Chapter 2. Configure OpenJDK 8 in FIPS mode
OpenJDK 8 checks if the FIPS mode is enabled in the system at startup. If yes, it self-configures FIPS according to the global policy. This is the default behavior since RHEL 8.3. Previous RHEL 8 releases require the com.redhat.fips
system property set to true
as a JVM argument. For example, -Dcom.redhat.fips=true
.
If FIPS mode is enabled in the system while a JVM instance is running, the instance needs to be restarted for changes to take effect.
For more information on how to enable FIPS mode, see Switching the system to FIPS mode.
You can configure OpenJDK 8 to bypass the global FIPS alignment. For example, you might want to enable FIPS compliance through a Hardware Security Module (HSM) instead of the scheme provided by OpenJDK.
Following are the FIPS properties for OpenJDK 8:
security.useSystemPropertiesFile
-
Security property located at
$JAVA_HOME/lib/security/java.security
or in the file directed tojava.security.properties
. -
Privileged access is required to modify the value in the default
java.security
file. - Persistent configuration.
-
When set to
false
, both the global FIPS and the crypto-policies alignment are disabled. By default, it is set totrue
.
-
Security property located at
java.security.disableSystemPropertiesFile
-
System property passed to the JVM as an argument. For example,
-Djava.security.disableSystemPropertiesFile=true
. - Non-privileged access is enough.
- Non-persistent configuration.
-
When set to
true
, both the global FIPS and the crypto-policies alignment are disabled; generating the same effect than asecurity.useSystemPropertiesFile=false
security property. If both properties are set to different behaviors,java.security.disableSystemPropertiesFile
overrides. By default, it is set tofalse
.
-
System property passed to the JVM as an argument. For example,
com.redhat.fips
-
System property passed to a JVM as an argument. For example,
-Dcom.redhat.fips=false
. - Non-privileged access is enough.
- Non-persistent configuration.
-
When set to
false
, disables the FIPS alignment while still applying the global crypto-policies. If any of the previous properties is set to disable the crypto-policies alignment, this property has no effect. In other words, crypto-policies is a prerequisite for FIPS alignment. By default, it is set totrue
.
-
System property passed to a JVM as an argument. For example,