# Configuration file containing only the security properties that are meant to be overridden. Properties not mentioned in this file
# are inherited from the default java.security file bundled with the Java distribution.
#
# NOTE: Each property is specified twice. This lets the same file be used both on a FIPS-enabled RHEL host (whose JDK reads the "fips."-prefixed properties by default)
# and on a non-FIPS host (e.g. when running the tests on GitHub Actions).
#
# List of providers and their preference order (the entry format is described in the default java.security file). Used on hosts without FIPS mode (e.g. when running the tests on GitHub Actions).
# Only the BouncyCastle FIPS providers are registered, so that only FIPS-approved cryptography is available: BCFIPS is listed first, and BCJSSE is started in FIPS mode on top of it via the "fips:BCFIPS" argument.
#
# security.provider.3 is deliberately left empty: the JDK reads security.provider.N in order and stops at the first missing or empty
# entry, so this cuts off the remaining providers (SUN etc.) that would otherwise be inherited from the default java.security file.
# The JDK may print an "invalid entry for security.provider.3" warning on stderr when it hits the empty entry; that is expected.
#
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=
#
# Security providers used when the system-wide crypto-policies are set to FIPS (usually when FIPS mode is enabled at the system/JVM level). The empty fips.provider.3 terminates the list so that no further providers are inherited from the default file.
#
fips.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
fips.provider.3=
# The SUN provider (like the other JDK providers) is deliberately left disabled because it exposes many non-FIPS-approved services.
# If it is ever re-enabled it must be given a free index: fips.provider.2 is already taken by BCJSSE above, and a duplicate key would override that entry.
# See https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index#ref_openjdk-default-fips-configuration_openjdk
# fips.provider.2=SUN
#
# Default keystore type. PKCS12 is used on both FIPS and non-FIPS hosts; the BCFIPS providers do not support JKS (see keystore.type.compat below).
#
keystore.type=PKCS12
fips.keystore.type=PKCS12
# Needed because the "com.sun.net.ssl.internal.ssl.Provider BCFIPS" provider (SunJSSE delegating to BCFIPS) is not registered in the provider lists above.
# OpenJDK's default KeyManagerFactory/TrustManagerFactory algorithm is "SunX509", which BCJSSE does not support. So either the delegating Sun provider must be registered (as discussed above)
# or the default algorithms must be changed to PKIX, which is what the following properties do.
ssl.KeyManagerFactory.algorithm=PKIX
fips.ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
fips.ssl.TrustManagerFactory.algorithm=PKIX
#
# Controls compatibility mode for JKS and PKCS12 keystore types.
#
# When set to 'true', both JKS and PKCS12 keystore types support loading
# keystore files in either JKS or PKCS12 format. When set to 'false' the
# JKS keystore type supports loading only JKS keystore files and the PKCS12
# keystore type supports loading only PKCS12 keystore files.
#
# Set to false because the BCFIPS providers do not support JKS: a JKS file handed to the PKCS12 keystore type is rejected instead of being loaded through the compatibility path.
keystore.type.compat=false
fips.keystore.type.compat=false