# Configuration file just with the security properties, which are supposed to be overriden. The properties, which are not mentioned in this file, # are inherited from the default java.security file bundled within the Java distribution. # # NOTE: Each property is specified 2 times. This is so the same file can be used on both FIPS based RHEL host (which uses "fips" prefixed properties by default) # and the non-fips based (EG. when running the tests on GH actions) # # List of providers and their preference orders (see above). Used on the host without FIPS (EG. when running the tests on GH actions) # Uses only BouncyCastle FIPS providers to make sure to use only FIPS compliant cryptography. # #security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider #security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS #security.provider.3= # # Security providers used when global crypto-policies are set to FIPS (Usually it is used when FIPS enabled on system/JVM level) # # NOTE: This list of providers is needed to be override just because XMLDSig provider is not yet present on the OpenJDK 17 by default on the RHEL FIPS host on OpenJDK 17.0.3. # However once it is present, there won't be a need to override this and this part can be fully commented/removed. # TODO: Comment/remove this once https://bugzilla.redhat.com/show_bug.cgi?id=1940064 is fixed and OpenJDK 17 updated to corresponding version where XMLDSig is available by default # fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg fips.provider.2=SUN fips.provider.3=SunEC fips.provider.4=SunJSSE fips.provider.5=SunJCE fips.provider.6=SunRsaSign fips.provider.7=XMLDSig # Commented this provider for now (and also other providers) as it uses lots of non-FIPS services. # See https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index#ref_openjdk-default-fips-configuration_openjdk # fips.provider.2=SUN # # Default keystore type. # keystore.type=PKCS12 fips.keystore.type=PKCS12 # This is needed especially if we cannot add security provider "com.sun.net.ssl.internal.ssl.Provider BCFIPS" as a security provider. # OpenJDK has "SunX509" as default algorithm, but that one is not supported by BCJSSE. So adding the Sun provider delegating to BCFIPS is needed (as above) # or changing default algorithm as described here ssl.KeyManagerFactory.algorithm=PKIX fips.ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX fips.ssl.TrustManagerFactory.algorithm=PKIX # # Controls compatibility mode for JKS and PKCS12 keystore types. # # When set to 'true', both JKS and PKCS12 keystore types support loading # keystore files in either JKS or PKCS12 format. When set to 'false' the # JKS keystore type supports loading only JKS keystore files and the PKCS12 # keystore type supports loading only PKCS12 keystore files. # # This is set to true as when set to false on OpenJDK 17 and PKCS12 is default keystore type, loading of default truststore (from java cacerts) fails. #keystore.type.compat=false #fips.keystore.type.compat=false