The Bouncy Castle FIPS Java API (the FIPS 140 validated security provider) works with Azul Zing and is used in the same way as with OpenJDK. The required files bc-fips.jar (the BCFIPS provider) and bctls-fips.jar (the BCJSSE TLS provider) are available for download from https://bouncycastle.org.
Example options for the Azul Zing java command line on Java 11, 17 and 21:
--module-path=/DIR/bc-fips.jar:/DIR/bctls-fips.jar -Djava.security.properties=/DIR/bcfips.security -Dorg.bouncycastle.fips.approved_only=true -Djavax.net.ssl.trustStore=/DIR/cacerts.bcfks -Djavax.net.ssl.trustStorePassword=changeit
The module path makes both providers available to the JVM, -Djava.security.properties points at the provider configuration shown below (a single "=" merges it with the JDK's java.security; "==" would replace that file completely), -Dorg.bouncycastle.fips.approved_only=true restricts the BCFIPS provider to FIPS approved algorithms only, and the two javax.net.ssl properties point the TLS provider at a trust store in Bouncy Castle's BCFKS format, since the JDK's own cacerts file is not in a format the FIPS provider accepts.
To create the cacerts.bcfks collection of root certificates in Bouncy Castle's BCFKS keystore format from the standard list of root certificates included in the JRE/JDK:
keytool -importkeystore \
  -srckeystore /opt/zing/zing-jdk17/lib/security/cacerts \
  -srcstoretype JKS -srcstorepass changeit \
  -destkeystore /DIR/cacerts.bcfks -deststoretype BCFKS -deststorepass changeit \
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath /DIR/bc-fips.jar
The provider class must be the FIPS one, org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, because that is the class contained in bc-fips.jar and the one that implements the BCFKS keystore type; org.bouncycastle.jce.provider.BouncyCastleProvider is the non-FIPS provider from bcprov and is not present in bc-fips.jar. Note that from JDK 18 on the bundled cacerts file is a password-less PKCS12 file rather than JKS; keytool's JKS type still reads it through its keystore compatibility mode, but -srcstoretype PKCS12 names the actual format there.
Example for the file /DIR/bcfips.security:
# usage: -Djava.security.properties=/DIR/bcfips.security
# If both properties files, the standard java.security and bcfips.security,
# specify values for the same key, the value from bcfips.security is used.
# The entries security.provider.3 and higher need to be copied from the
# existing java.security file of your JRE/JDK; the list below is an example
# (the Apple provider, for instance, is only present on macOS).
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:DEFRND[HMACSHA512];ENABLE{ALL}
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.4=SunRsaSign
security.provider.5=SunEC
security.provider.6=SunJSSE
security.provider.7=SunJCE
security.provider.8=SunJGSS
security.provider.9=SunSASL
security.provider.10=XMLDSig
security.provider.11=SunPCSC
security.provider.12=JdkLDAP
security.provider.13=JdkSASL
security.provider.14=Apple
security.provider.15=SunPKCS11
#
# Make BCFKS the default keystore type and use the PKIX key manager.
keystore.type=BCFKS
ssl.KeyManagerFactory.algorithm=PKIX
Putting BCFIPS and BCJSSE at positions 1 and 2 makes them the first providers consulted for every algorithm lookup; the SUN providers remain in the list so that algorithms the FIPS provider does not implement are still available.
In case your application doesn't indicate in its text output or log files whether the Bouncy Castle FIPS security provider is really enabled, the following page has example code to list the currently active providers: How can one programmatically check if a FIPS compatible security provider is enabled?
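The check program below is an added example; it is not part of this page and not Azul's or Bouncy Castle's own code. It assumes the JVM was started with the options shown above (so bc-fips.jar and bctls-fips.jar are on the module path and bcfips.security is in effect), and the class name FipsCheck and the output format are my own choices. Besides listing the provider order, it confirms that the BCFIPS self-tests passed, that approved-only mode is on, that AES and the default SSLContext are served by the Bouncy Castle providers, and it opens the trust store named by javax.net.ssl.trustStore as BCFKS and counts its certificates, which doubles as a check that the keytool conversion above produced a usable file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsStatus;

// Added example (not from the original page): verifies at runtime that the
// Bouncy Castle FIPS providers are installed and actually used by the JVM.
public class FipsCheck {

    public static void main(String[] args) throws Exception {
        // 1. Print the provider order as installed from bcfips.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("security.provider.%d = %s %s%n",
                    i + 1, providers[i].getName(), providers[i].getVersionStr());
        }

        // 2. Each check prints its own result; "&=" (not "&&") makes sure
        //    every check runs even after an earlier one has failed.
        boolean ok = true;
        ok &= require(Security.getProvider("BCFIPS") != null,
                "BCFIPS provider registered");
        ok &= require(providers.length > 0 && "BCFIPS".equals(providers[0].getName()),
                "BCFIPS is security.provider.1");
        ok &= require(Security.getProvider("BCJSSE") != null,
                "BCJSSE provider registered");
        // FipsStatus reports whether the module's power-up self-tests passed.
        ok &= require(FipsStatus.isReady(),
                "BCFIPS self-tests passed: " + FipsStatus.getStatusMessage());
        // Reflects -Dorg.bouncycastle.fips.approved_only=true.
        ok &= require(CryptoServicesRegistrar.isInApprovedOnlyMode(),
                "approved-only mode is enabled");
        // Reflects keystore.type=BCFKS from bcfips.security.
        ok &= require("BCFKS".equals(KeyStore.getDefaultType()),
                "default keystore type is BCFKS");
        // Algorithm lookups must resolve to the Bouncy Castle providers, not SunJCE/SunJSSE.
        ok &= require("BCFIPS".equals(Cipher.getInstance("AES/GCM/NoPadding").getProvider().getName()),
                "AES/GCM is served by BCFIPS");
        ok &= require("BCJSSE".equals(SSLContext.getDefault().getProvider().getName()),
                "default SSLContext is served by BCJSSE");

        // 3. Open the converted trust store as BCFKS and count trusted certificates.
        String path = System.getProperty("javax.net.ssl.trustStore");
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "");
        if (path == null) {
            ok &= require(false, "javax.net.ssl.trustStore is set");
        } else {
            KeyStore trustStore = KeyStore.getInstance("BCFKS", "BCFIPS");
            try (InputStream in = new FileInputStream(path)) {
                trustStore.load(in, password.toCharArray());
            }
            int certs = 0;
            for (String alias : Collections.list(trustStore.aliases())) {
                if (trustStore.isCertificateEntry(alias)) {
                    certs++;
                }
            }
            ok &= require(certs > 0,
                    "trust store " + path + " opened as BCFKS with " + certs + " trusted certificates");
        }

        System.out.println(ok ? "FIPS provider configuration verified"
                              : "FIPS provider configuration is NOT correct");
        System.exit(ok ? 0 : 1);
    }

    // Prints one check result and returns it so the caller can accumulate the overall status.
    private static boolean require(boolean condition, String description) {
        System.out.println((condition ? "[ OK ] " : "[FAIL] ") + description);
        return condition;
    }
}
```

Compile it with bc-fips.jar on the class path (javac -cp /DIR/bc-fips.jar FipsCheck.java) and run it with exactly the java options from the example above plus -cp . so that the class is found; a non-zero exit status means at least one check printed [FAIL]. Running the same class without the -Djava.security.properties option is a useful negative test: the provider list then starts with SUN and the BCFIPS checks fail, which confirms the check is not trivially passing.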
For Azul Zulu, FIPS 140-2 compliant builds of Zulu 8 and Zulu 11 are available: https://azul.com/contact