Configure a FIPS 140-2 Compliant Java Provider on RedHat/CentOS/Fedora

If you're using any form of cryptography in Java, you might be aware of NIST FIPS 140-2, which lays out what you can and cannot use on federal information processing systems.

Oracle documentation, true to form, only gets you 80% of the way there.  Here's their technical notes on FIPS 140 compliance.

So here are the step-by-step instructions for configuring java with a FIPS-compliant Provider (SunPKCS11-NSS).

First, you need to install the libraries if you haven't already.  These are written by Mozilla, and have gone through NIST's Cryptographic Module Validation Program (CMVP).  Luckily, they're available for RedHat/CentOS/Fedora, and can be installed through yum.

sudo yum install nss-pkcs11-devel
 Next, you need to configure your JRE to add the provider.  You do this by editing ${jre.home}/lib/security/java.security and adding a reference to the SunPKCS11 provider.

On my Fedora 19 box, I have both the OpenJDK and SunJDK installed.  Here are the locations of their JREs on my box.

OpenJDK:
cd /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.3.0.fc19.x86_64/jre/lib/security
sudo vim java.security
SunJDK:
cd /usr/java/jdk1.7.0_15/jre/lib/security
sudo vim java.security
Be careful that you don't update one and then run your app on the other.  I just configured both and now I can run my apps on either.

Anyway, in the picture below, you'll notice that I've added:
security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

In the same directory, edit (or create if it isn't there) your nss.cfg:
sudo vim nss.cfg
The only change I had to make to this file was to set 'nssLibraryDirectory' to /usr/lib64, which is where your libnss3.so library was installed when you ran 'yum install' earlier.

Now, you may use the SunPKCS11-NSS provider in your Java applications, which is FIPS-compliant.  Here's a tiny app that creates a java.security.Signature for creating digital signatures.  It is configured to use the SHA256withRSA algorithm via the SunPKCS11-NSS provider.
 This program just loads the Signature instance - it doesn't do anything with it.  If the program runs without printing a stack trace, then you've successfully configured Java with a FIPS-compliant provider.

You can compile and run your program thus:



Comments

  1. UnknownFebruary 24, 2014 at 4:16 AM

    Hi John, Its very helpful! May I know if you can share how to enable Tomcact 7 FIPS compliant?

    ReplyDelete
  2. John RuizFebruary 24, 2014 at 9:30 AM

    I'm sorry, I don't know how you might do that.

    ReplyDelete
  3. UnknownMarch 18, 2014 at 7:15 AM

    Hi John, I tried the above but still getting an error java.security.NoSuchProviderException: no such provider: .SunPKCS11-NSS. Any help on what could be the issue. I am doing this on CentOS 6.4.

    Thanks

    ReplyDelete
    Replies
    1. UnknownMarch 18, 2014 at 7:18 AM

      Pls ignore the provider name as configured wrongly. It is working.

      Thanks,

      Delete
  4. Piranthans..December 5, 2014 at 2:02 AM

    Thank you for sharing. Appreciate you for sharing the configuration example. It made my day.

    ReplyDelete
  5. UnknownJune 15, 2016 at 2:23 PM

    Hello,
    I don't think it's considered strictly fips compliant unless NSS is configured as such (either by setting "nssModule = fips" in the config file, or if secmod.db is set to be compliant, which will enable NSS fips compliance by default).

    ReplyDelete
  6. AnonymousOctober 25, 2016 at 8:43 PM

    Right Viviek, Above configuration is not at all FIPS compliant. The above configuration is just configuring cryptography provider as NSS. That's All.

    Please see http://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#NSS.

    ReplyDelete
  7. pgslot-gamesJanuary 24, 2022 at 2:24 AM


    pg slot เว็บตรง

    ReplyDelete

Post a Comment

Popular posts from this blog

Establishing a SSL connection to RabbitMQ using the .NET client

Image
First, I'm making the assumption that you've read, re-read, and followed the SSL tutorial on rabbitmq's website .  If you haven't done everything that it's instructed you to do (including adding your certificates to the Windows Certificate Store using certmgr), none of this code is going to work for you.  If you have, this code should "Just Work™". Here's the complete code file that works for me.  You will (obviously) need to change the names of the servers, and the thumbprint of your certificate. Note that this code only uses your client and server's certificates to establish a secure connection.  You are still logging in as guest.  I will show you how to use your client certificate to authenticate yourself below. using System; using System.Linq; using System.Security.Cryptography.X509Certificates; using System.Text; using RabbitMQ.Client; using RabbitMQ.Util; namespace RabbitSslTest {     class Program     {         static void Main(string[
Read more

Join CentOS to a Windows Domain

Image
3/26/2012 update: I've now done this on CentOS 6.2 as well. Since I've had to do this a number of times in the last few months, I thought I should post this here so I can't forget it. Here's some specifics on what I'm using: Windows Server 2008 R2 As dc1.devexample.com (192.168.0.201) As Primary Domain Controller of devexample.com As Windows Server 2008 R2 forest functional level CentOS 5 / CentOS 6 As app01.devexample.com (192.168.0.203) Samba 3.5.6 / Samba 3.6.3 An internet connection. If you are not going to have an internet connection, you'll want to pre-download the files you'll need. I suggest using 'yum downloadonly' to get them. I've spun up a brand new CentOS 5.5 VM and logged in. Oh man, does anyone else just love logging into a fresh install? Is my nerd showing? Sorry! The first thing I need to do is take on great responsibility, so for that I'm going to need great power: let's add my account to the su
Read more

Invalid provider type specified when accessing X509Certificate2.PrivateKey

Today, I was attempting to digitally sign a byte array with my private key so that I could produce an event on the event bus and a consumer could ensure that the message came from me and was not modified while in transit. public byte[] SignData(byte[] data) {   X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);   certStore.Open(OpenFlags.ReadOnly);   // the DN I get is CN=name,CN=Users,DC=example,DC=com   // but the DN on the cert has spaces after each comma   string spacedDN = UserPrincipal.Current.DistinguishedName.Replace(",", ", ");   X509Certificate2 cert = certStore.Certificates     .Find(       X509FindType.FindBySubjectDistinguishedName,       spacedDN,       true)     .OfType<X509Certificate2>()     .FirstOrDefault();   if (null == cert) { // handle no cert }   RSACryptoServiceProvider rsaProvider = cert.PrivateKey as RSACryptoServiceProvider;   return rsaProvider.SignData(data, n
Read more