Chapter 2. Configure OpenJDK 17 in FIPS mode

Red Hat build of OpenJDK 21 checks if the FIPS mode is enabled in the system at startup. If yes, it self-configures FIPS according to the global policy. This is the default behavior since RHEL 8.3. Previous RHEL 8 releases require the com.redhat.fips system property set to true as a JVM argument. For example, -Dcom.redhat.fips=true.

Note

If FIPS mode is enabled in the system while a JVM instance is running, the instance needs to be restarted for changes to take effect.

You can configure Red Hat build of OpenJDK 21 to bypass the global FIPS alignment. For example, you might want to enable FIPS compliance through a Hardware Security Module (HSM) instead of the scheme provided by Red Hat build of OpenJDK.

Following are the FIPS properties for Red Hat build of OpenJDK 21:

  • security.useSystemPropertiesFile

    • Security property located at $JAVA_HOME/conf/security/java.security or in the file directed to java.security.properties.
    • Privileged access is required to modify the value in the default java.security file.
    • Persistent configuration.
    • When set to false, both the global FIPS and the crypto-policies alignment are disabled. By default, it is set to true.
  • java.security.disableSystemPropertiesFile

    • System property passed to the JVM as an argument. For example, -Djava.security.disableSystemPropertiesFile=true.
    • Non-privileged access is enough.
    • Non-persistent configuration.
    • When set to true, both the global FIPS and the crypto-policies alignment are disabled; generating the same effect than a security.useSystemPropertiesFile=false security property. If both properties are set to different behaviors, java.security.disableSystemPropertiesFile overrides. By default, it is set to false.
  • com.redhat.fips

    • System property passed to a JVM as an argument. For example, -Dcom.redhat.fips=false.
    • Non-privileged access is enough.
    • Non-persistent configuration.
    • When set to false, disables the FIPS alignment while still applying the global crypto-policies. If any of the previous properties is set to disable the crypto-policies alignment, this property has no effect. In other words, crypto-policies is a prerequisite for FIPS alignment. By default, it is set to true.

Additional resources