You can configure dotTEST so that it is FIPS compliant.
Prerequisites
You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/download/bouncy-castle-java-fips/:
- bc-fips-<VERSION>.jar (tested with version 2.0.0)
- bctls-fips-<VERSION>.jar (tested with version 2.0.19)
- bcutil-fips-<VERSION>.jar (tested with version 2.0.3)
You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.
Configuring FIPS Mode for dottestcli
- Copy bc-fips-<VERSION>.jar, bctls-fips-<VERSION>.jar and bcutil-fips-<VERSION>.jar into the <DOTTEST_INSTALL_DIR>/bin/dottest/java/jars directory.
- Use keytool to convert the cacerts file to the FIPS-compliant BCFKS format. Open the console and execute the following commands:
    cd <DOTTEST_INSTALL_DIR>
    move bin\dottest\Jre_x64\lib\security\cacerts bin\dottest\Jre_x64\lib\security\cacerts.pkcs12
    bin\dottest\Jre_x64\bin\keytool.exe -importkeystore -srckeystore bin\dottest\Jre_x64\lib\security\cacerts.pkcs12 -srcstoretype PKCS12 -destkeystore bin\dottest\Jre_x64\lib\security\cacerts -deststoretype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bin\dottest\java\jars\bc-fips-<VERSION>.jar -srcstorepass changeit -deststorepass changeit
- Open the dottestcli.jvm file in the <DOTTEST_INSTALL_DIR>\etc directory and insert the following line:
    -Djavax.net.ssl.trustStorePassword=changeit
- Save your changes.
- Open the java.security file in the <DOTTEST_INSTALL_DIR>/bin/dottest/Jre_x64/conf/security/ directory and make the following changes:
  - Set the list of security providers by commenting out all existing properties named security.provider.<number> and inserting the following lines:
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
  - Change the key and trust manager factory algorithms for the javax.net.ssl package to PKIX:
      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
  - Change the default keystore type to fips and disable the compatibility mode for the JKS and PKCS12 keystore types:
      keystore.type=fips
      keystore.type.compat=false
  - (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:
      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
  - Allow only FIPS-approved algorithms:
      org.bouncycastle.fips.approved_only=true
- Save your changes.
- Open the java.policy file in the <DOTTEST_INSTALL_DIR>/bin/dottest/Jre_x64/conf/security/ directory and insert the following permissions into the default domain:
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
- Save your changes.
- Open the logging.properties file in the <DOTTEST_INSTALL_DIR>/bin/dottest/Jre_x64/conf/ directory and insert the following Bouncy Castle logger configuration:
    org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
    org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
    org.bouncycastle.jsse.provider.ProvTlsClient.level=SEVERE
- Save your changes.
Configuring FIPS Mode for dottestcov
- Use keytool to convert the cacerts file to the FIPS-compliant BCFKS format. Open the console and execute the following commands:
    cd <JAVA_HOME>
    mv lib/security/cacerts lib/security/cacerts.pkcs12
    ./bin/keytool -importkeystore -srckeystore lib/security/cacerts.pkcs12 -srcstoretype PKCS12 -destkeystore lib/security/cacerts -deststoretype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar -srcstorepass changeit -deststorepass changeit
- Save your changes.
- Open the java.security file in the <JAVA_HOME>/conf/security directory and make the following changes:
  - Set the list of security providers by commenting out all existing properties named security.provider.<number> and fips.provider.<number>, then inserting the following lines:
      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
  - Change the key and trust manager factory algorithms for the javax.net.ssl package to PKIX:
      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
  - Change the default keystore type to fips and disable the compatibility mode for the JKS and PKCS12 keystore types:
      keystore.type=fips
      keystore.type.compat=false
  - (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:
      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
  - Allow only FIPS-approved algorithms:
      org.bouncycastle.fips.approved_only=true
- Save your changes.
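The java.security edits above (this step and the equivalent dottestcli step) are easy to get subtly wrong: a single stock security.provider.<number> line left uncommented keeps a non-FIPS provider on the list, and keystore.type.compat left at its default silently allows JKS and PKCS12 stores. The following Python script is an added example, not part of the dotTEST documentation or of Bouncy Castle. It reads a java.security file and reports every deviation from the settings listed above: the active security.provider entries must be exactly the three lines given, no fips.provider entries may remain active, and the factory, keystore and approved_only properties must carry the stated values. The parser is deliberately simplified (key=value lines, # or ! comments; no line continuations or ':' separators), and the two embedded sample files are constructed for the demonstration.

```python
"""Check a java.security file against the FIPS settings in this guide.

Added example; not dotTEST or Bouncy Castle code. Usage:
    python check_java_security.py <JAVA_HOME>/conf/security/java.security [--linux]
With no arguments it runs against the two constructed samples below.
"""
import re
import sys
from pathlib import Path

# Exact provider list the guide asks for, in order (security.provider.1..3).
EXPECTED_PROVIDERS = [
    "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider",
    "org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS",
    "SUN",
]
# Plain key=value settings the guide asks for.
EXPECTED_PROPERTIES = {
    "ssl.KeyManagerFactory.algorithm": "PKIX",
    "ssl.TrustManagerFactory.algorithm": "PKIX",
    "keystore.type": "fips",
    "keystore.type.compat": "false",
    "org.bouncycastle.fips.approved_only": "true",
}
PROVIDER_RE = re.compile(r"^(security|fips)\.provider\.(\d+)$")


def parse_java_security(text):
    """Return {key: value} for active lines only (simplified Properties syntax).

    Commented-out lines (# or !) are skipped, so a provider that was correctly
    commented out does not count; a later duplicate key wins, as in the JDK.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_fips_settings(text, linux=False):
    """Return a list of problem descriptions; an empty list means the file matches."""
    props = parse_java_security(text)
    problems = []

    # Collect active provider entries by family (security.* / fips.*) and index.
    providers = {}
    for key, value in props.items():
        m = PROVIDER_RE.match(key)
        if m:
            providers.setdefault(m.group(1), {})[int(m.group(2))] = value
    if "fips" in providers:
        problems.append(f"fips.provider.* entries still active: {sorted(providers['fips'])}")
    sec = providers.get("security", {})
    actual = [sec[n] for n in sorted(sec)]
    if actual != EXPECTED_PROVIDERS:  # catches a leftover stock provider line
        problems.append(f"security.provider order is {actual}, expected {EXPECTED_PROVIDERS}")

    for key, want in EXPECTED_PROPERTIES.items():
        got = props.get(key)
        if got != want:
            problems.append(f"{key}={got!r}, expected {want!r}")

    if linux:  # the NativePRNGNonBlocking entry is required on Linux only
        strong = props.get("securerandom.strongAlgorithms", "").split(",")
        if "NativePRNGNonBlocking:SUN" not in strong:
            problems.append("securerandom.strongAlgorithms lacks NativePRNGNonBlocking:SUN")
    return problems


# Constructed sample: a java.security fragment edited exactly as the guide describes.
GOOD_SAMPLE = """\
# security.provider.1=SUN
# security.provider.2=SunRsaSign
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=fips
keystore.type.compat=false
securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
org.bouncycastle.fips.approved_only=true
"""

# Constructed sample: one stock provider line was missed and compat mode left on.
BAD_SAMPLE = (
    GOOD_SAMPLE.replace("keystore.type.compat=false", "keystore.type.compat=true")
    + "security.provider.4=SunEC\n"
)


def main(argv):
    if len(argv) < 2:
        print("good sample:", check_fips_settings(GOOD_SAMPLE, linux=True) or "OK")
        print("bad sample:", check_fips_settings(BAD_SAMPLE, linux=True))
        return 0
    problems = check_fips_settings(Path(argv[1]).read_text(encoding="utf-8"),
                                   linux="--linux" in argv)
    for p in problems:
        print("PROBLEM:", p)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file after saving and before starting dottestcov; a non-zero exit code means at least one setting does not match the list above. The constructed BAD_SAMPLE shows the two mistakes the check is built to catch: an extra active security.provider.4 line and keystore.type.compat still set to true.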
- Open the java.policy file in the <JAVA_HOME>/conf/security directory and insert the following permissions into the default domain:
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
- Save your changes.
- Open the logging.properties file in the <JAVA_HOME>/conf directory and insert the following Bouncy Castle logger configuration:
    org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
    org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
    org.bouncycastle.jsse.provider.ProvTlsClient.level=SEVERE
- Save your changes.
- Add the option that points to the Bouncy Castle FIPS libraries and the option that specifies the password required to access the trust store to your Java command line:
    --module-path=<BC_DIR> -Djavax.net.ssl.trustStorePassword=changeit
  You can use the PTESTCOV_OPTS environment variable to do that, or modify the Java command line in the dottestcov.bat/dottest.sh script.