How to disable FIPS for Java when FIPS is enabled on RHEL 8?


Issue

  • When FIPS is enabled on RHEL 8, it is also enabled for Java by default. Is there a way to disable FIPS specifically for Java? Setting security.useSystemPropertiesFile=false in <java.home>/jre/lib/security/java.security was tried, but keytool then fails with the following error:
$ keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Random Company, ou=Random Company, o=Random Company, c=US"  -keypass someCrazyPassword$ -storepass 123456$ -keystore my.keystore
keytool error: java.security.KeyStoreException: PKCS12 not found
java.security.KeyStoreException: PKCS12 not found
        at java.security.KeyStore.getInstance(KeyStore.java:851)
        at sun.security.tools.keytool.Main.doCommands(Main.java:800)
        at sun.security.tools.keytool.Main.run(Main.java:370)
        at sun.security.tools.keytool.Main.main(Main.java:363)
Caused by: java.security.NoSuchAlgorithmException: PKCS12 KeyStore not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
        at java.security.Security.getImpl(Security.java:710)
        at java.security.KeyStore.getInstance(KeyStore.java:848)
        ... 3 more
  • On a FIPS-enabled RHEL 8.3 server, after an update to OpenJDK 8u275, the application started failing with a Java stack trace that includes:
Caused by: java.security.ProviderException: NSS module not available: fips
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:283)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
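
To tell which of the two failures above a given JVM is hitting, the following diagnostic prints the kernel FIPS flag, the effective security.useSystemPropertiesFile value, the providers the JVM loads, and whether the PKCS12 keystore type resolves. It is an added example, not part of the original solution or Red Hat's code, and the class name FipsJavaCheck is hypothetical.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;

public class FipsJavaCheck {  // hypothetical name, not from the article
    // Kernel FIPS flag: "1" when the host runs in FIPS mode.
    static String kernelFips() {
        try {
            return new String(Files.readAllBytes(Paths.get("/proc/sys/crypto/fips_enabled"))).trim();
        } catch (Exception e) {
            return "unreadable (" + e.getClass().getSimpleName() + ")";
        }
    }

    // Names the provider that serves a keystore type, or gives the failure reason.
    static String keyStoreStatus(String type) {
        try {
            return "available from " + KeyStore.getInstance(type).getProvider().getName();
        } catch (Exception e) {
            return "NOT available: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("kernel fips_enabled = " + kernelFips());
        System.out.println("security.useSystemPropertiesFile = "
                + Security.getProperty("security.useSystemPropertiesFile"));
        System.out.println("keystore.type = " + KeyStore.getDefaultType());
        try {
            Provider[] providers = Security.getProviders();
            for (int i = 0; i < providers.length; i++) {
                System.out.println("provider " + (i + 1) + ": " + providers[i].getName()
                        + " (" + providers[i].getInfo() + ")");
            }
        } catch (ProviderException e) {
            // Provider loading itself failed, as in the "NSS module not available" trace.
            System.out.println("provider loading failed: " + e.getMessage());
        }
        for (String type : new String[] {"PKCS12", "JKS", "PKCS11"}) {
            System.out.println(type + " keystore " + keyStoreStatus(type));
        }
    }
}
```

Compile it with javac and run it with the same java binary and java.security file that the failing application or keytool uses, so the output reflects that JVM's configuration.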

Environment

  • Red Hat Enterprise Linux (RHEL) 8.3
  • OpenJDK
    • 8u275
    • 11.0.9
