BouncyCastle FIPS 140-2

BouncyCastle FIPS 140-2 supports both IBM Java and Oracle Java. The BouncyCastle FIPS files are distributed with MFT.

When using IBM Java, enter N at the prompt that asks whether you want to use FIPS mode. Follow the instructions in Configuring BouncyCastle FIPS 140-2 to enable or disable BouncyCastle FIPS mode.

Note: BouncyCastle FIPS cannot be used when IBM FIPS is enabled.

BouncyCastle FIPS 140-2 is more restrictive than IBM Java when running in FIPS mode. Some of the restrictions that apply when using BouncyCastle FIPS are listed below:

  • System key sizes less than 2048 bits are not supported.
  • When generating system keys, only 2048-bit and 3072-bit keys are supported in FIPS mode.
  • PKCS12 is not supported in FIPS mode. JKS and BCFKS are supported, but the Tomcat keystore must be in BCFKS format.
  • The following PGP protocols are not supported:
    • El Gamal, CAST5, MD2, MD5, RipeMD
  • Many SSL ciphers are not supported when running in BouncyCastle FIPS mode. When running in BouncyCastle FIPS 140 mode, the list of supported SSL ciphers is displayed in the catalina.out file.

Note: Because the MFT fips script updates the java.security file, it is important that MFT is the only application that uses this Java installation. If necessary, we suggest installing a Java version that only MFT uses. To run TIBCO MFT Command Center and TIBCO MFT Internet Server in different FIPS modes, a separate Java installation is required for each one.
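
A pre-flight check for the keystore-format restriction listed above, as an added example that is not part of the MFT or BouncyCastle distributions. It classifies a keystore from its header bytes only; the function names, the "BCFKS-candidate" label and the sample bytes are assumptions made here, and the result is a heuristic that should be confirmed by loading the keystore with the BCFKS provider.

```python
import struct

# Leading magic numbers of the binary Java keystore formats.
MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}

def _content_offset(buf: bytes, pos: int) -> int:
    """Offset of the content octets of the ASN.1 TLV that starts at pos."""
    first_len = buf[pos + 1]
    if first_len < 0x80:                 # short-form length: a single octet
        return pos + 2
    return pos + 2 + (first_len & 0x7F)  # long form (0 octets = BER indefinite)

def keystore_format(data: bytes) -> str:
    """Classify keystore bytes from the header alone (no password needed)."""
    if len(data) < 8:
        return "unknown"
    name = MAGIC.get(struct.unpack(">I", data[:4])[0])
    if name:
        return name
    if data[0] != 0x30:                  # neither a magic number nor an ASN.1 SEQUENCE
        return "unknown"
    inner = _content_offset(data, 0)
    if data[inner:inner + 3] == b"\x02\x01\x03":
        return "PKCS12"                  # a PFX begins with version INTEGER 3
    if data[inner:inner + 1] == b"\x30":
        return "BCFKS-candidate"         # ASN.1 store whose first element is a SEQUENCE
    return "unknown"

def allowed_in_bc_fips(fmt: str, tomcat: bool) -> bool:
    """Page rule: PKCS12 never; JKS or BCFKS, but the Tomcat keystore must be BCFKS."""
    if fmt == "BCFKS-candidate":
        return True
    return fmt == "JKS" and not tomcat

# Constructed header samples for illustration (not real keystores).
SAMPLES = {
    "jks": bytes.fromhex("feedfeed0000000200000000"),
    "p12": bytes.fromhex("30820a00020103308209c6"),
    "p12_ber": bytes.fromhex("3080020103308006"),
    "bcfks": bytes.fromhex("3082050030820400300d0609"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        fmt = keystore_format(blob)
        print(label, fmt, "tomcat-ok" if allowed_in_bc_fips(fmt, True) else "tomcat-reject")
```

To check a real file, pass the first few bytes of it, for example `keystore_format(open(path, "rb").read(16))`.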