Configuring FIPS (Federal Information Processing Standards) on Jive JVM

Document created by alex.leshchenko on Jun 23, 2020

To configure FIPS on the Jive JVM, follow the steps below:

1) First, make sure we are using the Corretto JVM. Jive release 9.1.0 provides Corretto:

java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment Corretto-8.212.04.2 (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM Corretto-8.212.04.2 (build 25.212-b04, mixed mode)

Note: JAVA_HOME is /usr/local/jive/java

a) Point the java binary at /usr/local/jive/java/bin/java

- Check where it is run from:

which java

Note: usually this returns the symbolic link "/bin/java".

- Check where that link points:

ls -la /bin/java

Note: usually it points at "/etc/alternatives/java".

- Remove the current java link:

rm /bin/java

- Add the new java link:

ln -s /usr/local/jive/java/bin/java /bin/java

b) We need to do the same for the keytool binary

- Check where it is run from:

which keytool

Note: usually this returns the symbolic link "/usr/bin/keytool".

- Check where that link points:

ls -la /usr/bin/keytool

Note: usually it points at "/etc/alternatives/keytool".

- Remove the current keytool link:

rm /usr/bin/keytool

- Add the new keytool link:

ln -s /usr/local/jive/java/bin/keytool /usr/bin/keytool

2) Confirm that the java.policy file at "/usr/local/jive/java/jre/lib/security/java.policy" grants the permissions below.

Note: Before making changes please back up java.policy.

The two permission entries belong inside a grant block, either the file's existing default grant block (the one without a codeBase) or a new block as shown:

grant {
    // FIPS and Bouncy Castle required permissions
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
};

3) Confirm that the java.security file at "/usr/local/jive/java/jre/lib/security/java.security" contains the configuration below.

Note: Before making changes please back up java.security.

a) Comment out all of the current security providers and put the Bouncy Castle FIPS provider at the top of the list. The second entry is SunJSSE with "BCFIPS" appended to the class name, which makes SunJSSE obtain its cryptography from the BCFIPS provider instead of the default Sun providers:

#
# List of providers and their preference orders (see above):
#
#security.provider.1=sun.security.provider.Sun
#security.provider.2=sun.security.rsa.SunRsaSign
#security.provider.3=sun.security.ec.SunEC
#security.provider.4=com.sun.net.ssl.internal.ssl.Provider
#security.provider.5=com.sun.crypto.provider.SunJCE
#security.provider.6=sun.security.jgss.SunProvider
#security.provider.7=com.sun.security.sasl.Provider
#security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
#security.provider.9=sun.security.smartcardio.SunPCSC

#
# FIPS mode provided by Bouncy Castle
#
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.3=sun.security.provider.Sun
b) Next, evaluate whether the server has a hardware entropy generator. If it does not, change the random seed source (on older Linux kernels /dev/random blocks until the entropy pool refills, which can stall the JVM at startup): open the $JAVA_HOME/jre/lib/security/java.security file and change the line

securerandom.source=file:/dev/random

to:

securerandom.source=file:/dev/urandom

c) PKIX should be used as the SSL key and trust manager algorithm:

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX

d) Change the default keystore type to bcfks:

#
# Default keystore type.
#
keystore.type=bcfks

e) DNS cache TTL value. This change is needed by the S3 storage provider. Amazon changes server locations quite frequently, and the JVM's default DNS cache TTL setting prevents this from working, since the default is "cache forever" and the JVM never picks up the new addresses. To fix this, follow the link below:
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-jvm-ttl.html

f) Save the changes.

4) Install the Bouncy Castle FIPS provider jars if they are not already present

Download the files below (or download them from the Bouncy Castle site) and place them in /usr/local/jive/java/jre/lib/ext/

Note: the latest version of Jive already provides these files.

wget https://downloads.bouncycastle.org/fips-java/bc-fips-1.0.0.jar
wget https://downloads.bouncycastle.org/fips-java/bcmail-fips-1.0.1.jar
wget https://downloads.bouncycastle.org/fips-java/bcpkix-fips-1.0.1.jar

5) Add JVM parameters for Jive and EAE

a) Jive

jive set webapp.custom_jvm_args ' -Djavax.net.ssl.trustStoreType=bcfks -Djavax.net.ssl.trustStoreProvider=BCFIPS -Djavax.net.ssl.keyStoreProvider=BCFIPS -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit'

b) EAE

jive set eae.custom_jvm_args ' -Djavax.net.ssl.trustStoreType=bcfks -Djavax.net.ssl.trustStoreProvider=BCFIPS -Djavax.net.ssl.keyStoreProvider=BCFIPS -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit'

6) Get the SSL certificate from Azure Postgres: server.crt, or, if it is accessible, from the Postgres secure URL

Run the command below to obtain the certificate:

openssl s_client -showcerts -servername <azure postgres server> -connect <azure postgres server>:<port> </dev/null

Note: replace the server and port number accordingly, and copy the section from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----" into a PEM file.

7) Import the certificate or PEM file into the keystore using the new provider (BCFKS).

Before making changes please:
- Execute from the JAVA_HOME directory
- Back up the certificate files (cacerts)

keytool -importcert -file <path to certificate or pem file> -keystore /usr/local/jive/java/jre/lib/security/cacerts -storetype BCFKS -providername BCFIPS -alias "Jive" -storepass changeit -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/local/jive/java/jre/lib/ext/bc-fips-1.0.0.jar

8) Restart the Jive instance

jive restart
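The script below, added here as an example and not part of the original Jive document, re-checks what steps 1 to 4 and 7 changed: the java and keytool links, the effective values in java.security, the jars in jre/lib/ext, and whether cacerts actually opens as a BCFKS store through the BCFIPS provider. It assumes the paths and the "changeit" store password used in the steps above; JAVA_HOME, SECURITY_FILE and STOREPASS can be overridden in the environment.

```shell
#!/bin/sh
# fips-check.sh: verify the results of steps 1-4 and 7 above. Added example, not
# from the original Jive document; it assumes the paths and the store password
# used in those steps (override JAVA_HOME, SECURITY_FILE or STOREPASS if different).
JAVA_HOME="${JAVA_HOME:-/usr/local/jive/java}"
SECURITY_FILE="${SECURITY_FILE:-$JAVA_HOME/jre/lib/security/java.security}"
CACERTS="$JAVA_HOME/jre/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"
# prop_value FILE KEY: print the effective value of KEY. java.security is a Java
# properties file, so the last uncommented assignment of a key is the one that applies.
prop_value() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# check_prop FILE KEY EXPECTED: returns 0 when the effective value equals EXPECTED.
check_prop() {
  actual=$(prop_value "$1" "$2")
  [ "$actual" = "$3" ] && { echo "ok    $2=$actual"; return 0; }
  echo "FAIL  $2 is '$actual', expected '$3'"; return 1
}
# check_link LINK TARGET: returns 0 when LINK resolves to the same file as TARGET.
check_link() {
  actual=$(readlink -f "$1" 2>/dev/null)
  [ -n "$actual" ] && [ "$actual" = "$(readlink -f "$2" 2>/dev/null)" ] &&
    { echo "ok    $1 -> $2"; return 0; }
  echo "FAIL  $1 does not resolve to $2"; return 1
}
# check_all: run every check; returns the number of failed checks (0 = all passed).
check_all() {
  failures=0
  check_link /bin/java "$JAVA_HOME/bin/java" || failures=$((failures + 1))
  check_link /usr/bin/keytool "$JAVA_HOME/bin/keytool" || failures=$((failures + 1))
  check_prop "$SECURITY_FILE" security.provider.1 org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider || failures=$((failures + 1))
  check_prop "$SECURITY_FILE" security.provider.2 "com.sun.net.ssl.internal.ssl.Provider BCFIPS" || failures=$((failures + 1))
  check_prop "$SECURITY_FILE" keystore.type bcfks || failures=$((failures + 1))
  check_prop "$SECURITY_FILE" ssl.KeyManagerFactory.algorithm PKIX || failures=$((failures + 1))
  check_prop "$SECURITY_FILE" ssl.TrustManagerFactory.algorithm PKIX || failures=$((failures + 1))
  for jar in bc-fips-1.0.0.jar bcmail-fips-1.0.1.jar bcpkix-fips-1.0.1.jar; do
    [ -f "$JAVA_HOME/jre/lib/ext/$jar" ] || { echo "FAIL  $jar missing from jre/lib/ext"; failures=$((failures + 1)); }
  done
  # cacerts must open as a BCFKS store through the BCFIPS provider (step 7), not as a JKS store.
  if command -v keytool >/dev/null 2>&1 && ! keytool -list -keystore "$CACERTS" -storetype BCFKS -providername BCFIPS -storepass "$STOREPASS" >/dev/null 2>&1; then
    echo "FAIL  $CACERTS is not readable as a BCFKS keystore"; failures=$((failures + 1))
  fi
  return "$failures"
}
[ "${1:-}" = "--run" ] && { check_all; exit $?; }
```

Run it as `sh fips-check.sh --run` after the restart; the exit code is the number of failed checks.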
