME>/conf/securitydirectory and make the following changes:Set the list of security providers by commenting out all existing properties named
security.provider.<number>andfips.provider.<number>, then inserting the following lines:security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN
Change key and trust manager factory algorithms for the
javax.net.sslpackage to PKIX.ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX
Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.
keystore.type=fips keystore.type.compat=false
(Linux only) Add the
NativePRNGNonBlockingalgorithm to the list of known strong SecureRandom implementations:securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
- Save your changes.
Open the java.policy file in the
<JAVA_HOME>/conf/securitydirectory and insert the following permissions into the default domain:permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabled";
- Save your changes.
Open the logging.properties file in the
<JAVA_HOME>/confdirectory and insert the following Bouncy Castle logger configuration:org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
Create a new keystore file of type "BCFKS" where server certificates will be hosted. The following options must be included:
- -storetype BCFKS
- -providerName BCFIPS
- -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
- -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
Example keytool command:
keytool -genkey -keyalg RSA -alias <ALIAS> -storetype BCFKS -keystore keystore.bcfks -storepass <PASSWORD> -keysize 2048 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar
- Copy the keystore.bcfks file to
<TOMCAT_HOME>/conf. Open the server.xml file in the
<INSTALL_DIR>/app/tomcat/conf/directory and add the following attributes to the<Connector>element:- certificateKeystoreProvider="BCFIPS"
certificateKeystoreType="BCFKS"
certificateKeystoreFile="conf/keystore.bcfks"
For example:<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true"> <SSLHostConfig> <Certificate certificateKeystoreProvider="BCFIPS" certificateKeystoreType="BCFKS" certificateKeystoreFile="conf/keystore.bcfks" certificateKeyAlias="$ALIAS" certificateKeystorePassword="$PASSWORD" type="RSA" /> </SSLHostConfig> </Connector>
Open the context.xml file in the
<TOMCAT_HOME>/confand insert the following line:<Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
- Add the following Java option to your startup command to point to the Bouncy Castle FIPS libraries:
--module-path=<BC_DIR>
- Save your changes.
