Federal Information Processing Standards (FIPS) are standards and guidelines that are
issued by the National Institute of Standards and Technology (NIST) for federal government computer
systems. You can set up Liberty to comply
with FIPS requirements by setting system properties and specifying a FIPS-validated security
provider.
Before you begin
To prepare your Liberty server for FIPS compliance, you must complete the following prerequisites:
For information about running FIPS-compliant Liberty applications with Java 11 or Java 17 on IBM Semeru Runtime, see Run FIPS-compliant applications on the Open Liberty website.
About this task
Federal agencies and other industries rely on cryptography to protect digital information, which is known as data at rest, and communications, which are known as data in motion. FIPS specifies the security requirements that a cryptographic module must satisfy to protect sensitive information. The FIPS certification process requires testing by a NIST-accredited lab and assures users that a specific technology can be used to secure sensitive information. For more information about FIPS, see the National Institute of Standards and Technology.
Procedure
- In the jvm.options file, set the correct system properties to enable FIPS mode for the IBMJSSE2 provider.
For the FIPS 140-2 standard, set the com.ibm.jsse2.usefipsprovider system property to true. You must also set the com.ibm.jsse2.usefipsProviderName property to specify a validated FIPS provider. In the following jvm.options file example, this property specifies IBMJCEPlusFIPS as the FIPS provider:
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
For more information about how to set system properties in the jvm.options file, see Customizing the Liberty environment.
- Add a Java Cryptography Extension (JCE) FIPS security provider to the provider list in the java.security file.
The java.security file is located in the JAVA_HOME/jre/lib/security directory. By default, this file does not include a FIPS security provider. Security providers are listed in the file in order of preference, as specified by the security provider number. In the following java.security file example, the com.ibm.crypto.plus.provider.IBMJCEPlusFIPS security provider is specified as the highest priority security provider:
security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
...
For more information about JCE security provider options, see the IBM SDK, Java Technology Edition 8: Security guide.
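As an added consistency check that is not part of this page or of the Liberty product, the following Python script parses the jvm.options and java.security settings from the two steps above and reports when they disagree. It assumes that the name given in com.ibm.jsse2.usefipsProviderName equals the simple class name of the provider listed as security.provider.1 (true for IBMJCEPlusFIPS) and uses constructed sample file contents.

```python
import re

# Constructed sample files, modeled on the two examples in this page.
JVM_OPTIONS = """\
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
"""
JAVA_SECURITY = """\
# providers in order of preference
security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
"""

def parse_jvm_options(text):
    """Return the -Dkey=value system properties from jvm.options as a dict."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l[2:].split("=", 1) for l in lines if l.startswith("-D") and "=" in l)

def parse_providers(text):
    """Return {N: class} from the security.provider.N=class lines."""
    pairs = re.findall(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)", text, re.M)
    return {int(n): cls for n, cls in pairs}

def check_fips(jvm_text, security_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    props = parse_jvm_options(jvm_text)
    providers = parse_providers(security_text)
    if props.get("com.ibm.jsse2.usefipsprovider", "").lower() != "true":
        findings.append("com.ibm.jsse2.usefipsprovider is not true")
    name = props.get("com.ibm.jsse2.usefipsProviderName")
    if not name:
        findings.append("com.ibm.jsse2.usefipsProviderName is not set")
    first = providers.get(1, "")
    # Assumption: the provider name equals the simple class name, as it
    # does for IBMJCEPlusFIPS; the named provider must hold the top slot.
    if name and first.rsplit(".", 1)[-1] != name:
        findings.append(f"security.provider.1 is '{first}', not {name}")
    # The JDK reads the list until the first missing number, so a gap
    # silently hides every provider listed after it.
    if providers and set(providers) != set(range(1, len(providers) + 1)):
        findings.append("security.provider numbering has a gap")
    return findings
```

Run check_fips against the real files from JAVA_HOME/jre/lib/security and the server's jvm.options; any finding means the FIPS provider is not configured as the page describes.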