Version 1

    To configure FIPS mode on the Jive JVM, follow the steps below:


    1) First, make sure the Corretto JVM is in use; Jive release 9.1.0 ships the Corretto JVM:

    java -version
    openjdk version "1.8.0_212"
    OpenJDK Runtime Environment Corretto- (build 1.8.0_212-b04)
    OpenJDK 64-Bit Server VM Corretto- (build 25.212-b04, mixed mode)


    Note: JAVA_HOME is under /usr/local/jive/java


    a) Point the java executable at /usr/local/jive/java/bin/java

    - Check where it is running from:

    which java

    Note: usually this returns the symbolic link "/bin/java"

    - Check what the link points to:

    ls -la /bin/java

    Note: usually we get "/etc/alternatives/java"

    - Remove the current java link

    rm /bin/java

    - Create the new java link

    ln -s /usr/local/jive/java/bin/java /bin/java


    b) Do the same for the keytool executable

    - Check where it is running from:

    which keytool

    Note: usually this returns the symbolic link "/usr/bin/keytool"

    - Check what the link points to:

    ls -la /usr/bin/keytool

    Note: usually this returns "/etc/alternatives/keytool"

    - Remove the current keytool link

    rm /usr/bin/keytool

    - Create the new keytool link

    ln -s /usr/local/jive/java/bin/keytool /usr/bin/keytool


    2) Confirm that the java.policy file at "/usr/local/jive/java/jre/lib/security/java.policy" contains the configuration below.

    The following permissions must be granted:

    Note: Before making changes please backup java.policy


    // FIPS and Bouncy Castle required permissions
    permission java.lang.RuntimePermission "";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

    3) Confirm that the file at location "/usr/local/jive/java/jre/lib/security/" contains the configuration below.

    Note: Before making changes, please back up the file.


    a) Comment out all current security providers and configure Bouncy Castle FIPS as the top-priority provider.


    # List of providers and their preference orders (see above):

    # FIPS mode provided by Bouncy Castle
    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider BCFIPS

    b) Then evaluate whether the server has a hardware entropy generator.
    If it does not, change the random seed source to:

    Open the $JAVA_HOME/jre/lib/security/ file.
    Change the line:








    c) PKIX should be used as the SSL key and trust manager factory algorithm:


    # Determines the default key and trust manager factory algorithms for
    # the package.

    d) Change default keystore type to bcfks:


    # Default keystore type.


    e) DNS cache TTL value. This change is needed by the S3 storage provider. Amazon changes server locations quite often, and the default DNS cache TTL setting prevents this from working, since the default is "cache forever" and the JVM never picks up the new addresses. To fix this, follow the link below:


    f) Save changes.


    4) Install the Bouncy Castle FIPS provider files if they are not already present

    Download the files below (or download them from the Bouncy Castle site) and place them in /usr/local/jive/java/jre/lib/ext/

    Note: the latest version of Jive already provides these files.




    5) Add JVM parameters for Jive and EAE


    a) Jive

    jive set webapp.custom_jvm_args ''

    b) EAE

    jive set eae.custom_jvm_args ''


    6) Get the SSL certificate from Azure Postgres: server.crt or, if it is accessible, the Postgres secure URL


    Run the command below to obtain the certificate:

    openssl s_client -showcerts -servername <azure postgres server> -connect <azure postgres server>:<port> </dev/null


    Note: replace the server and port number accordingly, and copy the section from "BEGIN CERTIFICATE" to "END CERTIFICATE" into a PEM file.
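    Copying the certificate blocks out of the s_client output by hand is error-prone when the server returns a chain. The POSIX shell script below is an added example, not part of the original instructions: it splits every BEGIN/END CERTIFICATE block into its own PEM file so each certificate can be imported under its own alias in step 7. The s_client output it runs on is a constructed sample with dummy certificate bodies, not output from any real server.

```sh
#!/bin/sh
# Split the certificate chain printed by `openssl s_client -showcerts`
# into one PEM file per certificate, dropping the handshake output that
# surrounds the BEGIN/END CERTIFICATE markers.
# Usage: split_chain <s_client_output_file> <output_dir>
# Writes <output_dir>/cert-1.pem, cert-2.pem, ... and prints the count.
split_chain() {
    src="$1"; dir="$2"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                        { print > f }
        /^-----END CERTIFICATE-----$/   { inblock = 0; close(f) }
        END                            { print n + 0 }
    ' "$src"
}

# Constructed sample of s_client output (dummy bodies, not a real server
# and not real certificate data): a leaf certificate plus its issuing CA.
write_sample() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example-postgres.constructed.invalid
   i:CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBodyNotRealData0000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate CA
   i:CN = Constructed Root CA
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateCaBodyNotRealData0000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example-postgres.constructed.invalid
Verify return code: 0 (ok)
DONE
EOF
}

# Demo: run on the constructed sample; in real use, feed the saved output
# of the openssl s_client command from step 6 instead of write_sample.
work=$(mktemp -d)
write_sample "$work/s_client.txt"
echo "certificates written to $work/pem: $(split_chain "$work/s_client.txt" "$work/pem")"
```

    Each resulting cert-N.pem can then be passed to keytool -importcert with a distinct -alias, so the CA certificate is trusted on its own rather than as part of a pasted multi-certificate file.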



    7) Import the certificate or PEM file into the keystore using the new provider (BCFKS).


    Before making changes, please:
    - Execute from the JAVA_HOME directory
    - Back up the certificate files (cacerts)


    keytool -importcert -file <path to certificate or pem file> -keystore /usr/local/jive/java/jre/lib/security/cacerts -storetype BCFKS -providername BCFIPS -alias "Jive" -storepass changeit -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/local/jive/java/jre/lib/ext/bc-fips-1.0.0.jar


    8) Restart Jive instance


    jive restart