You can configure Jtest so that it is FIPS compliant.

In this section:

Prerequisites

You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/download/bouncy-castle-java-fips/:

• bc-fips-<VERSION>.jar (tested with version 2.0.0)
• bctls-fips-<VERSION>.jar (tested with version 2.0.19)
• bcutil-fips-<VERSION>.jar (tested with version 2.0.3)

You can place these libraries wherever you choose. This location will be referred to as <BC_DIR> below.

Configuring FIPS Mode for jtestcli

1. Copy bc-fips-<VERSION>.jar, bctls-fips-<VERSION>.jar and bcutil-fips-<VERSION>.jar into the <JTEST_INSTALL_DIR>/bin directory.

2. Use keytool to convert the cacerts file to the FIPS-compliant BCFKS format.
   1. Open the console and execute the following commands:

      cd <JTEST_INSTALL_DIR> mv bin/jre/lib/security/cacerts bin/jre/lib/security/cacerts.pkcs12 ./bin/jre/bin/keytool -importkeystore -srckeystore bin/jre/lib/security/cacerts.pkcs12 -srcstoretype PKCS12 -destkeystore bin/jre/lib/security/cacerts -deststoretype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bin/bc-fips-<VERSION>.jar -srcstorepass changeit -deststorepass changeit

      
      

   2. Open the jtestcli.jvm file in the <JTEST_INSTALL_DIR>/etc directory, and insert the following line:

      java.arg=-Djavax.net.ssl.trustStorePassword=changeit

3. Save your changes.

4. Open the java.security file in the <JTEST_INSTALL_DIR>/bin/jre/conf/security/ directory and make the following changes: 

   1. Set the list of security providers by commenting out all existing properties named security.provider.<number>. and inserting the following lines:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN

   2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX

   3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      keystore.type=fips keystore.type.compat=false

   4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN

   5. Allow only FIPS-approved algorithms:

      org.bouncycastle.fips.approved_only=true

5. Save your changes.

6. Open the java.policy file in the <JTEST_INSTALL_DIR>/bin/jre/conf/security/ directory and insert the following permissions into the default domain:

   permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

7. Save your changes.

8. Open the logging.properties file in the <JTEST_INSTALL_DIR>/bin/jre/conf/ directory and insert the following Bouncy Castle logger configuration:

   org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE org.bouncycastle.jsse.provider.ProvTlsClient.level=SEVERE

9. Save your changes.

Configuring FIPS Mode for jtestcov

1. Use keytool to convert the cacerts file to the FIPS-compliant BCFKS format. Open the console and execute the following commands:

   cd <JAVA_HOME> mv lib/security/cacerts lib/security/cacerts.pkcs12 ./bin/keytool -importkeystore -srckeystore lib/security/cacerts.pkcs12 -srcstoretype PKCS12 -destkeystore lib/security/cacerts -deststoretype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <BC_DIR>/bc-fips-<VERSION>.jar -srcstorepass changeit -deststorepass changeit

2. Save your changes.

3. Open the java.security file in the <JAVA_HOME>/conf/security directory and make the following changes: 

   1. Set the list of security providers by commenting out all existing properties named security.provider.<number> and fips.provider.<number>, then inserting the following lines:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN

   2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX

   3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      keystore.type=fips keystore.type.compat=false

   4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN

   5. Allow only FIPS-approved algorithms:

      org.bouncycastle.fips.approved_only=true

4. Save your changes.

5. Open the java.policy file in the <JAVA_HOME>/conf/security directory and insert the following permissions into the default domain:

   permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabled";

6. Save your changes.

7. Open the logging.properties file in the <JAVA_HOME>/conf directory and insert the following Bouncy Castle logger configuration:

   org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE org.bouncycastle.jsse.provider.ProvTlsClient.level=SEVERE

8. Save your changes.

9. Add the option that points to the Bouncy Castle FIPS libraries and the option that specifies the password required to access the trust store to your Java command line:

   --module-path=<BC_DIR> -Djavax.net.ssl.trustStorePassword=changeit