Enable the Bouncy Castle FIPS libraries with the ForgeRock platform

Problem

ForgeRock customers who need to meet FIPS 140-2 compliance must use a FIPS 140-2 certified cryptographic module. NIST states these modules may be implemented in hardware, software, or a combination of the two. ForgeRock has documented how to use a FIPS 140-2 certified cryptographic module connected to an HSM via a PKCS#11 interface with the ForgeRock products. However, HSMs come with some significant financial and performance costs which customers may wish to avoid. Customers may wish to explore using a software cryptographic module instead of an HSM. This article will describe how the Bouncy Castle FIPS libraries can be integrated with JDK 11 in a ForgeRock platform deployment using AM running on Tomcat and DS, and we will identify some of the current limitations.

Bouncy Castle FIPS

The Java Bouncy Castle libraries have been certified as FIPS 140-2 compliant, and they are in the process of being validated for FIPS 140-3 as of September 2022. More information about the Bouncy Castle Java FIPS Resources can be found at bouncycastle.org. The ForgeRock product dependencies are found within the JCA-JCE Provider, named bc-fips, the TLS implementation, bctls-fips, and the PKIX implementation, bcpkix-fips. The provider’s name is BCFIPS.

BCFIPS has two modes of operation. By default, it runs in ‘non-approved’ mode meaning it allows cryptography which is both approved and not approved for FIPS 140-2 operations. With the addition of a Java option, -Dorg.bouncycastle.fips.approved_only=true, the BCFIPS provider limits cryptographic operations to only those approved for FIPS 140-2 operations. The ForgeRock applications include algorithms which are both approved and not approved. Most, if not all, of these algorithms can be configured to use an approved algorithm. However, at this time, it is the customer’s responsibility to ensure they have configured an approved algorithm as the ForgeRock products are not configured to limit this for themselves yet. As this configuration is the same as is required for HSM use, we will rely on the current product documentation rather than discussing it further here.

Four keystore types are supported by BCFIPS: PKCS#12, BCFKS, JKS, and FIPS. PKCS#12 is not available in approved mode. BCFKS is available in approved mode and can store certificates as well as some secret types. The FIPS keystore type reads both BCFKS files and JKS files, with one caveat: it will not accept a JKS file containing a secret or private key. The JKS keystore type must be enabled explicitly by setting the system property -Dorg.bouncycastle.jca.enable_jks=true, and, like the FIPS type, it only supports files that contain nothing but certificates.

Solution

Steps to enable BCFIPS with ForgeRock products

Three high-level changes must be made to a ForgeRock product deployment to enable it to run in FIPS approved mode using the Bouncy Castle FIPS libraries:

  1. the JVM providers must include the BCFIPS libraries
  2. keystores available in approved mode must be configured
  3. algorithms available in approved mode must be configured.

As the algorithm changes are covered in standard documentation, this article will describe only the JVM changes and keystore changes required for each product.

JVM configuration

Enable non-approved mode

NOTE: non-approved mode is required to enable use of the BCFIPS keystores and algorithms while transitioning your application to configuration which is available in approved mode.

  1. Download the FIPS Provider, TLS, and PKIX jar files from the Bouncy Castle website to your chosen download location. This example uses ~/Downloads.
  2. Run jlink from your current JDK to create a new version with the BCFIPS modules included:
/path/to/jvm/bin/jlink --no-header-files \
--no-man-pages \
--compress=2 \
--module-path ~/Downloads \
--add-modules java.se,jdk.unsupported,org.bouncycastle.fips.core,org.bouncycastle.fips.tls \
--output /tmp/bcjava \
--ignore-signing-information
  3. Edit this new JDK’s java.security file. For example: /tmp/bcjava/conf/security/java.security
    • Add the Bouncy Castle FIPS security providers as the first two providers, and renumber the original providers so the sequence stays contiguous. NOTE: The Bouncy Castle providers require the SUN provider, so leave it configured even if you remove other providers from the list.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS
security.provider.3=SUN
security.provider.4=SunJCE
(default provider list continues)
    • Configure the SSL KeyManagerFactory algorithm to use PKIX, which is supported by the bcpkix-fips library.
ssl.KeyManagerFactory.algorithm=PKIX
  4. Add the system property -Dorg.bouncycastle.rsa.allow_multi_use=true to the Java Options to enable the use of RSA algorithms

    • For DS, this is configured in /path/to/opendj/config/java.properties as default-java-opts
    • For AM running on Tomcat, this is configured in /path/to/tomcat/bin/setenv.sh as CATALINA_OPTS
  5. Edit the JAVA_HOME variables for the system and each application

    • This step causes the application to use the BCFIPS enabled JVM rather than the default installed JVM
    • If the application fails using the BCFIPS enabled JVM, you can easily point the application’s JAVA_HOME variable back to the default installed JVM while you investigate what went wrong
    • At the system level, export the JAVA_HOME variable as appropriate for your OS and/or company’s best practices
    • The transition steps below document how to set this variable for each ForgeRock application
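Because a mis-ordered provider list or a leftover SunX509 setting only shows up as a startup failure later (see the known errors at the end of this article), it is worth checking the edited java.security before switching JAVA_HOME. The script below is an added example, not part of the original article or of the Bouncy Castle or ForgeRock tooling: it checks the four things the step above asks for (BCFIPS as provider 1, the JSSE provider as provider 2 with the BCFIPS argument, SUN still present, ssl.KeyManagerFactory.algorithm=PKIX) and additionally that provider numbers are contiguous, since the JVM stops reading security.provider.N at the first gap. The two sample files it writes are constructed for the demonstration; a provider 1 line that carries DRBG arguments (as in the random number generator section below) still passes.

```shell
#!/bin/sh
# Added example (not from the original article): lint a java.security file for the
# settings this article requires before pointing JAVA_HOME at the jlink'd JDK.
# The sample files written below are constructed for illustration only.

# Print one line per problem found in the file; return 0 when every check passes.
check_java_security() {
    file="$1"
    rc=0
    # Drop comment lines; everything else is key=value.
    props=$(grep -v '^[[:space:]]*#' "$file")

    # 1. BCFIPS must be provider 1 (trailing DRBG arguments are allowed).
    if ! printf '%s\n' "$props" | grep -q '^security\.provider\.1=org\.bouncycastle\.jcajce\.provider\.BouncyCastleFipsProvider'; then
        echo "provider 1 is not BouncyCastleFipsProvider"; rc=1
    fi
    # 2. The JSSE provider must be provider 2 and be told to use BCFIPS for its crypto.
    if ! printf '%s\n' "$props" | grep -q '^security\.provider\.2=org\.bouncycastle\.jsse\.provider\.BouncyCastleJsseProvider BCFIPS$'; then
        echo "provider 2 is not 'BouncyCastleJsseProvider BCFIPS' (DS fails with 'only SunJSSE KeyManagers may be used')"; rc=1
    fi
    # 3. SUN must stay in the list: the Bouncy Castle providers depend on it.
    if ! printf '%s\n' "$props" | grep -q '^security\.provider\.[0-9][0-9]*=SUN$'; then
        echo "SUN provider missing"; rc=1
    fi
    # 4. Numbering must run 1,2,3,... without gaps; the JVM ignores everything after a gap.
    expected=1
    for n in $(printf '%s\n' "$props" | sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' | sort -n); do
        if [ "$n" -ne "$expected" ]; then
            echo "provider numbering gap: found $n, expected $expected"; rc=1; break
        fi
        expected=$((expected + 1))
    done
    # 5. KeyManagerFactory must be PKIX; SunX509 is not provided by BCFIPS.
    if ! printf '%s\n' "$props" | grep -q '^ssl\.KeyManagerFactory\.algorithm=PKIX$'; then
        echo "ssl.KeyManagerFactory.algorithm is not PKIX (DS fails with 'SunX509 KeyManagerFactory not available')"; rc=1
    fi
    return $rc
}

# Constructed sample files for the demonstration (not real JDK files).
tmp=$(mktemp -d)
cat > "$tmp/good.security" <<'EOF'
# constructed: provider list edited as the article describes, with a DRBG argument on provider 1
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS
security.provider.3=SUN
security.provider.4=SunJCE
ssl.KeyManagerFactory.algorithm=PKIX
EOF
cat > "$tmp/bad.security" <<'EOF'
# constructed: JSSE provider forgotten, numbering gap after 2, SunX509 left in place
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=SUN
security.provider.4=SunJCE
ssl.KeyManagerFactory.algorithm=SunX509
EOF

check_java_security "$tmp/good.security" && echo "good.security: OK"
check_java_security "$tmp/bad.security" || echo "bad.security: fix the problems above before switching JAVA_HOME"
```

Run it against /tmp/bcjava/conf/security/java.security (or whichever path your jlink output used) as `check_java_security /tmp/bcjava/conf/security/java.security`; a non-zero exit means at least one of the known startup errors is waiting for you.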

Working with BCFKS keystores

You may find it helpful to set your system $JAVA_HOME to the BCFIPS path to ensure any keytool commands you execute can use the BCFIPS provider. If you use the keytool command from the default JVM, you will need to add the following parameters when configuring BCFKS keystores:

-providerpath /path/to/downloads/bc-fips-1.0.2.3.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

Define default random number generator

The BCFIPS default random number generator may not perform as desired or provide adequate random number generation. Note: to make the default DRBG suitable for key generation, it is configured to be prediction resistant, which can strain the JVM’s entropy source, especially if no hardware RNG is available. See section 2.3, Provider configuration, of the BC-FJA-UserGuide-1.0.2 for more information on how to define an appropriate generator for your requirements.

When this happens, keytool may hang with no output. Defining a default random number generator during setup helps avoid this.

In the java.security security provider list, for example, this would look like:

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};

Enable FIPS approved mode

NOTE: approved mode requires all steps for enabling non-approved mode in addition to the following step.

  1. After all keystores and algorithms have been configured to those supported by BCFIPS approved mode, set this property in the Java Options: -Dorg.bouncycastle.fips.approved_only=true

    • This option enables ‘approved’ mode within the BCFIPS provider which will limit the modules to only allow approved algorithms. By default this attribute is false.
    • If you observe errors after enabling this option, identify which component of your deployment is throwing the errors and consider whether the keystores or algorithms are configured to those supported by the BCFIPS libraries and modify their configuration as needed.

DS transition

  1. Configure your JVM following the non-approved mode steps above

  2. Configure /path/to/opendj/config/java.properties > default.java-home to reference the Bouncy Castle FIPS JAVA_HOME. For example: default.java-home=/tmp/bcjava

  3. Perform basic DS setup using appropriate profiles for your use.

    • You may find it helpful to skip the -start option and perform the following steps in --offline mode
  4. Convert the DS keystore to BCFKS, as this is the most suitable keystore type in BCFIPS approved mode

    • The dskeymgr command did not support BCFKS at the time of publishing, so it may be necessary to use keytool to manage all keys and secrets.

keytool -importkeystore \
-srckeystore <path to source key/trust store file> \
-srcstoretype <PKCS12, JKS, or source key store's type> \
-deststoretype BCFKS \
-destkeystore <path to the destination key/trust store file> \
-srcstorepass <source key/trust store password> \
-destkeypass <destination key/trust store key password of the imported private keys> \
-deststorepass <destination key/trust store password> \
-providerpath /path/to/bc-fips-1.0.2.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

  • Alias ca-cert does not import to BCFKS with -importkeystore because it is not password protected. Export it with ‘keytool -export -rfc’ and import the certificate into the BCFKS keystore instead:
keytool -export -alias ca-cert -keystore \
/opt/opendj/config/keystore -storepass:file \
/opt/opendj/config/keystore.pin -storetype PKCS12 \
-rfc -file ca-cert.crt
keytool -import -trustcacerts \
-alias ca-cert \
-file ca-cert.crt \
-keystore /opt/opendj/config/keystore.bcfks \
-storepass:file \
/opt/opendj/config/keystore.pin.bcfks \
-storetype BCFKS \
-providerpath /path/to/downloads/bc-fips-1.0.2.3.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  • Compare the keystore content between the PKCS12 and BCFKS keystores
keytool -list -alias ca-cert -v -keystore /opt/opendj/config/keystore -storepass:file /opt/opendj/config/keystore.pin -storetype PKCS12

NOTE: Some of the v3 extensions do not appear in output when using keytool -list with the BCFKS provider.

keytool -list -alias ca-cert -v -keystore /opt/opendj/config/keystore.bcfks -storepass:file /opt/opendj/config/keystore.pin.bcfks -storetype BCFKS -providerpath /path/to/downloads/bc-fips-1.0.2.3.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  5. Configure DS /path/to/opendj/config/java.properties > default.java-home to point to the Bouncy Castle FIPS JAVA_HOME

  6. Stop DS (if started) before continuing

  7. Configure the DS providers to use the BCFKS keystore

  8. Key Manager Provider

  • Add BCFIPS Provider using BCFKS keystore
  • Enable BCFIPS Provider
dsconfig create-key-manager-provider \
--set enabled:true \
--set key-store-file:config/keystore.bcfks \
--set key-store-pin:\&{file:config/keystore.pin.bcfks} \
--set key-store-type:BCFKS \
--type file-based \
--provider-name BCFIPS \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
  9. Trust Manager Provider

    • Add BCFIPS Provider using BCFKS keystore
    • Enable BCFIPS Provider
dsconfig create-trust-manager-provider \
--set enabled:true \
--set trust-store-file:config/keystore.bcfks \
--set trust-store-pin:\&{file:config/keystore.pin.bcfks} \
--set trust-store-type:BCFKS \
--type file-based \
--provider-name BCFIPS \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
  10. Crypto Manager
  • Set key-manager-provider → BCFIPS
dsconfig set-crypto-manager-prop \
--set key-manager-provider:BCFIPS \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
  11. Connection Handlers (ALL)
  • Set key-manager-provider → BCFIPS
  • Set trust-manager-provider → BCFIPS
dsconfig set-connection-handler-prop \
--handler-name LDAP \
--set key-manager-provider:BCFIPS \
--set trust-manager-provider:BCFIPS \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
dsconfig set-connection-handler-prop \
--handler-name LDAPS \
--set key-manager-provider:BCFIPS \
--set trust-manager-provider:BCFIPS \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
dsconfig set-connection-handler-prop \
--handler-name HTTPS \
--set key-manager-provider:BCFIPS \
--set trust-manager-provider:BCFIPS \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
  12. Synchronization Provider
  • Set key-manager-provider → BCFIPS
  • Set trust-manager-provider → BCFIPS
dsconfig set-synchronization-provider-prop \
--set key-manager-provider:BCFIPS \
--set trust-manager-provider:BCFIPS \
--provider-name Multimaster\ Synchronization \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
  13. Administrative Connector
  • Set key-manager-provider → BCFIPS
  • Set trust-manager-provider → BCFIPS
dsconfig set-administration-connector-prop \
--set key-manager-provider:BCFIPS \
--set trust-manager-provider:BCFIPS \
--offline \
--configFile /opt/opendj/config/config.ldif \
--no-prompt
  14. Start DS
  15. Configure approved mode compliant algorithms following the existing DS documentation
  16. Enable FIPS approved mode to test
  17. Observe the logs and adjust the configuration in response to errors

Tomcat transition

REMINDER: AM runs in a Java application container, such as Tomcat. As such, the JVM settings are configured at the Tomcat level rather than within AM itself. Transition Tomcat to the BCFIPS enabled JVM first, then proceed to the AM transition steps.

  1. Follow the non-approved mode instructions above
  2. Install Tomcat
  3. Configure Tomcat to use the BCFIPS JVM by setting JAVA_HOME=/tmp/bcjava in the /etc/systemd/system/tomcat.service file
  4. Edit the Tomcat setenv.sh file and add the following line:

JDK_JAVA_OPTIONS="--add-exports java.base/sun.security.internal.spec=org.bouncycastle.fips.core"

  5. Import the existing keystore containing the TLS cert into a BCFKS keystore.
keytool -importkeystore -srckeystore /path/to/tomcat/config/keystore.p12 \
-srcstoretype <PKCS12, JKS, or source key store's type> \
-deststoretype BCFKS \
-destkeystore /path/to/tomcat/config/keystore.bcfks \
-srcstorepass <source keystore password> \
-srckeypass <source keystore key password of the private key being imported> \
-destkeypass <destination keystore key password of the imported private keys> \
-deststorepass <destination keystore password> \
-providerpath /path/to/downloads/bc-fips-1.0.2.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-alias <existing alias name>
  6. Confirm the existing keystore entry has been imported
keytool -list \
-keystore /path/to/tomcat/config/keystore.bcfks \
-storepass <store password> \
-storetype BCFKS \
-providername BCFIPS \
-providerpath /path/to/bc-fips-1.0.2.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  7. Edit the Tomcat server.xml file:
  • Update the SSL connector to use a BCFIPS compatible keystore and truststore. The compatible store type is BCFKS.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" xpoweredBy="false">
<SSLHostConfig>
<Certificate certificateKeystoreFile="/opt/fram/conf/tomcat_keystore.bcfks"
certificateKeystorePassword="********************"
certificateKeystoreType="BCFKS"
certificateKeystoreProvider="BCFIPS" />
</SSLHostConfig>
</Connector>
  • Add the following Manager element inside the Context element to specify BCFIPS as the secure random provider:
<Context path="">
<Manager className="org.apache.catalina.session.StandardManager" secureRandomProvider="BCFIPS" secureRandomAlgorithm="DEFAULT" />
</Context>
  8. (Optional) Edit the Tomcat ‘/path/to/tomcat/bin/setenv.sh’ file and add the following line if you would like to see security debugging output:
JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=all"
  • java.security.debug=all generates a lot of output, so only use it while you are actively debugging Java.
  • Options include jca, jce, ssl, all.

AM transition

NOTE: Wait to install AM until after preparing to use stronger encryption algorithms (Step 5)

  1. Follow the non-approved mode instructions above
  2. Ensure the DS bind account used by AM has a sufficiently long password.
  • Initial tests with a 20 character password returned errors about password with 122 bit size required
  • After setting a 40 character password, these errors stopped
  3. Create an AM truststore

  4. This will result in a JKS truststore, so you will need to ensure you either:

    • Use the FIPS trustStoreType (which can read both FIPS and JKS keystores) by setting the system property -Djavax.net.ssl.trustStoreType=FIPS in your CATALINA_OPTS
    • Explicitly enable the JKS trustStoreType by setting the system property -Dorg.bouncycastle.jca.enable_jks=true in your CATALINA_OPTS
    • (Optional) You might also be able to convert this keystore to BCFKS
  5. Prepare to use stronger encryption algorithms

    • NOTE: this step must be done BEFORE installing AM as no migration of this configuration is possible after AM is installed!
  6. Perform a custom AM install using external FIPS approved mode DS instance(s) for Config, CTS, and UserStore

  7. Follow the steps to replace the default AM keystore, but use the BCFKS keystore type

  8. Generate secret entries in the new BCFKS keystore

  • SecretKey entries are unable to be imported to BCFKS as they are not password protected
  • New Secrets must be created in the BCFKS keystore instead

secret - directenctest (Symmetric Direct AES encryption key)

keytool -genseckey \
-alias directenctest \
-keyalg AES \
-keysize 256 \
-storetype BCFKS \
-keystore /path/to/tomcat/am/security/keystores/am_keystore.bcfks \
-storepass:file /path/to/tomcat/am/security/secrets/default/.storepass.bcfks \
-keypass:file /path/to/tomcat/am/security/secrets/default/.keypass.bcfks \
-providerpath /path/to/downloads/bc-fips-1.0.2.3.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

secret - hmacsigningtest (Symmetric HMAC key)

keytool -genseckey \
-alias hmacsigningtest \
-keyalg HmacSHA256 \
-keysize 256 \
-storetype BCFKS \
-keystore /path/to/tomcat/am/security/keystores/am_keystore.bcfks \
-storepass:file /path/to/tomcat/am/security/secrets/default/.storepass.bcfks \
-keypass:file /path/to/tomcat/am/security/secrets/default/.keypass.bcfks \
-providerpath /path/to/downloads/bc-fips-1.0.2.3.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

secret - selfservicesigntest (Symmetric secret signing key)

keytool -genseckey \
-alias selfservicesigntest \
-keyalg HmacSHA256 \
-keysize 256 \
-storetype BCFKS \
-keystore /path/to/tomcat/am/security/keystores/am_keystore.bcfks \
-storepass:file /path/to/tomcat/am/security/secrets/default/.storepass.bcfks \
-keypass:file /path/to/tomcat/am/security/secrets/default/.keypass.bcfks \
-providerpath /path/to/downloads/bc-fips-1.0.2.3.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  9. List the keystore afterward to confirm the secrets were created
keytool -list -v \
-keystore /path/to/tomcat/am/security/keystores/am_keystore.bcfks \
-storepass:file /path/to/tomcat/am/security/secrets/default/.storepass.bcfks \
-keypass:file /path/to/tomcat/am/security/secrets/default/.keypass.bcfks \
-providerpath /path/to/downloads/bc-fips-1.0.2.3.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  10. Import certificate aliases from the default JCEKS keystore to the BCFKS keystore one at a time
keytool -importkeystore \
-srckeystore /opt/tomcat/am/am/security/keystores/keystore.jceks \
-srcstoretype JCEKS \
-destkeystore /opt/tomcat/am/am/security/keystores/am_keystore.bcfks \
-deststoretype BCFKS \
-srckeypass:file /opt/tomcat/am/am/security/secrets/default/.keypass \
-srcstorepass:file /opt/tomcat/am/am/security/secrets/default/.storepass \
-destkeypass:file /opt/tomcat/am/am/security/secrets/default/.keypass.bcfks \
-deststorepass:file /opt/tomcat/am/am/security/secrets/default/.storepass.bcfks \
-providerpath /path/to/downloads/bc-fips-1.0.2.3.jar \
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-alias es256test

(import each PrivateKey entry separately by its alias name)

  • es256test
  • es384test
  • es512test
  • rsajwtsigningkey
  • selfserviceenctest
  • test

NOTE: The following secrets will be moved to the new bootstrap keystore by AM after you configure this keystore as the default-keystore. You do not need to attempt to move them yourself.

  • configstorepwd
  • dsameuserpwd

You may want to list the JCEKS and BCFKS keystores at this point to validate all but the configstorepwd and dsameuserpwd (which should only be in the JCEKS keystore at this point) are in both keystores.
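The per-alias imports above, together with the ca-cert case in the DS section (a certificate-only entry that -importkeystore refuses because it carries no password, so it has to be exported with -rfc and imported as a trusted certificate), follow the same two patterns for every entry. The script below is an added example, not part of the original article or of the ForgeRock or Bouncy Castle tooling: it drives keytool for a list of entries tagged as key or cert, refuses unknown kinds, and defaults to DRY_RUN=1 so it only prints the commands until you are happy with them. All paths, the alias list and the DRY_RUN switch are assumptions for the demonstration; set the SRC_*/DST_* variables to your own locations.

```shell
#!/bin/sh
# Added example (not from the original article): migrate keystore entries into a
# BCFKS keystore. Private-key entries go through -importkeystore; certificate-only
# entries (like DS's ca-cert) go through -export -rfc followed by -import -trustcacerts,
# which is the workaround the article gives. Paths, aliases and DRY_RUN are assumptions.

SRC_KEYSTORE=${SRC_KEYSTORE:-/path/to/source/keystore.jceks}
SRC_TYPE=${SRC_TYPE:-JCEKS}
SRC_STOREPASS=${SRC_STOREPASS:-/path/to/secrets/.storepass}   # file holding the password
SRC_KEYPASS=${SRC_KEYPASS:-/path/to/secrets/.keypass}
DST_KEYSTORE=${DST_KEYSTORE:-/path/to/destination/keystore.bcfks}
DST_STOREPASS=${DST_STOREPASS:-/path/to/secrets/.storepass.bcfks}
DST_KEYPASS=${DST_KEYPASS:-/path/to/secrets/.keypass.bcfks}
BCFIPS_JAR=${BCFIPS_JAR:-/path/to/downloads/bc-fips-1.0.2.3.jar}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the keytool commands only; 0 = execute them

# Provider arguments needed whenever keytool comes from a JVM without BCFIPS configured.
BC_PROVIDER="-providerpath $BCFIPS_JAR -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Private-key entry: -importkeystore copies the key and its certificate chain together.
migrate_key_entry() {
    alias="$1"
    run keytool -importkeystore \
        -srckeystore "$SRC_KEYSTORE" -srcstoretype "$SRC_TYPE" \
        -srcstorepass:file "$SRC_STOREPASS" -srckeypass:file "$SRC_KEYPASS" \
        -destkeystore "$DST_KEYSTORE" -deststoretype BCFKS \
        -deststorepass:file "$DST_STOREPASS" -destkeypass:file "$DST_KEYPASS" \
        $BC_PROVIDER -alias "$alias"
}

# Certificate-only entry: export the certificate as PEM, then import it as trusted.
migrate_cert_entry() {
    alias="$1"
    pem="${TMPDIR:-/tmp}/$alias.crt"
    run keytool -export -rfc -alias "$alias" \
        -keystore "$SRC_KEYSTORE" -storetype "$SRC_TYPE" \
        -storepass:file "$SRC_STOREPASS" -file "$pem"
    run keytool -import -trustcacerts -noprompt -alias "$alias" -file "$pem" \
        -keystore "$DST_KEYSTORE" -storetype BCFKS \
        -storepass:file "$DST_STOREPASS" $BC_PROVIDER
}

# Entries are given as "alias:kind", kind being key or cert. Unknown kinds abort with status 1.
migrate_entries() {
    n=0
    for spec in "$@"; do
        alias=${spec%%:*}
        kind=${spec#*:}
        case "$kind" in
            key)  migrate_key_entry "$alias" ;;
            cert) migrate_cert_entry "$alias" ;;
            *)    echo "unknown entry kind '$kind' for alias $alias" >&2; return 1 ;;
        esac
        n=$((n + 1))
    done
    echo "migrated $n entries" >&2
}

# Constructed alias list mirroring the article's examples; ca-cert is the certificate-only case.
migrate_entries es256test:key es384test:key es512test:key rsajwtsigningkey:key \
                selfserviceenctest:key test:key ca-cert:cert
```

Leave configstorepwd and dsameuserpwd out of the list, as the note above explains; AM moves those itself once the new keystore is configured as the default.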

  11. Add a BCFKS secret store and map the secrets in the default-keystore secret store to the new BCFKS-keystore secret store
  12. Follow the steps in this article to change the bootstrap keystore

    • Configure the bootstrap keystore settings using the new AM keystore created above (Keystore type - BCFKS) and restart AM while the old keystore is still accessible.
    • The startup process does the following:
    1. uses the original keystore to boot up
    2. writes the password strings in the new keystore
    3. rewrites the boot.json file.
  13. When AM restarts, it should be running in BCFIPS non-approved mode using the available keystores and secret stores

  14. (Optional) Delete the default-keystore secret store configuration

NOTE: Only delete the default keystore file AFTER confirming the default keystore configuration has been updated to a new AM keystore (step 8). Consider renaming the default keystore and restarting Tomcat to confirm the migration before deleting the default keystore file.

  15. Configure all algorithms to those available via the BCFIPS provider
  16. Enable approved mode and resolve issues

Limitations

  • As of the publishing of this article IDM is unable to recognize the BCFIPS provider when configured. This is necessary to configure secrets mapped to a BCFKS keystore. Support for additional keystores is expected to be added in a future release.

  • Other software cryptography modules may also be able to follow this same pattern, but only the Bouncy Castle FIPS libraries have been tested at this time.

  • Use of the Bouncy Castle FIPS libraries with the ForgeRock Products has not been tested by ForgeRock and is not officially supported at this time. Please discuss your plans with your Customer Success Outcome Manager or Sales Representative and seriously consider engaging DSS for assistance should you desire to implement these libraries in a Production environment.

Additional references

Known errors

From DS:

  • This error means security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS is not configured.

category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerShutdown, alert ID org.opends.messages.core-141): The Directory Server has started the shutdown process. The shutdown was initiated by an instance of class org.opends.server.core.DirectoryServer and the reason provided for the shutdown was An error occurred while attempting to bootstrap the Directory Server: Other: An error occurred while attempting to initialize the SSL context for use in the LDAP Connection Handler: KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used at SSLContextImpl.java:166 SSLContextImpl.java:82 SSLContext.java:297 SslOptions.java:221 SslUtils.java:145 LDAPConnectionHandler.java:728 LDAPConnectionHandler.java:274 LDAPConnectionHandler.java:438 LDAPConnectionHandler.java:148 ConnectionHandler.java:186 AdministrationConnector.java:84 ConnectionHandlerConfigManager.java:173 ConnectionHandlerConfigManager.java:149 DirectoryServer.java:1628 DirectoryServer.java:1479 StartDs.java:332 StartDs.java:124 DirectoryServer.java:3177

  • This error means the JKS keystore type is not enabled in the JVM. Solution: set the system property -Dorg.bouncycastle.jca.enable_jks=true in Java Options and restart DS.

An error occurred while attempting to bootstrap the Directory Server: Other: An error occurred while trying to create a key manager factory to access the contents of keystore file /opt/opendj/config/keystore: UnrecoverableKeyException: Get Key failed: EC KeyFactory not available at PKCS12KeyStore.java:446 KeyStoreDelegator.java:90 KeyStore.java:1057 SunX509KeyManagerImpl.java:145 KeyManagerFactoryImpl.java:70 KeyManagerFactory.java:271 FileBasedKeyManagerProvider.java:241 FileBasedKeyManagerProvider.java:220 CryptoManager.java:438 CryptoManager.java:399 CryptoManager.java:340 CryptoManager.java:291 DirectoryServer.java:1578 DirectoryServer.java:1420 StartDs.java:332 StartDs.java:124 DirectoryServer.java:3177 / (1) caused by NoSuchAlgorithmException: EC KeyFactory not available at KeyFactory.java:138 KeyFactory.java:183 PKCS12KeyStore.java:404 PKCS12KeyStore.java:276 PKCS12KeyStore.java:381 … 16 more

  • This error indicates the java.security ssl.KeyManagerFactory.algorithm is set to SUNX509 which the BCFIPS providers do not support. PKIX is supported by the bcjsse-fips provider. Solution: Update java.security file property ssl.KeyManagerFactory.algorithm=SUNX509 to ssl.KeyManagerFactory.algorithm=PKIX.

category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerShutdown, alert ID org.opends.messages.core-141): The Directory Server has started the shutdown process. The shutdown was initiated by an instance of class org.opends.server.core.DirectoryServer and the reason provided for the shutdown was An error occurred while attempting to bootstrap the Directory Server: Other: An error occurred while trying to create a key manager factory to access the contents of keystore file /opt/opendj/config/keystore.bcfks: NoSuchAlgorithmException: SunX509 KeyManagerFactory not available at GetInstance.java:159 KeyManagerFactory.java:148 FileBasedKeyManagerProvider.java:240 FileBasedKeyManagerProvider.java:220 CryptoManager.java:438 CryptoManager.java:399 CryptoManager.java:340 CryptoManager.java:291 DirectoryServer.java:1578 DirectoryServer.java:1420 StartDs.java:332 StartDs.java:124 DirectoryServer.java:3177

  • This error means the JAVA_HOME variable is pointed at a JVM without the Bouncy Castle TLS FIPS provider configured as provider 2.

category=EXTENSIONS severity=ERROR msgID=63 msg=The keystore type BCFKS specified in attribute ds-cfg-key-store-type of configuration entry cn=BCFIPS,cn=Key Manager Providers,cn=config is not valid: KeyStoreException: BCFKS not found at KeyStore.java:878 FileBasedKeyManagerProvider.java:383 FileBasedKeyManagerProvider.java:364 FileBasedKeyManagerProvider.java:397 FileBasedKeyManagerProvider.java:174 FileBasedKeyManagerProvider.java:83 KeyManagerProvider.java:154 KeyManagerProviderConfigManager.java:230 KeyManagerProviderConfigManager.java:94 DirectoryServer.java:1572 DirectoryServer.java:1420 StartDs.java:332 StartDs.java:124 DirectoryServer.java:3177 / (1) caused by NoSuchAlgorithmException: BCFKS KeyStore not available at GetInstance.java:159 Security.java:733 KeyStore.java:875 … 13 more
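When DS refuses to start, the lines above are the ones to look for in logs/errors. The script below is an added example, not part of the original article or of DS: it reads a DS error log on stdin, matches the four signatures listed in this section, and prints the corresponding fix from the article, returning 0 when at least one known error was found. The sample log it feeds itself is constructed from abbreviated versions of the messages above.

```shell
#!/bin/sh
# Added example (not from the original article): map the known DS startup errors
# listed in this article to the fix the article gives for each.

# Read a DS error log on stdin; print one diagnosis per known error.
# Returns 0 if at least one known error was matched, 1 otherwise.
diagnose_ds_log() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"only SunJSSE KeyManagers may be used"*)
                echo "provider 2 missing: add 'security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider BCFIPS' to java.security"
                found=0 ;;
            *"EC KeyFactory not available"*)
                echo "JKS keystore type not enabled: add -Dorg.bouncycastle.jca.enable_jks=true to the Java Options and restart DS"
                found=0 ;;
            *"SunX509 KeyManagerFactory not available"*)
                echo "KeyManagerFactory is SunX509: set ssl.KeyManagerFactory.algorithm=PKIX in java.security"
                found=0 ;;
            *"BCFKS not found"*|*"BCFKS KeyStore not available"*)
                echo "BCFKS type unknown: JAVA_HOME/default.java-home points at a JVM without the Bouncy Castle FIPS providers configured"
                found=0 ;;
        esac
    done
    return $found
}

# Constructed sample log: two abbreviated known errors plus one unrelated line.
SAMPLE_LOG='category=CORE severity=NOTICE msgID=139 msg=... An error occurred while attempting to initialize the SSL context for use in the LDAP Connection Handler: KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used at SSLContextImpl.java:166
category=EXTENSIONS severity=ERROR msgID=63 msg=The keystore type BCFKS specified in attribute ds-cfg-key-store-type of configuration entry cn=BCFIPS,cn=Key Manager Providers,cn=config is not valid: KeyStoreException: BCFKS not found at KeyStore.java:878
category=CORE severity=NOTICE msgID=999 msg=constructed unrelated line'

printf '%s\n' "$SAMPLE_LOG" | diagnose_ds_log
```

On a real instance run it as `diagnose_ds_log < /opt/opendj/logs/errors`; an exit status of 1 means none of the four known signatures were present and the failure is something this article does not cover.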


Is there a procedure to use bouncy castle with IDM?


Hi @guslers, thank you for raising this question.

With the release of IDM 7.3, Bouncy Castle FIPS is now supported as a security provider.

For further details on this feature, please refer to the IDM 7.3 release notes: IDM 7.3 Release Notes.

Support for Bouncy Castle FIPS
IDM now supports the use of Bouncy Castle FIPS as a security provider. Bouncy Castle FIPS is useful when dealing with government data, where meeting the FIPS 140-2 security requirement is necessary for regulatory compliance.
For information on how to configure Bouncy Castle, refer to FIPS 140-2 compliance.

For Bouncy Castle installation procedures, you can find the detailed steps in the IDM documentation.

FIPS 140-2 compliance:: IDM 7.3.0

I hope you find this information helpful.

Cheers,

Sheila