Setting up Liberty for FIPS compliance

Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. You can set up Liberty to comply with FIPS requirements by setting system properties and specifying a FIPS-validated security provider.

Before you begin

To prepare your Liberty server for FIPS compliance, you must complete the following prerequisites:

Open Liberty: For information about running FIPS-compliant Liberty applications with Java 11 or Java 17 on IBM Semeru Runtime, see Run FIPS-compliant applications on the Open Liberty website.

About this task

Federal agencies and other industries rely on cryptography to protect digital information, which is known as data at rest, and communications, which are known as data in motion. FIPS specifies the security requirements that a cryptographic module must satisfy to protect sensitive information. The FIPS certification process requires testing by a NIST-accredited lab and assures users that a specific technology can be used to secure sensitive information. For more information about FIPS, see the National Institute of Standards and Technology.

Procedure

  • In the jvm.options file, set the correct system properties to enable FIPS mode for the IBMJSSE2 provider.

    For the FIPS 140-2 standard, set the com.ibm.jsse2.usefipsprovider system property to true. You must also set the com.ibm.jsse2.usefipsProviderName property to specify a validated FIPS provider.

    In the following jvm.options file example, the com.ibm.jsse2.usefipsProviderName property specifies IBMJCEPlusFIPS as the FIPS provider:
    -Dcom.ibm.jsse2.usefipsprovider=true
    -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

    For more information about how to set system properties in the jvm.options file, see Customizing the Liberty environment.

  • Add a Java Cryptography Extension (JCE) FIPS security provider to the provider list in the java.security file.

    The java.security file is located in the JAVA_HOME/jre/lib/security directory. By default, this file does not include a FIPS security provider. Security providers are listed in the file by order of preference, as specified by the security provider number.

    In the following java.security file example, the com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security provider is specified as the highest priority security provider:
    security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
    security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    ...

    For more information about JCE security provider options, see the IBM SDK, Java Technology Edition 8: Security guide.
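    Setting the two jvm.options properties and reordering the java.security provider list are easy to get subtly wrong (a typo in the provider name, or a non-FIPS provider left at position 1), and the JVM does not complain; it simply keeps serving algorithms from whichever provider is first. The following class is an added verification example, not code from IBM or from Liberty. It runs both checks from the procedure above against a live JVM: that the properties are set and name a registered provider, that the FIPS provider is first in preference order, and that an ordinary algorithm request is actually served by it. The property names and the provider class come from this page; the assumption that com.ibm.crypto.plus.provider.IBMJCEPlusFIPS registers under the short name IBMJCEPlusFIPS is the example's own, and the class and method names are hypothetical.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/**
 * FipsProviderCheck: added verification example, not IBM's or Liberty's own code.
 * Run it on the same JVM and with the same jvm.options settings the Liberty server
 * uses, so that the java.security file the server reads is the one being checked:
 *
 *   java -Dcom.ibm.jsse2.usefipsprovider=true \
 *        -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS FipsProviderCheck
 */
public class FipsProviderCheck {

    // Property names as given in the jvm.options step of the procedure.
    static final String USE_FIPS_PROP = "com.ibm.jsse2.usefipsprovider";
    static final String FIPS_NAME_PROP = "com.ibm.jsse2.usefipsProviderName";
    // Assumption: the provider class from the java.security example registers
    // itself under this short name.
    static final String DEFAULT_FIPS_PROVIDER = "IBMJCEPlusFIPS";

    /** Step 1: both jvm.options properties must be present and consistent. */
    static List<String> checkSystemProperties() {
        List<String> problems = new ArrayList<>();
        if (!"true".equalsIgnoreCase(System.getProperty(USE_FIPS_PROP))) {
            problems.add(USE_FIPS_PROP + " is not set to true");
        }
        String name = System.getProperty(FIPS_NAME_PROP);
        if (name == null || name.isEmpty()) {
            problems.add(FIPS_NAME_PROP + " is not set");
        } else if (Security.getProvider(name) == null) {
            problems.add(FIPS_NAME_PROP + " names '" + name
                + "', which is not registered in java.security");
        }
        return problems;
    }

    /** Step 2: the FIPS provider must be security.provider.1, i.e. first in preference order. */
    static List<String> checkProviderOrder(String fipsProviderName) {
        List<String> problems = new ArrayList<>();
        Provider[] providers = Security.getProviders(); // returned in preference order
        if (providers.length == 0 || !fipsProviderName.equals(providers[0].getName())) {
            String first = providers.length == 0 ? "<none>" : providers[0].getName();
            problems.add("first provider is " + first + ", expected " + fipsProviderName);
        }
        // Whichever provider is first wins algorithm lookups, so confirm that a plain
        // request for a FIPS-approved algorithm is served by the FIPS provider and not
        // by a non-FIPS provider that was left ahead of it.
        try {
            String served = MessageDigest.getInstance("SHA-256").getProvider().getName();
            if (!fipsProviderName.equals(served)) {
                problems.add("SHA-256 is served by " + served + ", not " + fipsProviderName);
            }
        } catch (NoSuchAlgorithmException e) {
            problems.add("no provider offers SHA-256: " + e.getMessage());
        }
        return problems;
    }

    /** Runs both checks; an empty list means the configuration matches the procedure. */
    static List<String> runAllChecks() {
        List<String> problems = new ArrayList<>(checkSystemProperties());
        String configured = System.getProperty(FIPS_NAME_PROP, DEFAULT_FIPS_PROVIDER);
        problems.addAll(checkProviderOrder(configured));
        return problems;
    }

    public static void main(String[] args) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + "=" + providers[i].getName());
        }
        List<String> problems = runAllChecks();
        if (problems.isEmpty()) {
            System.out.println("OK: FIPS provider configuration matches the procedure");
            return;
        }
        for (String p : problems) {
            System.out.println("FAIL: " + p);
        }
        System.exit(1); // non-zero so a deployment script can stop before starting the server
    }
}
```

    Because the check reads the provider list of the JVM it runs in, run it with the Java that Liberty uses, not with whatever java is first on the PATH; a FIPS provider that is correctly listed in one JAVA_HOME/jre/lib/security/java.security file is absent from every other installation's copy.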