Chapter 2. FIPS settings in Red Hat build of OpenJDK 17

PDF

At startup, Red Hat build of OpenJDK 17 checks if the system FIPS policy is enabled. If this policy is enabled, Red Hat build of OpenJDK 17 performs a series of automatic configurations that are intended to help Java applications to comply with FIPS requirements.

These automatic configurations include the following actions:

Installing a restricted list of security providers that contains the FIPS-certified Network Security Services (NSS) software token module for cryptographic operations
Enforcing the Red Hat Enterprise Linux (RHEL) FIPS crypto-policy for Java that limits the algorithms and parameters available

Note

If FIPS mode is enabled in the system while a JVM instance is running, the JVM instance must be restarted to allow changes to take effect.

You can configure Red Hat build of OpenJDK 17 to bypass the described FIPS automation. For example, you might want to achieve FIPS compliance through a Hardware Security Module (HSM) instead of the NSS software token module.

You can specify FIPS configurations by using system or security properties.

To better understand FIPS properties, you must understand the following JDK property classes:

System properties are JVM arguments prefixed with -D, which generally take the form of ‑Dproperty.name=property.value. Privileged access is not required to pass any of these values. Only the launched JVM is affected by the configuration, and persistence depends on the existence of a launcher script. UTF-8 encoded values are valid for system properties.
Security properties are available in $JRE_HOME/conf/security/java.security or in the file that the java.security.properties system property points to. Privileged access is required to modify values in the $JRE_HOME/conf/security/java.security file. Any modification to this file persists and affects all instances of the same Red Hat build of OpenJDK 17 deployment. Non-Basic Latin Unicode characters must be encoded with \uXXXX.

When system and security properties have the same name and are set to different values, the system property takes precedence. Depending on their configuration, properties might affect other properties with different names.

For more information about security properties and their default values, see the java.security file.

The following list details properties that affect the FIPS configuration for Red Hat build of OpenJDK 17:

Property	Type	Default value	Description
`security.useSystemPropertiesFile`	Security	`true`	When set to `false`, this property disables the FIPS automation, which includes global crypto-policies alignment.
`java.security.disableSystemPropertiesFile`	System	`false`	When set to `true`, this property disables the FIPS automation, which includes global crypto-policies alignment. This has the same effect as a `security.useSystemPropertiesFile=false` security property. If both properties are set to different behaviors, `java.security.disableSystemPropertiesFile` takes precedence.
`com.redhat.fips`	System	`true`	When set to `false`, this property disables the FIPS automation while still enforcing the FIPS crypto-policy. If any of the preceding properties are set to disable the FIPS automation, this property has no effect. Crypto-policies are a prerequisite for FIPS automation.
`fips.keystore.type`	Security	`PKCS12`	This property sets the default keystore type when Red Hat build of OpenJDK 17 is in FIPS mode. Supported values are `PKCS12` and `PKCS11`.

In addition to the previously described settings, specific configurations can be applied to use NSS DB keystores in FIPS mode. These keystores are handled by the SunPKCS11 security provider and the NSS software token, which is the security provider’s PKCS#11 back end.

The following list details the NSS DB FIPS properties for Red Hat build of OpenJDK 17:

Property Type Default value Description

Property	Type	Default value	Description
`fips.nssdb.path`	System or Security	`sql:/etc/pki/nssdb`	File-system path that points to the NSS DB location. The syntax for this property is identical to the `nssSecmodDirectory` attribute available in the `SunPKCS11` NSS configuration file. The property allows an `sql:` prefix to indicate that the referred NSS DB is of SQLite type.
`fips.nssdb.pin`	System or Security	`pin:` (empty PIN)	PIN (password) for the NSS DB that `fips.nssdb.path` points to. You can use this property to pass the NSS DB PIN in one of the following forms: `pin:<value>` In this situation, `<value>` is a clear text PIN value (for example, `pin:1234abc`). `env:<value>` In this situation, `<value>` is an environment variable that contains the PIN value (for example, `env:NSSDB_PIN_VAR`). `file:<value>` In this situation, `<value>` is the path to a UTF-8 encoded file that contains the PIN value in its first line (for example, `file:/path/to/pin.txt`). The `pin:<value>` option accommodates both cases in which the PIN value is passed as a JVM argument or programmatically through a system property. Programmatic setting of the PIN value provides flexibility for applications to decide how to obtain the PIN. The `file:<value>` option is compatible with NSS `modutil -pwfile` and `-newpwfile` arguments, which are used for an NSS DB PIN change. Note If a cryptographic operation requires NSS DB authentication and the status is not authenticated, Red Hat build of OpenJDK 17 performs an implicit login with this PIN value. An application can perform an explicit login by invoking `KeyStore::load` before any cryptographic operation.

fips.nssdb.path

System or Security

sql:/etc/pki/nssdb

File-system path that points to the NSS DB location.

The syntax for this property is identical to the nssSecmodDirectory attribute available in the SunPKCS11 NSS configuration file. The property allows an sql: prefix to indicate that the referred NSS DB is of SQLite type.

fips.nssdb.pin

System or Security

pin:
(empty PIN)

PIN (password) for the NSS DB that fips.nssdb.path points to.

You can use this property to pass the NSS DB PIN in one of the following forms:

pin:<value>
In this situation, <value> is a clear text PIN value (for example, pin:1234abc).
env:<value>
In this situation, <value> is an environment variable that contains the PIN value (for example, env:NSSDB_PIN_VAR).
file:<value>
In this situation, <value> is the path to a UTF-8 encoded file that contains the PIN value in its first line (for example, file:/path/to/pin.txt).

The pin:<value> option accommodates both cases in which the PIN value is passed as a JVM argument or programmatically through a system property. Programmatic setting of the PIN value provides flexibility for applications to decide how to obtain the PIN.

The file:<value> option is compatible with NSS modutil -pwfile and -newpwfile arguments, which are used for an NSS DB PIN change.

Note

If a cryptographic operation requires NSS DB authentication and the status is not authenticated, Red Hat build of OpenJDK 17 performs an implicit login with this PIN value. An application can perform an explicit login by invoking KeyStore::load before any cryptographic operation.

Important

Perform a security assessment, so that you can decide on a configuration that protects the integrity and confidentiality of the stored keys and certificates. This assessment should consider threats, contextual information, and other security measures in place, such as operating system user isolation and file-system permissions. For example, default configuration values might not be appropriate for an application storing keys and running in a multi-user environment. Use the modutil tool in RHEL to create and manage NSS DB keystores, and use certutil or keytool to import certificates and keys.

Additional resources

For more information about enabling FIPS mode, see Switching the system to FIPS mode.

Chapter 2. FIPS settings in Red Hat build of OpenJDK 17

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Red Hat legal and privacy links

Red Hat legal and privacy links