Enabling FIPS 140-3

Enable FIPS 140-3 mode in IBM® Semeru Certified Edition for z/OS® by setting system properties at startup to activate the OpenJCEPlusFIPS provider and enforce NIST cryptographic constraints.

About this task

FIPS 140-3 mode is enabled by setting two system properties at JVM startup. This configuration gives the OpenJCEPlusFIPS provider the highest priority and enforces the cryptographic constraints defined in the NIST security policy.

Procedure

  1. Add the following arguments to your JVM startup command to activate FIPS 140-3 mode:
    • -Dsemeru.fips=true - Master switch that enables the FIPS 140-3 restricted security mode
    • -Dsemeru.customprofile=[ProfileName] - Specifies the enforcement level
  2. Select a restricted security profile based on your security requirements:

    IBM Semeru Runtimes provide three distinct profiles to balance strict FIPS 140-3 alignment with application compatibility.

    Table 1. Restricted security profiles
    Profile name | Description | Recommended use
    OpenJCEPlusFIPS.FIPS140-3 | Strict profile: only NIST-approved algorithms are allowed; non-approved providers are removed. | High-security production environments that require full FIPS 140-3 conformity.
    OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced | Balanced profile: builds on the strict profile while allowing essential services such as PKCS12 and RMI (with specific configurations). | Applications that require standard keystore support while maintaining high assurance.
    OpenJCEPlusFIPS.FIPS140-3-Weakly-Enforced | Default profile: prefers FIPS algorithms but allows common non-cryptographic algorithms for legacy support. | Initial migration testing, or applications with mixed security requirements.

    For more information about profiles, see FIPS 140-3 cryptography solution in IBM Semeru Runtimes.

    Note: You can also create custom profile extensions that inherit from these base profiles. For more information, see Profile extensions in the post-requisites section.
  3. Run your application with the selected FIPS 140-3 profile:

    Example command using the strict FIPS 140-3 profile:

    java -Dsemeru.fips=true \
         -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3 \
         -jar your-application.jar
  4. Verify that FIPS 140-3 mode is active:

    Check the internal system property com.ibm.fips.mode. If the configuration is successful, its value is 140-3.
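    The verification in step 4, worked into a startup self-check that a deployment script can gate on. This is an added example, not code from IBM's documentation or from the Semeru runtime; it assumes the provider registers under the name OpenJCEPlusFIPS and treats MD5 as a representative non-approved algorithm that the strict profile removes, so the last two checks are expectations to confirm on your platform rather than guaranteed outcomes.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

/** Startup self-check; run with the -Dsemeru.fips / -Dsemeru.customprofile arguments from step 1. */
public final class FipsModeCheck {
    /** True only when the runtime reports FIPS 140-3 mode (com.ibm.fips.mode = 140-3). */
    static boolean isFips140_3Active() {
        return "140-3".equals(System.getProperty("com.ibm.fips.mode"));
    }

    /** True when OpenJCEPlusFIPS (assumed provider name) holds the highest priority. */
    static boolean fipsProviderIsFirst() {
        Provider[] providers = Security.getProviders();
        return providers.length > 0 && "OpenJCEPlusFIPS".equals(providers[0].getName());
    }

    /** True when a loaded profile rejects a programmatic provider override with SecurityException. */
    static boolean securityPropertiesLocked() {
        try {
            // Re-inserting an installed provider is a no-op outside FIPS mode; a locked profile refuses it.
            Security.insertProviderAt(Security.getProviders()[0], 1);
            return false;
        } catch (SecurityException expected) {
            return true;
        }
    }

    /** True when a non-approved algorithm (MD5, assumed here) is unavailable from every provider. */
    static boolean nonApprovedAlgorithmBlocked() {
        try {
            MessageDigest.getInstance("MD5");
            return false;
        } catch (NoSuchAlgorithmException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("semeru.customprofile = " + System.getProperty("semeru.customprofile"));
        System.out.println("com.ibm.fips.mode    = " + System.getProperty("com.ibm.fips.mode"));
        System.out.println("OpenJCEPlusFIPS first: " + fipsProviderIsFirst());
        System.out.println("overrides locked     : " + securityPropertiesLocked());
        System.out.println("MD5 blocked          : " + nonApprovedAlgorithmBlocked());
        // Non-zero exit lets a deployment script refuse to continue when the mode is off.
        System.exit(isFips140_3Active() ? 0 : 1);
    }
}
```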

Results

The application runs in FIPS 140-3 mode with the selected security profile enforcing cryptographic constraints.

What to do next

  1. Profile enforcement behavior - The behavior of IBM Semeru Runtime and the OpenJCEPlusFIPS provider varies based on the selected profile. The following table shows how the runtime handles activation failures and enforcement.
    Table 2. Runtime activation failure and enforcement behavior
    Profile | Failure behavior | Enforcement logic
    OpenJCEPlusFIPS.FIPS140-3 | Fail-fast. The JVM typically throws an InternalError or a ConfigurationException during provider initialization if the module cannot enter FIPS mode. | Non-FIPS algorithms are disabled or removed from the provider list.
    OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced | Balanced. If the self-tests fail, the provider enters an error state and subsequent cryptographic calls fail. | Blocks the use of non-approved algorithms but allows the JVM to start.
    OpenJCEPlusFIPS.FIPS140-3-Weakly-Enforced | Permissive, intended mainly for migration. If FIPS cannot activate, the runtime may log a warning and continue with non-FIPS implementations. | Allows side-by-side execution of FIPS and non-FIPS algorithms.
  2. Important considerations
    Programmatic overrides
    Once a FIPS profile is loaded, security properties are locked. Any attempt to use Security.setProperty() or Security.insertProviderAt() to bypass the profile results in a SecurityException.
    Hardware requirements
    Ensure that you are running on a supported, certified 64-bit platform. If the platform is not supported, the JVM fails to start when these properties are present.
    Profile extensions
    You can customize security configurations by building upon existing restricted security profiles. This mechanism functions similarly to class inheritance in Java™, where a new profile inherits all properties of a base profile but can selectively override or supplement them. For more information, see FIPS 140-3 enablement guide.
  3. Additional resources

    For more information, see the following resources.