Chapter 2. FIPS settings in Red Hat build of OpenJDK 21


At startup, Red Hat build of OpenJDK 21 checks if the system FIPS policy is enabled. If this policy is enabled, Red Hat build of OpenJDK 21 performs a series of automatic configurations that are intended to help Java applications to comply with FIPS requirements.

These automatic configurations include the following actions:

  • Installing a restricted list of security providers that contains the FIPS-certified Network Security Services (NSS) software token module for cryptographic operations
  • Enforcing the Red Hat Enterprise Linux (RHEL) FIPS crypto-policy for Java that limits the algorithms and parameters available

Note

If FIPS mode is enabled in the system while a JVM instance is running, the JVM instance must be restarted to allow changes to take effect.

You can configure Red Hat build of OpenJDK 21 to bypass the described FIPS automation. For example, you might want to achieve FIPS compliance through a Hardware Security Module (HSM) instead of the NSS software token module.

You can specify FIPS configurations by using system or security properties.

To better understand FIPS properties, you must understand the following JDK property classes:

  • System properties are JVM arguments prefixed with -D, which generally take the form of -Dproperty.name=property.value. Privileged access is not required to pass any of these values. Only the launched JVM is affected by the configuration, and persistence depends on the existence of a launcher script. UTF-8 encoded values are valid for system properties.
  • Security properties are available in $JRE_HOME/conf/security/java.security or in the file that the java.security.properties system property points to. Privileged access is required to modify values in the $JRE_HOME/conf/security/java.security file. Any modification to this file persists and affects all instances of the same Red Hat build of OpenJDK 21 deployment. Non-Basic Latin Unicode characters must be encoded with \uXXXX.

When system and security properties have the same name and are set to different values, the system property takes precedence. Depending on their configuration, properties might affect other properties with different names.

For more information about security properties and their default values, see the java.security file.

The following list details properties that affect the FIPS configuration for Red Hat build of OpenJDK 21:

Property: security.useSystemPropertiesFile
  Type: Security
  Default value: true
  Description: When set to false, this property disables the FIPS automation, which includes global crypto-policies alignment.

Property: java.security.disableSystemPropertiesFile
  Type: System
  Default value: false
  Description: When set to true, this property disables the FIPS automation, which includes global crypto-policies alignment. This has the same effect as the security.useSystemPropertiesFile=false security property. If the two properties are set to conflicting values, java.security.disableSystemPropertiesFile takes precedence.

Property: com.redhat.fips
  Type: System
  Default value: true
  Description: When set to false, this property disables the FIPS automation while still enforcing the FIPS crypto-policy. If either of the preceding properties is already set to disable the FIPS automation, this property has no effect. Crypto-policies are a prerequisite for the FIPS automation.

Property: fips.keystore.type
  Type: Security
  Default value: PKCS12
  Description: Sets the default keystore type when Red Hat build of OpenJDK 21 is in FIPS mode. Supported values are PKCS12 and PKCS11.
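The following added example (not code from the Red Hat documentation) applies the precedence rules just described to the properties visible at runtime and reports what the JVM actually installed, so an operator can confirm that the FIPS automation is in effect rather than assume it. It only evaluates the property switches; whether the system FIPS policy itself is enabled is checked by the JVM, not here.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;

/**
 * Added example: derives whether the FIPS automation was requested, following
 * the documented precedence of the three switches, and lists what the running
 * JVM installed. Run it with the same -D arguments as the real application.
 */
public class FipsStatusCheck {

    /** true if none of the documented properties turns the FIPS automation off. */
    static boolean fipsAutomationRequested() {
        // The system property wins over security.useSystemPropertiesFile when both are set.
        String disable = System.getProperty("java.security.disableSystemPropertiesFile");
        boolean automationOff = (disable != null)
                ? Boolean.parseBoolean(disable)
                : "false".equalsIgnoreCase(Security.getProperty("security.useSystemPropertiesFile"));
        if (automationOff) {
            return false;
        }
        // com.redhat.fips=false disables the automation but still enforces the crypto-policy.
        return !"false".equalsIgnoreCase(System.getProperty("com.redhat.fips", "true"));
    }

    /** true if a SunPKCS11 provider (the front end of the NSS software token) is installed. */
    static boolean nssTokenProviderInstalled() {
        for (Provider p : Security.getProviders()) {
            // SunPKCS11 instances are named "SunPKCS11-<configuration name>".
            if (p.getName().startsWith("SunPKCS11")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("FIPS automation requested : " + fipsAutomationRequested());
        System.out.println("SunPKCS11 provider present: " + nssTokenProviderInstalled());
        System.out.println("Default keystore type     : " + KeyStore.getDefaultType());
        System.out.println("Installed providers, in precedence order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersionStr());
        }
    }
}
```

A run that reports the automation as requested but no SunPKCS11 provider and a PKCS12 default type is the case to investigate: either the system FIPS policy is off or the JVM was started before it was enabled.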

In addition to the previously described settings, specific configurations can be applied to use NSS DB keystores in FIPS mode. These keystores are handled by the SunPKCS11 security provider and the NSS software token, which is the security provider’s PKCS#11 back end.

The following list details the NSS DB FIPS properties for Red Hat build of OpenJDK 21:

Property: fips.nssdb.path
  Type: System or Security
  Default value: sql:/etc/pki/nssdb
  Description: File-system path that points to the NSS DB location. The syntax for this property is identical to the nssSecmodDirectory attribute available in the SunPKCS11 NSS configuration file. The property allows an sql: prefix to indicate that the referred NSS DB is of SQLite type.

Property: fips.nssdb.pin
  Type: System or Security
  Default value: pin: (empty PIN)
  Description: PIN (password) for the NSS DB that fips.nssdb.path points to. You can use this property to pass the NSS DB PIN in one of the following forms:

  • pin:<value>

    <value> is a clear-text PIN value (for example, pin:1234abc).

  • env:<value>

    <value> is the name of an environment variable that contains the PIN value (for example, env:NSSDB_PIN_VAR).

  • file:<value>

    <value> is the path to a UTF-8 encoded file that contains the PIN value in its first line (for example, file:/path/to/pin.txt).

The pin:<value> form covers both the case in which the PIN is passed as a JVM argument and the case in which it is set programmatically through a system property. Setting the PIN programmatically gives applications the flexibility to decide how to obtain it.

The file:<value> form is compatible with the NSS modutil -pwfile and -newpwfile arguments, which are used for an NSS DB PIN change.

Note

If a cryptographic operation requires NSS DB authentication and the status is not authenticated, Red Hat build of OpenJDK 21 performs an implicit login with this PIN value. An application can perform an explicit login by invoking KeyStore::load before any cryptographic operation.
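The following added example (not code from the Red Hat documentation or the JDK) shows an application performing the explicit login described above. Its resolvePin method mirrors the three documented fips.nssdb.pin forms so the application can read the same setting it passes to the JVM; the JDK resolves the property internally with its own code. The environment variable name NSSDB_PIN_VAR is the page's example; the keystore type PKCS11 assumes fips.keystore.type=PKCS11 or an explicit request for the NSS DB keystore.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example: resolves a fips.nssdb.pin specification (pin:, env:, file:)
 * and logs in to the NSS DB explicitly through KeyStore.load, before any
 * cryptographic operation triggers the implicit login.
 */
public class NssDbExplicitLogin {

    /** Resolves pin:<value>, env:<value> or file:<value> to the clear-text PIN. */
    static char[] resolvePin(String spec) throws IOException {
        if (spec.startsWith("pin:")) {
            return spec.substring(4).toCharArray();
        }
        if (spec.startsWith("env:")) {
            String v = System.getenv(spec.substring(4));
            if (v == null) {
                throw new IllegalStateException("PIN environment variable not set: " + spec);
            }
            return v.toCharArray();
        }
        if (spec.startsWith("file:")) {
            // Only the first line of the UTF-8 file holds the PIN (modutil -pwfile layout).
            return Files.readAllLines(Path.of(spec.substring(5)), StandardCharsets.UTF_8)
                        .stream().findFirst().orElse("").toCharArray();
        }
        throw new IllegalArgumentException("unsupported fips.nssdb.pin form: " + spec);
    }

    public static void main(String[] args) throws Exception {
        // Default to env: so the PIN never appears on the command line or in process listings.
        String spec = System.getProperty("fips.nssdb.pin", "env:NSSDB_PIN_VAR");
        char[] pin = resolvePin(spec);
        try {
            // load() authenticates against the NSS DB that fips.nssdb.path points to.
            KeyStore ks = KeyStore.getInstance("PKCS11");
            ks.load(null, pin);
            System.out.println("explicit NSS DB login succeeded; entries: " + ks.size());
        } finally {
            Arrays.fill(pin, '\0'); // scrub the PIN from memory once the login is done
        }
    }
}
```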

Important

Perform a security assessment to decide on a configuration that protects the integrity and confidentiality of the stored keys and certificates. This assessment should consider threats, contextual information, and other security measures in place, such as operating system user isolation and file-system permissions. For example, the default configuration values might not be appropriate for an application that stores keys and runs in a multi-user environment. Use the modutil tool in RHEL to create and manage NSS DB keystores, and use certutil or keytool to import certificates and keys.

© 2024 Red Hat, Inc.