How to disable FIPS for Java when FIPS is enabled on RHEL 8?
Issue
- Because FIPS is enabled on RHEL 8, it is also enabled for Java by default. Is there a way to disable FIPS specifically for Java? Setting security.useSystemPropertiesFile=false in <java.home>/jre/lib/security/java.security was tried, but keytool fails with the following error:
$ keytool -genkeypair -v -alias myproject -keyalg RSA -keysize 4096 -storetype PKCS12 -dname "cn=myproject, ou=Devices, ou=Random Company, ou=Random Company, o=Random Company, c=US" -keypass someCrazyPassword$ -storepass 123456$ -keystore my.keystore
keytool error: java.security.KeyStoreException: PKCS12 not found
java.security.KeyStoreException: PKCS12 not found
at java.security.KeyStore.getInstance(KeyStore.java:851)
at sun.security.tools.keytool.Main.doCommands(Main.java:800)
at sun.security.tools.keytool.Main.run(Main.java:370)
at sun.security.tools.keytool.Main.main(Main.java:363)
Caused by: java.security.NoSuchAlgorithmException: PKCS12 KeyStore not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:710)
at java.security.KeyStore.getInstance(KeyStore.java:848)
... 3 more
- On a FIPS-enabled RHEL 8.3 server, after an update to OpenJDK 8u275, the application started failing with a Java stack trace that includes:
Caused by: java.security.ProviderException: NSS module not available: fips
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:283)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
- When starting a Java application on RHEL 8.2 with openjdk-1.8.0.272.b10, the following exception is observed:
Caused by: java.security.NoSuchAlgorithmException: TLS SSLContext not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
Environment
- Red Hat Enterprise Linux (RHEL) 8.3+
- OpenJDK
  - 8u272
  - 8u275
  - 11u9
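
A small diagnostic for the three failures listed under Issue, added here as an example and not part of the original article: it prints the host FIPS flag, the JVM's registered security providers in preference order, and whether the PKCS12 KeyStore and TLS SSLContext services resolve. The class name JcaServiceCheck is hypothetical; only standard JDK APIs are used.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name). Compiles on Java 8 and later.
public class JcaServiceCheck {

    // Kernel FIPS flag on Linux: "1" when the host runs in FIPS mode.
    static String hostFipsFlag() {
        try {
            byte[] raw = Files.readAllBytes(Paths.get("/proc/sys/crypto/fips_enabled"));
            return new String(raw, StandardCharsets.US_ASCII).trim();
        } catch (Exception e) {
            return "unreadable (" + e.getClass().getSimpleName() + ")";
        }
    }

    // Resolve one JCA service and report which provider serves it, or why it failed.
    static String probe(String type, String algorithm) {
        try {
            Provider p = type.equals("KeyStore")
                    ? KeyStore.getInstance(algorithm).getProvider()
                    : SSLContext.getInstance(algorithm).getProvider();
            return "OK, served by " + p.getName();
        } catch (Exception e) {
            return "FAILED: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("host fips_enabled: " + hostFipsFlag());
        System.out.println("java.home: " + System.getProperty("java.home"));
        // Value read from the active java.security file; null if the JDK does not define it.
        System.out.println("security.useSystemPropertiesFile: "
                + Security.getProperty("security.useSystemPropertiesFile"));
        // Order matters: the first provider that offers a service is the one used.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider " + (i + 1) + ": "
                    + providers[i].getName() + " - " + providers[i].getInfo());
        }
        System.out.println("KeyStore PKCS12: " + probe("KeyStore", "PKCS12"));
        System.out.println("SSLContext TLS: " + probe("SSLContext", "TLS"));
    }
}
```

Compile and run it with the same JDK and the same java.security file as the failing application, since the provider list depends on both.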