You can configure Virtualize so that it is FIPS compliant. This documentation shows how to configure the Virtualize WAR deployment for FIPS compliance using the Bouncy Castle FIPS libraries. FIPS compliance can be configured using other methods, but testing was done using Bouncy Castle FIPS libraries. FIPS mode is only supported for the WAR deployment.

In this section:

Prerequisites

You will need to download the following Bouncy Castle FIPS libraries from https://www.bouncycastle.org/fips-java/:

• bc-fips-<VERSION>.jar
• bctls-fips-<VERSION>.jar

Configuring FIPS Mode

1. Copy bc-fips-<VERSION>.jar and bctls-fips-<VERSION>.jar into the <INSTALL_DIR>/bin/jars directory.

2. Set the system property that allows only FIPS-approved algorithms. This property must be set regardless of the method used to configure your system for FIPS compliance. For Bouncy Castle, set it as shown below:

   -D org.bouncycastle.fips.approved_only=true

3. Open the java.security file in the <INSTALL_DIR>/bin/jre/conf/security directory and make the following changes: 

   1. Set the list of security providers by commenting out all existing properties named security.provider.<number> and inserting the following lines:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN

   2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX

   3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      keystore.type=fips keystore.type.compat=false

   4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN

4. Save your changes.

5. Open the java.policy file in the <INSTALL_DIR>/bin/jre/conf/security directory and insert the following permissions into the default domain:

   permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabled";

6. Save your changes.

7. Open the logging.properties file in the <INSTALL_DIR>/bin/jre/conf/ directory and insert the following Bouncy Castle logger configuration:

   org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE

8. Save your changes.