Chapter 2. FIPS settings in Red Hat build of OpenJDK 21
At startup, Red Hat build of OpenJDK 21 checks if the system FIPS policy is enabled. If this policy is enabled, Red Hat build of OpenJDK 21 performs a series of automatic configurations that are intended to help Java applications to comply with FIPS requirements.
These automatic configurations include the following actions:
- Installing a restricted list of security providers that contains the FIPS-certified Network Security Services (NSS) software token module for cryptographic operations
- Enforcing the Red Hat Enterprise Linux (RHEL) FIPS crypto-policy for Java that limits the algorithms and parameters available
If FIPS mode is enabled in the system while a JVM instance is running, the JVM instance must be restarted to allow changes to take effect.
You can configure Red Hat build of OpenJDK 21 to bypass the described FIPS automation. For example, you might want to achieve FIPS compliance through a Hardware Security Module (HSM) instead of the NSS software token module.
You can specify FIPS configurations by using system or security properties.
To better understand FIPS properties, you must understand the following JDK property classes:
-
System properties are JVM arguments prefixed with
-D
, which generally take the form of‑Dproperty.name=property.value
. Privileged access is not required to pass any of these values. Only the launched JVM is affected by the configuration, and persistence depends on the existence of a launcher script. UTF-8 encoded values are valid for system properties. -
Security properties are available in
$JRE_HOME/conf/security/java.security
or in the file that thejava.security.properties
system property points to. Privileged access is required to modify values in the$JRE_HOME/conf/security/java.security
file. Any modification to this file persists and affects all instances of the same Red Hat build of OpenJDK 21 deployment. Non-Basic Latin Unicode characters must be encoded with\uXXXX
.
When system and security properties have the same name and are set to different values, the system property takes precedence. Depending on their configuration, properties might affect other properties with different names.
For more information about security properties and their default values, see the java.security
file.
The following list details properties that affect the FIPS configuration for Red Hat build of OpenJDK 21:
Property | Type | Default value | Description |
---|---|---|---|
| Security |
|
When set to |
| System |
|
When set to |
| System |
|
When set to |
| Security |
|
This property sets the default keystore type when Red Hat build of OpenJDK 21 is in FIPS mode. Supported values are |
In addition to the previously described settings, specific configurations can be applied to use NSS DB keystores in FIPS mode. These keystores are handled by the SunPKCS11
security provider and the NSS software token, which is the security provider’s PKCS#11
back end.
The following list details the NSS DB FIPS properties for Red Hat build of OpenJDK 21:
Property | Type | Default value | Description |
---|---|---|---|
| System or Security |
| File-system path that points to the NSS DB location.
The syntax for this property is identical to the |
| System or Security |
|
PIN (password) for the NSS DB that You can use this property to pass the NSS DB PIN in one of the following forms:
The
The Note
If a cryptographic operation requires NSS DB authentication and the status is not authenticated, Red Hat build of OpenJDK 21 performs an implicit login with this PIN value. An application can perform an explicit login by invoking |
Perform a security assessment, so that you can decide on a configuration that protects the integrity and confidentiality of the stored keys and certificates. This assessment should consider threats, contextual information, and other security measures in place, such as operating system user isolation and file-system permissions. For example, default configuration values might not be appropriate for an application storing keys and running in a multi-user environment. Use the modutil
tool in RHEL to create and manage NSS DB keystores, and use certutil
or keytool
to import certificates and keys.
Additional resources
- For more information about enabling FIPS mode, see Switching the system to FIPS mode.