Our application is running on Oracle Open Source 'jdk1.8.0_151'. In it we are using cryptography libraries for AES-256 encryption and decryption of files. I want to know whether these libraries are FIPS 140-2 compliant or not. Can anybody help with this? Do I need to make any changes to make it FIPS 140-2 compliant?
1 Answer
> I want to know whether these libraries are FIPS 140-2 compliant or not.

If you are using an Oracle JDK with the Oracle JCE providers, then your application is not FIPS 140-2 compliant.
(See Which JCE providers are FIPS 140-2 compliant?)
> Do I need to make any changes to make it FIPS 140-2 compliant?

To get FIPS 140-2 compliance, you need to obtain and install a 3rd-party JCE provider implementation [1] that is FIPS 140-2 compliant, and configure your Oracle JDK or OpenJDK installation or your application's launcher to use that provider.
I found this Oracle page that tells you what needs to be done, assuming that you are using the RSA JCE provider. As the page explains, this can be done by either modifying the JDK's "security.policy" file, or by using -Djava.security.properties=... to supply an alternative policy file. The provider JAR files also need to be added to the classpath.
1 - Vendors for FIPS 140-2 compliant JCE providers include IBM, RSA and BouncyCastle.
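
A way to confirm that the provider configuration described in the answer actually took effect, as an added example that is not part of the original answer or of any vendor's code: it lists the registered JCE providers in preference order and reports which one serves the AES transformations. The class name `ProviderCheck`, the two transformations, and the expected provider name passed as the first argument are assumptions for illustration; take the real name from your provider's documentation.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class ProviderCheck {

    // Name of the provider that the JCA lookup actually selects for a
    // transformation when the application does not request one by name.
    static String servingProvider(String transformation) throws Exception {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the name under which the FIPS 140-2
        // provider registers itself (see the vendor's documentation).
        String expected = args.length > 0 ? args[0] : null;

        // Assumption: the application encrypts files with one of these.
        String[] transformations = {"AES/CBC/PKCS5Padding", "AES/GCM/NoPadding"};

        // Order matters: Cipher.getInstance(transformation) returns the
        // implementation from the first provider that supports it.
        System.out.println("Registered providers, in preference order:");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("  %d. %s%n", i + 1, providers[i]);
        }

        boolean ok = true;
        for (String t : transformations) {
            String actual = servingProvider(t);
            boolean match = expected == null || expected.equals(actual);
            ok &= match;
            System.out.printf("%-22s served by %-12s %s%n", t, actual,
                    expected == null ? "" : (match ? "OK" : "MISMATCH"));
        }

        // A non-zero exit lets a deployment check or CI job fail when AES
        // is still served by a provider other than the expected one.
        if (expected != null && !ok) {
            System.exit(1);
        }
    }
}
```

Run it with the same JVM options and classpath as the application, since the provider list depends on both.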
