Version 1

    To configure FIPS mode on the Jive JVM, the steps below are needed:

    1) First make sure the JVM in use is Amazon Corretto; Jive release 9.1.0 ships Corretto:

    java -version
    openjdk version "1.8.0_212"
    OpenJDK Runtime Environment Corretto-8.212.04.2 (build 1.8.0_212-b04)
    OpenJDK 64-Bit Server VM Corretto-8.212.04.2 (build 25.212-b04, mixed mode)

    Note: JAVA_HOME is /usr/local/jive/java

    a) Point the "java" command at /usr/local/jive/java/bin/java

    - Check which binary is on the PATH:

    which java

    Note: usually this is a symbolic link, "/bin/java"

    - Check where that link points:

    ls -la /bin/java

    Note: usually it points to "/etc/alternatives/java"

    - Remove the current java link

    rm /bin/java

    - Link java to the Jive JVM

    ln -s /usr/local/jive/java/bin/java /bin/java

    Afterwards "java -version" should report the Corretto build shown above. This bypasses the alternatives system, so a later JDK package update can recreate the link; re-check it after OS patching.

    b) Do the same for the "keytool" command

    - Check which binary is on the PATH:

    which keytool

    Note: usually this is a symbolic link, "/usr/bin/keytool"

    - Check where that link points:

    ls -la /usr/bin/keytool

    Note: usually it points to "/etc/alternatives/keytool"

    - Remove the current keytool link

    rm /usr/bin/keytool

    - Link keytool to the Jive JVM

    ln -s /usr/local/jive/java/bin/keytool /usr/bin/keytool

    This matters for step 7: keytool has to load the Bouncy Castle jars and the java.security of the Jive JVM, not those of another JDK on the host.

    2) Confirm the java.policy file at "/usr/local/jive/java/jre/lib/security/java.policy" grants the permissions below.

    Note: back up java.policy before making changes.

    Add the two permission lines inside the default "grant { ... };" block (the one without a codeBase entry), keeping the permissions already there. The first lets code use the classes in sun.security.internal.spec, which SunJSSE uses to hand TLS key-derivation parameters to the provider; the second lets the TLS-specific algorithms of the BC FIPS provider (such as the TLS PRFs) be used.

    //FIPS and Bouncy castle required permissions
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
    permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";


    3) Confirm the java.security file at "/usr/local/jive/java/jre/lib/security/java.security" has the configuration below.

    Note: back up java.security before making changes.

    a) Comment out the current provider list and put the Bouncy Castle FIPS provider first. The second entry keeps SunJSSE for TLS but makes it use BCFIPS for its cryptography (that is what the trailing "BCFIPS" argument does); the Sun provider stays last for the services the first two do not cover.

    #
    # List of providers and their preference orders (see above):
    #
    #security.provider.1=sun.security.provider.Sun
    #security.provider.2=sun.security.rsa.SunRsaSign
    #security.provider.3=sun.security.ec.SunEC
    #security.provider.4=com.sun.net.ssl.internal.ssl.Provider
    #security.provider.5=com.sun.crypto.provider.SunJCE
    #security.provider.6=sun.security.jgss.SunProvider
    #security.provider.7=com.sun.security.sasl.Provider
    #security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    #security.provider.9=sun.security.smartcardio.SunPCSC

    #
    # FIPS mode provided by Bouncy Castle
    #
    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
    security.provider.3=sun.security.provider.Sun

    Note: with SunJCE, SunRsaSign and SunEC no longer registered, any code that asks for one of those providers by name fails with NoSuchProviderException; watch the Jive logs for that after the restart.

    b) Next, check whether the server has a hardware random number generator (for example a /dev/hwrng device fed to the kernel by rngd). Without one, /dev/random can block whenever the kernel entropy pool runs low, which stalls JVM startup and every SecureRandom call, while /dev/urandom never blocks and is the usual choice on virtual machines.

    If the server has no hardware RNG, open the $JAVA_HOME/jre/lib/security/java.security file and change the line:

    securerandom.source=file:/dev/random

    to:

    securerandom.source=file:/dev/urandom

    Note: some JDK 8 builds treat "file:/dev/urandom" like "file:/dev/random" when seeding; if startup still hangs, the usual workaround is the value "file:/dev/./urandom".

    c) Use PKIX for both the key manager and trust manager factory algorithms (the stock default for the key manager factory is SunX509):


    #
    # Determines the default key and trust manager factory algorithms for
    # the javax.net.ssl package.
    #
    ssl.KeyManagerFactory.algorithm=PKIX
    ssl.TrustManagerFactory.algorithm=PKIX


    d) Change the default keystore type to bcfks (the Bouncy Castle FIPS keystore format; a stock JKS file will not open under this type, which matters for cacerts in step 7):


    #
    # Default keystore type.
    #
    keystore.type=bcfks

    e) DNS cache TTL. This change is needed by the S3 storage provider. Amazon rotates the IP addresses behind its endpoints frequently, and the JVM's default DNS cache TTL can be "cache forever" (it is whenever a security manager is installed), so the JVM never learns the new addresses. To fix this, set networkaddress.cache.ttl in java.security (the AWS guide suggests 60 seconds), as described at the link below:
    https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-jvm-ttl.html

    f) Save changes.

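    The java.security and java.policy edits from steps 2 and 3, scripted so they can be applied and checked on a copy before touching the Jive JVM. This is an added example, not part of the original page or of Jive's or Bouncy Castle's tooling. It assumes the stock Java 8 layout of both files (an active security.provider.N list, uncommented keystore.type / securerandom.source / ssl.*Factory.algorithm lines, and a default "grant {" block without codeBase), works on constructed excerpts of those files, and the function names and temporary directory are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not Jive's or Bouncy Castle's tooling): apply the step 2 and 3
# edits to java.security / java.policy and verify them. The demo() sample files
# are constructed excerpts of stock Java 8 files, not the real ones.
set -eu

# Comment out every active security.provider.N= line and append the Bouncy
# Castle FIPS provider order. Idempotent: no-op if BCFIPS is already first.
fips_providers() {                              # $1 = java.security
  local f="$1" tmp
  grep -q '^security\.provider\.1=org\.bouncycastle' "$f" && return 0
  cp -p "$f" "$f.bak"                           # back up before editing
  tmp="$(mktemp)"
  sed 's/^[[:space:]]*\(security\.provider\.[0-9][0-9]*=\)/#\1/' "$f" > "$tmp"
  cat >> "$tmp" <<'EOF'
#
# FIPS mode provided by Bouncy Castle
#
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.3=sun.security.provider.Sun
EOF
  mv "$tmp" "$f"
}
# Set key=value: replace the active line if there is one, otherwise append.
# Commented-out copies ("# keystore.type=...") are left untouched.
set_prop() {                                    # $1 = file, $2 = key, $3 = value
  local f="$1" key="$2" val="$3" tmp
  tmp="$(mktemp)"
  if grep -q "^[[:space:]]*${key}=" "$f"; then
    sed "s|^[[:space:]]*${key}=.*|${key}=${val}|" "$f" > "$tmp"
  else
    { cat "$f"; printf '%s=%s\n' "$key" "$val"; } > "$tmp"
  fi
  mv "$tmp" "$f"
}
# Insert the two permissions at the top of the default "grant {" block (the one
# without a codeBase), once; the codeBase grants above it are left alone.
fips_policy() {                                 # $1 = java.policy
  local f="$1" tmp
  grep -q 'tlsAlgorithmsEnabled' "$f" && return 0
  cp -p "$f" "$f.bak"
  tmp="$(mktemp)"
  awk '
    /^[[:space:]]*grant[[:space:]]*[{]/ && !done {
      print
      print "        //FIPS and Bouncy castle required permissions"
      print "        permission java.lang.RuntimePermission \"accessClassInPackage.sun.security.internal.spec\";"
      print "        permission org.bouncycastle.crypto.CryptoServicesPermission \"tlsAlgorithmsEnabled\";"
      done = 1; next
    }
    { print }' "$f" > "$tmp"
  mv "$tmp" "$f"
}
# End state: BCFIPS first, exactly three active providers, urandom seed, PKIX
# factories, bcfks default store, and the policy permission present.
check_fips() {                                  # $1 = java.security, $2 = java.policy
  grep -q '^security\.provider\.1=org\.bouncycastle\.jcajce\.provider\.BouncyCastleFipsProvider$' "$1" &&
  [ "$(grep -c '^security\.provider\.[0-9]*=' "$1")" -eq 3 ] &&
  grep -q '^securerandom\.source=file:/dev/urandom$' "$1" &&
  grep -q '^ssl\.KeyManagerFactory\.algorithm=PKIX$' "$1" &&
  grep -q '^ssl\.TrustManagerFactory\.algorithm=PKIX$' "$1" &&
  grep -q '^keystore\.type=bcfks$' "$1" &&
  grep -q 'CryptoServicesPermission "tlsAlgorithmsEnabled"' "$2"
}
# Run the whole procedure on constructed excerpts in a temp dir; prints the dir.
demo() {
  local d; d="$(mktemp -d)"
  cat > "$d/java.security" <<'EOF'
# constructed excerpt of a stock Java 8 java.security (not the full file)
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
securerandom.source=file:/dev/random
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
keystore.type=jks
EOF
  cat > "$d/java.policy" <<'EOF'
grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
};

grant {
        permission java.lang.RuntimePermission "stopThread";
};
EOF
  fips_providers "$d/java.security"
  set_prop "$d/java.security" securerandom.source file:/dev/urandom
  set_prop "$d/java.security" ssl.KeyManagerFactory.algorithm PKIX
  set_prop "$d/java.security" ssl.TrustManagerFactory.algorithm PKIX
  set_prop "$d/java.security" keystore.type bcfks
  fips_policy "$d/java.policy"
  check_fips "$d/java.security" "$d/java.policy"
  echo "$d"
}

demo
```

    Point the functions at the real files under /usr/local/jive/java/jre/lib/security only after the demo passes on the copies; the .bak files they write are the backups the notes above ask for, and check_fips is a cheap thing to re-run after any later JDK patch that may have rewritten java.security.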

    4) Install the Bouncy Castle FIPS provider jars if they are not already present

    Download the jars below from the Bouncy Castle site and place them in /usr/local/jive/java/jre/lib/ext/

    Note: the latest version of Jive already ships these files; check the directory before downloading anything.

    Note: everything in lib/ext is loaded by every JVM started from this JAVA_HOME and gets AllPermission from the stock java.policy, so verify the downloaded jars against the checksums or signatures published on the Bouncy Castle site before placing them there.

    wget https://downloads.bouncycastle.org/fips-java/bc-fips-1.0.0.jar
    wget https://downloads.bouncycastle.org/fips-java/bcmail-fips-1.0.1.jar
    wget https://downloads.bouncycastle.org/fips-java/bcpkix-fips-1.0.1.jar

    5) Add JVM parameters for Jive and EAE

    Both services get the same settings: the trust store and the key store are the JVM's cacerts file, opened as a BCFKS store through the BCFIPS provider.

    a) Jive

    jive set webapp.custom_jvm_args ' -Djavax.net.ssl.trustStoreType=bcfks -Djavax.net.ssl.trustStoreProvider=BCFIPS -Djavax.net.ssl.keyStoreProvider=BCFIPS -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit'

    b) EAE

    jive set eae.custom_jvm_args ' -Djavax.net.ssl.trustStoreType=bcfks -Djavax.net.ssl.trustStoreProvider=BCFIPS -Djavax.net.ssl.keyStoreProvider=BCFIPS -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStore=/usr/local/jive/java/jre/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit'

    Note: "changeit" is the stock cacerts password. If you change it, update trustStorePassword and keyStorePassword here and the -storepass in step 7. These values end up on the JVM command line, where any local user can read them with ps, so treat the cacerts password accordingly.

    6) Get the SSL certificate from Azure Postgres: server.crt, or, if the server is reachable from this host, fetch it over the connection

    Run the command below to obtain the certificate chain. Postgres negotiates TLS inside its own protocol, so s_client needs -starttls postgres (available from OpenSSL 1.1.1); without it the handshake never starts:

    openssl s_client -starttls postgres -showcerts -servername <azure postgres server> -connect <azure postgres server>:<port> </dev/null

    Note: replace the server and port accordingly. The output lists the whole chain the server sent, leaf first; copy the block from "BEGIN CERTIFICATE" to "END CERTIFICATE" of the certificate you want to trust into a PEM file. The leaf certificate stops working when Azure rotates it, so the issuing CA certificate is the more durable trust anchor.
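    Splitting the chain that "openssl s_client -showcerts" prints into one PEM file per certificate, as an added example that is not part of the original page or of Jive's tooling; it makes it easy to pick the CA certificate rather than the leaf for step 7. The s_client output it parses is constructed here with placeholder bodies (not real certificates), and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not Jive's tooling): split the chain printed by
# "openssl s_client -showcerts" into one PEM file per certificate. The sample
# output below is constructed with placeholder bodies, not real certificates.
set -eu

# Read s_client output on stdin and write $1/cert-N.pem per certificate
# (cert-1 is the leaf the server presents first); print the count found.
split_chain() {                                 # $1 = output directory
  awk -v dir="$1" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
    keep { print > out }
    /^-----END CERTIFICATE-----$/   { keep = 0; close(out) }
    END { print n + 0 }'
}

# Structural check on one PEM file: a single BEGIN/END pair as first and last line.
pem_ok() {                                      # $1 = PEM file
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
  [ "$(grep -c -- '-----END CERTIFICATE-----' "$1")" -eq 1 ] &&
  [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] &&
  [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ]
}

# Constructed s_client-style output: two certificates with placeholder bodies.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify return:1
---
Certificate chain
 0 s:CN = example.postgres.database.azure.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBleafCONSTRUCTEDplaceholderNOTarealcertificate0000000000000000
AAAA
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBintermediateCONSTRUCTEDplaceholderNOTarealcertificate00000000
BBBB
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.postgres.database.azure.com
---
DONE'

# Split the sample, check both ends of the chain, print "<count> <dir>".
demo() {
  local d n
  d="$(mktemp -d)"
  n="$(printf '%s\n' "$SAMPLE_OUTPUT" | split_chain "$d")"
  pem_ok "$d/cert-1.pem" && pem_ok "$d/cert-$n.pem"
  echo "$n $d"
}

demo
```

    With real output, pipe the s_client command from step 6 into split_chain instead of the sample. cert-1.pem is the leaf; the highest-numbered file is the topmost CA the server sent (usually an intermediate, since servers rarely include the root). Confirm which is which with "openssl x509 -noout -subject -issuer -fingerprint -in cert-N.pem" and pass that file as -file in step 7.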

    7) Import the certificate (PEM file) into the keystore using the new provider (BCFKS).

    Before making changes:
    - Execute from the JAVA_HOME directory
    - Back up the certificate store (cacerts)
    - Make sure cacerts is already a BCFKS store. If it is still the stock JKS file, convert it first with keytool -importkeystore (-deststoretype BCFKS); the import below cannot open a JKS file as BCFKS.

    keytool -importcert -file <path to certificate or pem file> -keystore /usr/local/jive/java/jre/lib/security/cacerts -storetype BCFKS -providername BCFIPS -alias "Jive" -storepass changeit -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/local/jive/java/jre/lib/ext/bc-fips-1.0.0.jar

    Note: aliases must be unique within the store, so use a distinct alias for each certificate you import, and confirm the entry afterwards with keytool -list using the same store and provider options.

    8) Restart the Jive instance

    jive restart

    After the restart, check the Jive and EAE logs for provider errors (NoSuchProviderException, NoSuchAlgorithmException) and confirm that connections to Postgres and S3 succeed over TLS.