# Configuration file just with the security properties, which are supposed to be overriden. The properties, which are not mentioned in this file, # are inherited from the default java.security file bundled within the Java distribution. # # NOTE: Each property is specified 2 times. This is so the same file can be used on both FIPS based RHEL host (which uses "fips" prefixed properties by default) # and the non-fips based (EG. when running the tests on GH actions) # # List of providers and their preference orders (see above). Used on the host without FIPS (EG. when running the tests on GH actions) # Uses only BouncyCastle FIPS providers to make sure to use only FIPS compliant cryptography. # security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3= # # Security providers used when global crypto-policies are set to FIPS (Usually it is used when FIPS enabled on system/JVM level) # fips.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS fips.provider.3= # Commented this provider for now (and also other providers) as it uses lots of non-FIPS services. # See https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index#ref_openjdk-default-fips-configuration_openjdk # fips.provider.2=SUN # # Default keystore type. # keystore.type=PKCS12 fips.keystore.type=PKCS12 # This is needed especially if we cannot add security provider "com.sun.net.ssl.internal.ssl.Provider BCFIPS" as a security provider. # OpenJDK has "SunX509" as default algorithm, but that one is not supported by BCJSSE. So adding the Sun provider delegating to BCFIPS is needed (as above) # or changing default algorithm as described here ssl.KeyManagerFactory.algorithm=PKIX fips.ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX fips.ssl.TrustManagerFactory.algorithm=PKIX # # Controls compatibility mode for JKS and PKCS12 keystore types. # # When set to 'true', both JKS and PKCS12 keystore types support loading # keystore files in either JKS or PKCS12 format. When set to 'false' the # JKS keystore type supports loading only JKS keystore files and the PKCS12 # keystore type supports loading only PKCS12 keystore files. # # This is set to false as BCFIPS providers don't support JKS keystore.type.compat=false fips.keystore.type.compat=false