BouncyCastle FIPS Configuration Challenges

BouncyCastle FIPS Certified Cryptography routines can be used with MFT when using Oracle Java, OpenJDK, and IBM Java. The BC FIPS jar has been designed and implemented to meet FIPS 140-2 Level 1 requirements.

Enabling FIPS mode is complex and time consuming. It requires a great deal of planning and testing before being used in a production environment. FIPS mode affects the following MFT components:
  • Accessing the MFT Server through HTTPS
    • Internet Server Transfers
    • Internet Server and Command Center admin pages
  • AS2 Client and Server
    • AS2 System Keys
  • Key authentication for incoming requests
    • HTTPS
    • Platform Server
    • SSH
    • FTPS
  • Key authentication for outgoing requests
    • HTTPS
    • Platform Server
    • SSH
    • FTPS
  • Connecting to partner servers
    • HTTPS
    • Platform Server
    • SSH
    • FTPS
  • PGP processing
    • Encrypting and decrypting data
    • Signing data and verifying signatures

One thing that makes it difficult to implement FIPS is that you may not have control over all of the keys that are used in your system. If a customer is using a PGP private key that is not FIPS compliant (that is, an El Gamal Key), the customer must change to a key that fully supports FIPS; otherwise transfers will fail when FIPS mode is enabled. Likewise, if you connect to a partner's SSH Server that uses a 1024-bit key, connections to the server will fail when running in FIPS mode.

So you must make local changes to support FIPS mode and your transfer partners must also make changes to support FIPS mode. This must be done before enabling FIPS mode.