|
| 1 | +# Enable FIPS 140-2-compliant mode |
| 2 | + |
| 3 | +The [FIPS 140-2 standard](https://csrc.nist.gov/publications/detail/fips/140/2/final) is a standard created by the National Institute of Standards and Technology’s (NIST’s) Computer Security Division. It defines the requirements for cryptographic modules used to protect sensitive information in computer and telecommunication systems. |
| 4 | +See [FIPS 140-2 compliance reference]({{base_path}}/references/compliance/fips) for more information. |
| 5 | + |
| 6 | +From IS 6.2.0 release onwards, the Identity server supports running in a FIPS 140-2-compliant mode. When setting up in FIPS 140-2-compliant mode, the identity server uses the [Bouncy Castle FIPS Java API](https://www.bouncycastle.org/fips-java/). |
| 7 | + |
| 8 | +FIPS 140-2-compliant mode is turned off by default on the Identity Server. |
| 9 | + |
| 10 | +To enable FIPS 140-2 compliant mode on the Identity Server: |
| 11 | + |
| 12 | +1. Shut down the Identity Server instance if it's running. |
| 13 | +2. Open a terminal, navigate to `<IS_HOME>/bin/` folder, and execute the following one of the following commands: |
| 14 | + |
| 15 | + === "Linux/MacOS" |
| 16 | + ``` |
| 17 | + sh fips.sh |
| 18 | + ``` |
| 19 | + |
| 20 | + === "Windows" |
| 21 | + ``` |
| 22 | + fips.bat run |
| 23 | + ``` |
| 24 | + |
| 25 | + !!! note "Important" |
| 26 | + You should run the `fips.sh` script everytime you take an update of the WSO2 Identity Server. |
| 27 | + |
| 28 | +3. Add the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. |
| 29 | + |
| 30 | + ``` toml |
| 31 | + [jce_provider] |
| 32 | + provider_name = "BCFIPS" |
| 33 | + ``` |
| 34 | + |
| 35 | +4. Restart the WSO2 Identity Server. |
| 36 | + |
| 37 | +!!! info "Disable FIPS 140-2 compliant mode" |
| 38 | + If you need to disable the FIPS 140-2 compliant mode after enabling it: |
| 39 | + |
| 40 | + 1. Shut down the Identity Server instance if it's running. |
| 41 | + 2. Open a terminal, navigate to `<IS_HOME>/bin/` folder, and execute the following one of the following commands: |
| 42 | + |
| 43 | + === "Linux/MacOS" |
| 44 | + ``` |
| 45 | + sh fips.sh DISABLE |
| 46 | + ``` |
| 47 | + |
| 48 | + === "Windows" |
| 49 | + ``` |
| 50 | + fips.bat DISABLE |
| 51 | + ``` |
| 52 | + |
| 53 | + 3. In the `<IS_HOME>/repository/conf/deployment.toml` file, perform any of the following actions to disable the FIPS compliant mode: |
| 54 | + |
| 55 | + - Remove the `[jce_provider]` configuration, which was added when enabling this feature. |
| 56 | + - Add the following configuration to `<IS_HOME>/repository/conf/deployment.toml` file instead of removing the configuration. |
| 57 | + |
| 58 | + ``` toml |
| 59 | + [jce_provider] |
| 60 | + provider_name = "BC" |
| 61 | + ``` |
| 62 | + |
| 63 | + 4. Restart the WSO2 Identity Server. |
| 64 | + |
| 65 | + |
| 66 | +!!! note "Running the fips.sh script" |
| 67 | + You can use the `fips.sh` script with the following arguments according to your requirements: |
| 68 | + |
| 69 | + - Without parameters |
| 70 | + - Without arguments |
| 71 | + - Command - `sh fips.sh` |
| 72 | + - Running the script without arguments will download the `bc-fips` and `bcpkix-fips` jars from the public maven repository. |
| 73 | + - With `-f` argument |
| 74 | + - Command - `sh fips.sh -f {file_path_to_fips_jars}` |
| 75 | + - If you have already downloaded the `bc-fips` and `bcpkix-fips` jars to a local directory, you can run the script with `-f` followed by the local directory path for the script to obtain the jars. |
| 76 | + - With `-m` argument |
| 77 | + - Command - `sh fips.sh -m {base_path_to_local_maven}` |
| 78 | + - Running the script with `-m` followed by the base path to the local maven directory will download the `bc-fips` and `bcpkix-fips` jars from the local maven repository. |
| 79 | + - With parameters |
| 80 | + - `VERIFY` parameter |
| 81 | + - Command - `sh fips.sh VERIFY` |
| 82 | + - Using the verify parameter you can check whether the product pack is FIPS compliant or not. |
| 83 | + - `DISABLE` parameter |
| 84 | + - Command - `sh fips.sh DISABLE` |
| 85 | + - Using the disable parameter, you can disable the FIPS-compliant mode. |
0 commit comments