Configuring FIPS (Federal Information Processing Standards) on Jive JVM

Document created by alex.leshchenko on Jun 23, 2020
Version 1

To configure FIPS on the Jive JVM, follow the steps below:


1) First we need to make sure we are using the Corretto JVM; Jive release 9.1.0 provides the Corretto JVM:

java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment Corretto- (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM Corretto- (build 25.212-b04, mixed mode)


Note: JAVA_HOME is under /usr/local/jive/java


a) Set the java executable to /usr/local/jive/java/bin/java

- Check where it is running from:

which java

Note: usually this returns the symbolic link "/bin/java"

- Check where that link points:

ls -la /bin/java

Note: usually we get "/etc/alternatives/java"

- Remove the current java link

rm /bin/java

- Add the new java link

ln -s /usr/local/jive/java/bin/java /bin/java


b) We need to do the same for the keytool executable:

- Check where it is running from:

which keytool

Note: usually this returns the symbolic link "/usr/bin/keytool"

- Check where that link points:

ls -la /usr/bin/keytool

Note: usually we get "/etc/alternatives/keytool"

- Remove the current keytool link

rm /usr/bin/keytool

- Add the new keytool link

ln -s /usr/local/jive/java/bin/keytool /usr/bin/keytool
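Steps 1a and 1b only matter if both commands end up on the same JDK: a keytool that still resolves to a different JDK would not see the BCFIPS provider configured under /usr/local/jive/java/jre/lib/security, and the import in step 7 would fail. The script below is an added example, not part of the original document or of Jive; it follows the java and keytool commands on PATH through any chain of symlinks (as the "which" and "ls -la" checks above do by hand) and reports whether each one lands on the Corretto JDK. JIVE_JAVA_HOME defaults to the path the document gives; the demo at the end builds a constructed directory layout in a temp dir so the script also runs on a machine without Jive, and it relies on GNU readlink -f.

```shell
#!/bin/sh
# Added example, not part of the original Jive document. Verifies that the
# `java` and `keytool` commands found on PATH resolve, through any chain of
# symlinks (/bin/java -> /etc/alternatives/java -> ...), to the Corretto JDK
# under JAVA_HOME. JIVE_JAVA_HOME defaults to the document's path and can be
# overridden; the demo points it at a constructed temp layout.

JIVE_JAVA_HOME="${JIVE_JAVA_HOME:-/usr/local/jive/java}"

# resolve_bin NAME: print the fully resolved path of the command NAME as found
# on PATH; exit 1 with no output if it is not on PATH.
resolve_bin() {
    p=$(command -v "$1" 2>/dev/null) || return 1
    readlink -f "$p"
}

# check_bin NAME: exit 0 if NAME resolves to $JIVE_JAVA_HOME/bin/NAME,
# otherwise report where it actually points and exit 1.
check_bin() {
    want="$(readlink -f "$JIVE_JAVA_HOME")/bin/$1"
    got=$(resolve_bin "$1") || { echo "$1: not found on PATH"; return 1; }
    if [ "$got" = "$want" ]; then
        echo "$1: OK -> $got"
        return 0
    fi
    echo "$1: WRONG -> $got (expected $want)"
    return 1
}

# check_all: both commands must come from the same JDK, otherwise keytool
# will not see the provider list configured under $JAVA_HOME/jre/lib/security.
check_all() {
    rc=0
    check_bin java || rc=1
    check_bin keytool || rc=1
    return $rc
}

# make_fixture: build a constructed layout in a temp dir and print its path.
#   jdk/bin/{java,keytool}  stand-in for the Corretto JDK (stub scripts)
#   bin/java     -> alternatives/java -> jdk/bin/java   (correct chain)
#   bin/keytool  -> other/keytool                        (wrong JDK)
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/jdk/bin" "$d/other" "$d/alternatives" "$d/bin"
    for f in "$d/jdk/bin/java" "$d/jdk/bin/keytool" "$d/other/keytool"; do
        printf '#!/bin/sh\necho stub\n' > "$f" && chmod +x "$f"
    done
    ln -s "$d/jdk/bin/java" "$d/alternatives/java"
    ln -s "$d/alternatives/java" "$d/bin/java"
    ln -s "$d/other/keytool" "$d/bin/keytool"
    echo "$d"
}

# Demo on the fixture: java passes, keytool is flagged. On a real server run
# check_all with JIVE_JAVA_HOME unset and the server's own PATH.
fx=$(make_fixture)
( JIVE_JAVA_HOME="$fx/jdk"; PATH="$fx/bin:$PATH"; check_all ) \
    && echo "all good" || echo "fix the links as in steps 1a/1b"
rm -rf "$fx"
```

On the server itself, source the file and run check_all after recreating the links; a non-zero exit means at least one of the two commands still resolves to another JDK.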


2) Confirm the configuration below in the java.policy file, at location "/usr/local/jive/java/jre/lib/security/java.policy"

We need to grant the permissions:

Note: Before making changes, please back up java.policy


//FIPS and Bouncy castle required permissions
permission java.lang.RuntimePermission "";
permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

3) Confirm we have the configuration below in the file at location "/usr/local/jive/java/jre/lib/security/"

Note: Before making changes, please back up the file


a) We need to comment out all current security providers and configure Bouncy Castle as the top-priority provider.


# List of providers and their preference orders (see above):

# FIPS mode provided by Bouncy Castle
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider BCFIPS

b) After that we have to evaluate whether the server has a hardware entropy generator. If it does not, we need to change the random seed source to:

Open the $JAVA_HOME/jre/lib/security/ file.
Change the line:

c) PKIX should be used as the SSL algorithm:


# Determines the default key and trust manager factory algorithms for
# the package.

d) Change default keystore type to bcfks:


# Default keystore type.


e) TTL value. This change is needed by the S3 storage provider. Amazon changes the server locations quite often, and the default DNS cache TTL setting prevents this from working, since the default is "cache forever" and the JVM never gets the new addresses. To fix this we follow the link below:


f) Save changes.
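Because a stray uncommented Sun provider, a keystore type left at the default, or a missing policy grant each fails only at runtime (and a FIPS provider that is not at position 1 silently leaves non-approved algorithms reachable), it is worth checking the edited files before the restart in step 8. The script below is an added example, not part of the original document or of Jive: a read-only check of the java.policy and java.security edits from steps 2 and 3. SEC_DIR defaults to the directory the document names. The property names ssl.KeyManagerFactory.algorithm, ssl.TrustManagerFactory.algorithm, keystore.type, securerandom.source and networkaddress.cache.ttl are the standard JDK 8 java.security keys and are assumed here, since the document shows only the comment lines above some of them; the sample files the demo writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original Jive document: a read-only check of the
# java.policy and java.security edits in steps 2 and 3, to run before restart.
# SEC_DIR defaults to the directory the document names. The java.security key
# names below are the standard JDK 8 ones and are assumed, not quoted from
# the document.

SEC_DIR="${SEC_DIR:-/usr/local/jive/java/jre/lib/security}"

# active_value FILE KEY: value of KEY from its last uncommented "KEY=value"
# line, trailing blanks stripped; prints nothing if KEY is not set.
active_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# expect_kv FILE KEY WANT: PASS if the active value equals WANT, else FAIL.
expect_kv() {
    have=$(active_value "$1" "$2")
    if [ "$have" = "$3" ]; then
        echo "PASS $2=$3"
        return 0
    fi
    echo "FAIL $2: have '${have:-<unset>}', want '$3'"
    return 1
}

# check_java_security FILE: exactly one active provider entry and it is BCFIPS
# at position 1 (3a); bcfks keystore (3d); PKIX key/trust manager factories
# (3c). Entropy source and DNS TTL (3b, 3e) are printed for review only,
# because the right value depends on the host (hardware RNG or not) and on
# whether the S3 storage provider is in use.
check_java_security() {
    f=$1; rc=0
    n=$(grep -c '^[[:space:]]*security\.provider\.[0-9][0-9]*[[:space:]]*=' "$f" || true)
    if [ "${n:-0}" -eq 1 ]; then
        echo "PASS exactly one active security.provider entry"
    else
        echo "FAIL ${n:-0} active security.provider entries; all but BCFIPS must be commented out"
        rc=1
    fi
    expect_kv "$f" security.provider.1 \
        "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider BCFIPS" || rc=1
    expect_kv "$f" keystore.type bcfks || rc=1
    expect_kv "$f" ssl.KeyManagerFactory.algorithm PKIX || rc=1
    expect_kv "$f" ssl.TrustManagerFactory.algorithm PKIX || rc=1
    echo "INFO securerandom.source=$(active_value "$f" securerandom.source)"
    echo "INFO networkaddress.cache.ttl=$(active_value "$f" networkaddress.cache.ttl)"
    return $rc
}

# check_java_policy FILE: the Bouncy Castle TLS permission from step 2 must be
# granted on an uncommented line.
check_java_policy() {
    if grep -q '^[[:space:]]*permission[[:space:]][[:space:]]*org\.bouncycastle\.crypto\.CryptoServicesPermission[[:space:]][[:space:]]*"tlsAlgorithmsEnabled"' "$1"; then
        echo "PASS CryptoServicesPermission \"tlsAlgorithmsEnabled\" granted"
        return 0
    fi
    echo "FAIL CryptoServicesPermission \"tlsAlgorithmsEnabled\" not granted in $1"
    return 1
}

# check_server: run both checks against the live files under SEC_DIR.
check_server() {
    all=0
    check_java_security "$SEC_DIR/java.security" || all=1
    check_java_policy "$SEC_DIR/java.policy" || all=1
    return $all
}

# write_sample DIR: constructed java.security / java.policy fragments in the
# post-change state, so the demo runs on any machine.
write_sample() {
    cat > "$1/java.security" <<'EOF'
# List of providers and their preference orders (see above):
#security.provider.1=sun.security.provider.Sun
#security.provider.2=sun.security.rsa.SunRsaSign
# FIPS mode provided by Bouncy Castle
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider BCFIPS
ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=bcfks
EOF
    cat > "$1/java.policy" <<'EOF'
grant {
    //FIPS and Bouncy castle required permissions
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
};
EOF
}

# Demo on the constructed sample; on the server run check_server instead.
sample=$(mktemp -d)
write_sample "$sample"
check_java_security "$sample/java.security" && check_java_policy "$sample/java.policy" \
    && echo "sample: all checks passed"
rm -rf "$sample"
```

The provider check deliberately counts active security.provider.N lines rather than just looking for the BCFIPS line: a Sun provider left uncommented at position 2 is the mistake that is easiest to make when editing the file by hand, and it still passes a simple grep for BCFIPS.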


4) Install the Bouncy Castle FIPS provider if the files do not already exist

Download the files below (or download them from the bouncy castle site), and place them at /usr/local/jive/java/jre/lib/ext/

Note: the latest version of Jive already provides those files.




5) Add JVM parameters for Jive and EAE


a) Jive

jive set webapp.custom_jvm_args ''

b) EAE

jive set eae.custom_jvm_args ''


6) Get the SSL certificate from Azure Postgres (server.crt) or, if it is accessible, from the Postgres secure URL


Run the command below to obtain the certificate:

openssl s_client -showcerts -servername <azure postgres server> -connect <azure postgres server>:<port> </dev/null


Note: replace the server and port number accordingly, and copy the section from "BEGIN CERTIFICATE" through "END CERTIFICATE" into a PEM file



7) Import certificate or PEM file to keystore using new provider (BCFKS).


Before making changes please:
- Execute from JAVA_HOME directory
- Backup certificate files (cacerts)


keytool -importcert -file <path to certificate or pem file> -keystore /usr/local/jive/java/jre/lib/security/cacerts -storetype BCFKS -providername BCFIPS -alias "Jive" -storepass changeit -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/local/jive/java/jre/lib/ext/bc-fips-1.0.0.jar
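With -showcerts the openssl output in step 6 contains the whole chain, so "copy the section from BEGIN to END" is ambiguous when more than one block comes back: the first block is the server's own certificate, the later ones are its issuers. The script below is an added example, not part of the original document or of Jive. It cuts the PEM blocks out of the s_client output, lets you pick the N-th one explicitly, and wraps the document's keytool import (with the space before -providerpath) together with a follow-up keytool -list that confirms the alias landed in the BCFKS store Jive will read. Paths, the alias "Jive" and the store password are the document's; PGHOST and PGPORT are placeholders for the Azure server and port; the s_client transcript in the demo is constructed and its base64 bodies are not real certificates.

```shell
#!/bin/sh
# Added example, not from the original Jive document. Helpers for steps 6 and
# 7: cut PEM blocks out of `openssl s_client -showcerts` output, pick the leaf
# or an issuer explicitly, and wrap the document's keytool import plus a
# `keytool -list` check with the same provider flags. The SAMPLE transcript is
# constructed; its base64 bodies are placeholders, not real certificates.

JIVE_JAVA_HOME="${JIVE_JAVA_HOME:-/usr/local/jive/java}"
BCFIPS_JAR="${BCFIPS_JAR:-$JIVE_JAVA_HOME/jre/lib/ext/bc-fips-1.0.0.jar}"
CACERTS="${CACERTS:-$JIVE_JAVA_HOME/jre/lib/security/cacerts}"

# fetch_chain HOST PORT: the document's step-6 command, stderr dropped.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null
}

# extract_certs: print every PEM block (BEGIN..END CERTIFICATE inclusive)
# from the s_client output on stdin and nothing else.
extract_certs() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# nth_cert N: only the N-th block of the chain on stdin. With -showcerts the
# first block is the server's own certificate and the following ones are its
# issuers, so N=1 is the one step 7 imports under the alias "Jive".
nth_cert() {
    extract_certs | awk -v n="$1" '
        /^-----BEGIN CERTIFICATE-----$/ { i++ }
        i == n { print }'
}

# cert_count: number of PEM blocks on stdin (0 if the handshake failed).
cert_count() {
    extract_certs | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# import_cert PEMFILE: step 7 as in the document, run from JAVA_HOME after
# backing up cacerts (the two precautions the document lists).
import_cert() {
    cp -p "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d%H%M%S)" || return 1
    ( cd "$JIVE_JAVA_HOME" && keytool -importcert -file "$1" \
        -keystore "$CACERTS" -storetype BCFKS -providername BCFIPS \
        -alias "Jive" -storepass changeit \
        -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
        -providerpath "$BCFIPS_JAR" )
}

# verify_import: list the alias back from the BCFKS store; a non-zero exit
# means the import did not land in the store Jive will read.
verify_import() {
    keytool -list -keystore "$CACERTS" -storetype BCFKS -providername BCFIPS \
        -alias "Jive" -storepass changeit \
        -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
        -providerpath "$BCFIPS_JAR"
}

# Constructed s_client-style transcript: a two-certificate chain, fake bodies.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=placeholder-postgres.example
   i:/CN=Placeholder Intermediate CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgTEVBRiBDRVJUIEJPRFkgKE5PVCBBIFJFQUwgQ0VSVCk=
-----END CERTIFICATE-----
 1 s:/CN=Placeholder Intermediate CA
   i:/CN=Placeholder Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSVNTVUVSIENFUlQgQk9EWSAoTk9UIEEgUkVBTCBDRVJUKQ==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=placeholder-postgres.example'

# Demo on the sample. On the server, replace the printf with
#   fetch_chain "$PGHOST" "$PGPORT"      (PGHOST/PGPORT are placeholders)
# and then run: import_cert "$out/server.pem" && verify_import
out=$(mktemp -d)
printf '%s\n' "$SAMPLE" | nth_cert 1 > "$out/server.pem"
echo "chain has $(printf '%s\n' "$SAMPLE" | cert_count) certificate(s); leaf written to $out/server.pem"
rm -rf "$out"
```

A cert_count of 0 means the TLS handshake did not complete (wrong host, port, or a firewall), which is worth knowing before spending time on the keytool side; verify_import catches the other common failure, an import that went into a JKS cacerts of a different JDK because keytool still resolved there (step 1b).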


8) Restart Jive instance


jive restart