# FIPS 140-3 compliance

To achieve FIPS 140-3 compliance, configure the Bouncy Castle FIPS libraries with DS. This enables the use of the Bouncy Castle FIPS keystore and security provider in FIPS-approved mode.

Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140-3 security requirements is necessary for regulatory compliance. Bouncy Castle FIPS doesn’t require use of an HSM through a PKCS#11 interface.

Bouncy Castle FIPS is less performant than other keystores. The destroyable keys can’t be cached and must be read from the keystore with every use.
To configure DS to use Bouncy Castle FIPS:

## Download the Bouncy Castle libraries

Before you begin, download the Bouncy Castle FIPS libraries:

| File | Description | Tested version |
|---|---|---|
| | Bouncy Castle FIPS security provider implementation | |
| | Certificate generation support | |
| | TLS support | |
| | ASN.1 Utility Classes | |
## Set up DS

Set up but don’t start DS before you enable the Bouncy Castle FIPS provider in the JVM.

- Set up DS for your use case and omit the `--start` option. The following example command uses the evaluation setup profile but doesn’t start the server:

  ```shell
  $ ./opendj/setup \
    --serverId evaluation-only \
    --deploymentId $DEPLOYMENT_ID \
    --deploymentIdPassword password \
    --rootUserDN uid=admin \
    --rootUserPassword StrongPassword \
    --monitorUserPassword StrongPassword \
    --hostname localhost \
    --adminConnectorPort 4444 \
    --ldapPort 1389 \
    --enableStartTls \
    --ldapsPort 1636 \
    --httpsPort 8443 \
    --replicationPort 8989 \
    --bootstrapReplicationServer localhost:8989 \
    --profile ds-evaluation \
    --acceptLicense
  ```

  As in the example command, make sure passwords used to connect are at least 14 characters (14 bytes) long. If the passwords are too short, commands display the following error message:

  ```
  Other: password must be at least 112 bits
  ```

  This example uses deployment ID-based PKI. For most FIPS-compliant deployments, use your own cryptographic keys.
- Copy the Bouncy Castle libraries you downloaded to the DS `extlib` folder:

  ```shell
  $ cp ~/Downloads/bc*jar opendj/extlib/
  ```
- Create a Bouncy Castle FIPS format keystore from the DS default keystore:

  ```shell
  $ keytool \
    -importkeystore \
    -srckeystore opendj/config/keystore \
    -srcstoretype PKCS12 \
    -srcstorepass:file opendj/config/keystore.pin \
    -destkeystore opendj/config/keystore.bcfks \
    -deststoretype BCFKS \
    -deststorepass:file opendj/config/keystore.pin \
    -providerpath opendj/extlib/bc-fips-2.0.0.jar \
    -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -noprompt
  ```

  The new keystore holds the same keys created at setup time.

- (Optional) Perform other offline configuration required before starting DS.

  This step depends on the deployment. For the evaluation profile, there’s nothing to do.
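As an added example that is not part of the DS documentation, the following POSIX shell script checks the result of the keytool conversion above: it compares the aliases listed by `keytool -list` for the PKCS12 source keystore and the BCFKS destination keystore and reports any entry that did not make it across. The function names, the `verify_bcfks_conversion` wrapper and the embedded sample listings (including the alias names `ssl-key-pair`, `master-key` and `ca-cert`) are my assumptions and constructed data, not output from a DS install.

```shell
#!/bin/sh
# Added example, not part of the DS documentation: confirm that the BCFKS
# keystore created with keytool -importkeystore carries every alias from the
# PKCS12 source keystore. The pin file and bc-fips jar paths used in the usage
# comment below follow the conversion command in the text.

# keytool_aliases: read `keytool -list` output on stdin and print the alias
# names, sorted. keytool prints one entry per line as
#   <alias>, <date>, <PrivateKeyEntry|trustedCertEntry|SecretKeyEntry>,
# so the alias is everything before the first comma on lines naming an Entry.
keytool_aliases() {
    grep 'Entry' | sed 's/,.*//' | sort
}

# missing_aliases SRC_LISTING DST_LISTING: print every alias that appears in
# the source listing but not in the destination listing (empty output means
# the conversion kept all entries).
missing_aliases() {
    src=$(printf '%s\n' "$1" | keytool_aliases)
    dst=$(printf '%s\n' "$2" | keytool_aliases)
    printf '%s\n' "$src" | while IFS= read -r alias; do
        [ -n "$alias" ] || continue
        printf '%s\n' "$dst" | grep -Fxq -- "$alias" || printf '%s\n' "$alias"
    done
}

# verify_bcfks_conversion SRC_KS DST_KS PIN_FILE BCFIPS_JAR: run keytool -list
# on both keystores (the same pin file unlocks both, as in the conversion
# command) and fail if the BCFKS keystore lacks any alias. Returns 0 when
# complete, 1 when aliases are missing, 2 when keytool itself fails.
verify_bcfks_conversion() {
    src_ks=$1; dst_ks=$2; pin=$3; jar=$4
    src_list=$(keytool -list -keystore "$src_ks" -storetype PKCS12 \
        -storepass:file "$pin") || return 2
    dst_list=$(keytool -list -keystore "$dst_ks" -storetype BCFKS \
        -storepass:file "$pin" -providerpath "$jar" \
        -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider) || return 2
    missing=$(missing_aliases "$src_list" "$dst_list")
    if [ -n "$missing" ]; then
        printf 'aliases missing from %s:\n%s\n' "$dst_ks" "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (not real keytool output from a DS install) so
# the comparison can be exercised without keytool or the Bouncy Castle jars.
SAMPLE_SRC='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

ssl-key-pair, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
master-key, Jan 1, 2024, SecretKeyEntry,
ca-cert, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66:77'

# A constructed BCFKS listing that lost the secret key entry in conversion.
SAMPLE_DST_INCOMPLETE='Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 2 entries

ssl-key-pair, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
ca-cert, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66:77'

# Stand-alone demonstration on the constructed listings.
# Usage against real keystores:
#   verify_bcfks_conversion opendj/config/keystore opendj/config/keystore.bcfks \
#       opendj/config/keystore.pin opendj/extlib/bc-fips-2.0.0.jar
missing=$(missing_aliases "$SAMPLE_SRC" "$SAMPLE_DST_INCOMPLETE")
if [ -n "$missing" ]; then
    echo "conversion incomplete, missing: $missing"
else
    echo "all aliases present"
fi
```

Run `verify_bcfks_conversion` with the paths from the keytool command before continuing; a missing `SecretKeyEntry` is the case to watch for, because DS uses the keystore for more than the TLS key pair and a silent drop would only surface once the server starts with the BCFKS providers.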
## Configure DS to use Bouncy Castle FIPS support

Before you start DS, configure the server offline to use the Bouncy Castle FIPS format keystore.

### Create key providers

Create key providers for the Bouncy Castle FIPS format keystore.

- Create a key manager provider:

  ```shell
  $ ./opendj/bin/dsconfig \
    create-key-manager-provider \
    --provider-name BCFIPS \
    --type file-based \
    --set enabled:true \
    --set key-store-file:/path/to/opendj/config/keystore.bcfks \
    --set "key-store-pin:&{file:config/keystore.pin}" \
    --set key-store-type:BCFKS \
    --offline \
    --no-prompt
  ```

  Here, `/path/to/opendj` is the path to the folder where you installed DS.

- Create a trust manager provider:

  ```shell
  $ ./opendj/bin/dsconfig \
    create-trust-manager-provider \
    --provider-name BCFIPS \
    --type file-based \
    --set enabled:true \
    --set trust-store-file:/path/to/opendj/config/keystore.bcfks \
    --set "trust-store-pin:&{file:config/keystore.pin}" \
    --set trust-store-type:BCFKS \
    --offline \
    --no-prompt
  ```

  Here, `/path/to/opendj` is the path to the folder where you installed DS.
### Use the new key providers

- Update the DS crypto manager:

  ```shell
  $ ./opendj/bin/dsconfig \
    set-crypto-manager-prop \
    --set key-manager-provider:BCFIPS \
    --set key-wrapping-mode:wrap \
    --offline \
    --no-prompt
  ```

- Update DS connection handlers to use the new key providers.

  The following commands correspond to the connection handlers created by the example `setup` command in Set up DS. If DS uses other connection handlers in your deployment, update them as well.

  - Update the LDAP connection handler:

    ```shell
    $ ./opendj/bin/dsconfig \
      set-connection-handler-prop \
      --handler-name LDAP \
      --set key-manager-provider:BCFIPS \
      --set trust-manager-provider:BCFIPS \
      --offline \
      --no-prompt
    ```

  - Update the LDAPS connection handler:

    ```shell
    $ ./opendj/bin/dsconfig \
      set-connection-handler-prop \
      --handler-name LDAPS \
      --set key-manager-provider:BCFIPS \
      --set trust-manager-provider:BCFIPS \
      --offline \
      --no-prompt
    ```

  - Update the HTTPS connection handler:

    ```shell
    $ ./opendj/bin/dsconfig \
      set-connection-handler-prop \
      --handler-name HTTPS \
      --set key-manager-provider:BCFIPS \
      --set trust-manager-provider:BCFIPS \
      --offline \
      --no-prompt
    ```

- Update the administration connector to use the new key providers:

  ```shell
  $ ./opendj/bin/dsconfig \
    set-administration-connector-prop \
    --set key-manager-provider:BCFIPS \
    --set trust-manager-provider:BCFIPS \
    --offline \
    --no-prompt
  ```

- Update the replication provider to use the new key providers:

  ```shell
  $ ./opendj/bin/dsconfig \
    set-synchronization-provider-prop \
    --provider-name "Multimaster Synchronization" \
    --set key-manager-provider:BCFIPS \
    --set trust-manager-provider:BCFIPS \
    --offline \
    --no-prompt
  ```
### Disable the default key providers

The default key providers don’t support FIPS compliance and aren’t used any longer. Disable them:

- Disable the default key manager provider:

  ```shell
  $ ./opendj/bin/dsconfig \
    set-key-manager-provider-prop \
    --provider-name PKCS12 \
    --set enabled:false \
    --offline \
    --no-prompt
  ```

- Disable the default trust manager provider:

  ```shell
  $ ./opendj/bin/dsconfig \
    set-trust-manager-provider-prop \
    --provider-name PKCS12 \
    --set enabled:false \
    --offline \
    --no-prompt
  ```
## Enable the Bouncy Castle FIPS provider

Before you start DS, update the DS Java settings to use Bouncy Castle FIPS support:

- Copy `$JAVA_HOME/conf/security/java.security` to the `opendj/config/` folder.

- Update the `opendj/config/java.security` file to use the Bouncy Castle FIPS provider:

  - Replace the list of security providers with the following:

    ```properties
    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    # If entropy in the system is too limited to use the default
    # deterministic random bits generator, try with C:HYBRID;ENABLE{All};
    #security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
    security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS
    security.provider.3=SUN
    ```

  - Update the default key manager factory algorithm:

    ```properties
    ssl.KeyManagerFactory.algorithm=PKIX
    ```

- Update the DS `opendj/config/java.properties` file to use the Bouncy Castle FIPS provider. Add the following flags to all tools settings. Put all the flags on the same line each time. The following example shows one flag per line for readability:

  ```
  -Dorg.bouncycastle.rsa.allow_multi_use=true
  -Dorg.bouncycastle.fips.approved_only=true
  -Djava.security.properties==/path/to/opendj/config/java.security
  ```

  Here, `/path/to/opendj` is the path to the folder where you installed DS.
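The following POSIX shell script is an added example and not part of the DS documentation. It applies the `java.security` and `java.properties` edits described in the steps above with two functions, so the same change can be repeated on every server without hand editing. It assumes that the DS tools settings in `java.properties` are the keys ending in `.java-args` (such as `start-ds.java-args`); the function names and the sample files used in the usage are mine, not the page’s.

```shell
#!/bin/sh
# Added example, not part of the DS documentation: apply the java.security and
# java.properties edits from the "Enable the Bouncy Castle FIPS provider"
# steps with two shell functions. Assumed: DS tools settings in
# java.properties are keys ending in ".java-args" (e.g. start-ds.java-args=...).

# The two provider flags from the text; the java.security.properties flag is
# built per install because it carries the DS install path.
BCFIPS_FLAGS='-Dorg.bouncycastle.rsa.allow_multi_use=true -Dorg.bouncycastle.fips.approved_only=true'

# fipsify_java_security SRC DST: write DST as a copy of the JDK file SRC with
# the JDK provider list and key manager factory algorithm removed and the
# Bouncy Castle FIPS provider list from the text appended. Everything else in
# the JDK file is kept, which matters because "==" in the
# java.security.properties flag makes this file replace the JDK one entirely.
fipsify_java_security() {
    src=$1; dst=$2
    grep -v -e '^security\.provider\.[0-9][0-9]*=' \
            -e '^ssl\.KeyManagerFactory\.algorithm=' "$src" > "$dst"
    cat >> "$dst" <<'EOF'
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
# If entropy in the system is too limited to use the default
# deterministic random bits generator, try with C:HYBRID;ENABLE{All};
#security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS
security.provider.3=SUN
ssl.KeyManagerFactory.algorithm=PKIX
EOF
}

# fipsify_java_properties FILE OPENDJ_DIR: append the three flags, on the same
# line, to every ".java-args=" setting in FILE that does not already carry
# them. Other lines are copied unchanged, so the function is safe to rerun.
fipsify_java_properties() {
    file=$1; opendj=$2
    flags="$BCFIPS_FLAGS -Djava.security.properties==$opendj/config/java.security"
    tmp="$file.tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *approved_only=true*) printf '%s\n' "$line" ;;             # already updated
            *.java-args=)         printf '%s%s\n' "$line" "$flags" ;;  # empty setting
            *.java-args=*)        printf '%s %s\n' "$line" "$flags" ;;
            *)                    printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Usage: sh fips-java-settings.sh "$JAVA_HOME" /path/to/opendj
if [ $# -eq 2 ]; then
    fipsify_java_security "$1/conf/security/java.security" "$2/config/java.security"
    fipsify_java_properties "$2/config/java.properties" "$2"
    echo "updated $2/config/java.security and $2/config/java.properties"
fi
```

The double `==` in `-Djava.security.properties==` tells the JVM to replace its built-in `java.security` with the named file rather than overlay it, which is why the page has you copy the full JDK file first and why `fipsify_java_security` keeps every line other than the provider list and the key manager factory algorithm. Check `grep -c '^security\.provider\.' opendj/config/java.security` prints `3` before starting DS; a leftover JDK provider line ahead of `BouncyCastleFipsProvider` would take precedence over it.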
## Start DS

- Start DS:

  ```shell
  $ ./opendj/bin/start-ds
  ```

  When DS finishes starting up, it displays a message containing:

  ```
  The Directory Server has started successfully
  ```

- Verify you can run administrative tools, such as the `status` command:

  ```shell
  $ ./opendj/bin/status \
    --bindDn uid=admin \
    --bindPassword StrongPassword \
    --hostname localhost \
    --port 4444
  ```

  As you haven’t specified a truststore, the command prompts you to trust the server certificate.

  On success, the `status` command displays output about the DS server.
When running DS with Bouncy Castle FIPS, use the Java