Closed colvinco closed 1 year ago
We haven't tested Liberty with Bouncy Castle as the JSSE provider. From your report it sounds like it doesn't work.
FIPS 140-2 is being replaced with FIPS 140-3 so you can't get new certifications for it and the existing ones are starting to expire out. I'm not aware of a FIPS 140-3 certified JSSE either.
When we documented FIPS we chose to focus on working FIPS certified JSSE implementations, which are on IBM Java 8, or for Semeru on Red Hat. You could possibly configure JSSE in Semeru to just allow the FIPS compatible options, but I don't know what those options would be.
Hello. We have a Java 11 application in Liberty, and would like to be able to configure Liberty in a FIPS 140-2 compliant manner on Windows Server 2016.
The documented support for FIPS compliance with Java 11 uses Semeru, and "support for FIPS with Semeru Runtimes is available only on Red Hat Enterprise Linux (RHEL) 8 on x86 platforms". I believe that IBM SDK 8 would have been an option on Windows if our application was still on Java 8, but Semeru is Linux/AIX only.
-Dorg.bouncycastle.fips.approved_only=true
as the RSA key size for LTPA is only 1024 bits), however when I actually make a request to the application, the SSL handshake times out and doesn't give an obvious reason for not completing. (Note: without the BC FIPS module HTTPS is working normally.)
JSSEProviderFactory
since then. Has anyone had any success with it? Thanks
For reference, I've got my java.security configured with
My jvm.options has
If I include
-Dorg.bouncycastle.fips.approved_only=true
in it then I get
So I know that BC is definitely being invoked.