FIPS compliance? (jdk 17)

[guykatz]

Hi all;
for a specific customer I am requested to have FIPS 140-2 compliance.
are there any specifics for using eclipse tumerin under these compliance requirements?
any pointers would be great.
thanks

[tellison]

Hi @guykatz.

It requires some level of knowledge to run an unmodified OpenJDK build (including Eclipse Temurin) in FIPS 140-2 compliant mode. You would need to configure the Java runtime to use a set of FIPS certified algorithms (such as Bouncy Castle, or others); but in general it is a task best suited to the runtime provider. At the moment, Eclipse do not provide a FIPS-enabled runtime out of the box.

You might consider Red Hat OpenJDK 11, or IBM Semeru, or others.

[guykatz]

thanks @tellison
your post helped a lot. I didnt know semeru existed so its another option on my table...
I think my problem will be that of when using a FIPS complient java runtime, I will problably break some parts of my existing app which use non compiant FIPS cyphers, env algorithms, hashing etc.
it is a good practive to simply try to run my app on a fips compliant runtime and just let it fail where there are compatability issues?
I am not aware of a scanner that can tell me if my code is ok or not...

[tellison]

I don't think there is a scanner, so given it is your app it is worth reviewing your usage of the cyphers and algorithms to see if you are specifying anything rather than relying on system negotiations and defaults. Having a good set of tests will indeed help you understand the impact of running in FIPS mode. But, yes, no tools that I know of to check for you.