You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

You can configure dotTEST so that it is FIPS compliant.

In this section:

Prerequisites

You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/fips-java/:

  • bc-fips-<VERSION>.jar (tested with version 1.0.2.4)
  • bctls-fips-<VERSION>.jar (tested with version 1.0.17)

Configuring FIPS Mode in dotTEST

  1. Copy bc-fips-<VERSION>.jar and bctls-fips-<VERSION>.jar into the <DOTTEST_INSTALL_DIR>/bin/dottest/java/jars directory.

  2. Open the java.security file in the <DOTTEST_INSTALL_DIR>/bin/dottest/Jre_x64/conf/security/ directory and make the following changes: 

    1. Set the list of security providers by commenting out all existing properties named security.provider.<number>. and inserting the following lines:

      security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
      security.provider.3=SUN
    2. Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.

      ssl.KeyManagerFactory.algorithm=PKIX
      ssl.TrustManagerFactory.algorithm=PKIX
    3. Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.

      keystore.type=fips
      keystore.type.compat=false
    4. (Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:

      securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
    5. Allow only FIPS-approved algorithms:

      org.bouncycastle.fips.approved_only=true
  3. Save your changes.
  4. Open the java.policy file in the <DOTTEST_INSTALL_DIR>/bin/dottest/Jre_x64/conf/security/ directory and insert the following permissions into the default domain:

    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAglorithmsEnabled";
  5. Save your changes.
  6. Open the logging.properties file in the <DOTTEST_INSTALL_DIR>/bin/dottest/Jre_x64/conf/ directory and insert the following Bouncy Castle logger configuration:

    org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE
    org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE
  7. Save your changes.


  • No labels