Was WildFly evaluated for FIPS? No, we are just giving users the opportunity to configure and operate the Credential Store in a compliant way.
Configuration
To set up the Credential Store in a FIPS compliant way we need a FIPS compliant key store first. This will be used to hold an encryption key, and the Credential Store implementation will use it to encrypt/decrypt the data needed to restore credentials from the storage file.
FIPS 140-2 compliant key store
There are several possibilities to get a FIPS compliant key store; this is just one of them. I will use the Sun PKCS#11 provider accessing an NSS DB. More details can be looked up here.
Modify the $JAVA_HOME/jre/lib/security/java.security file so that the provider is in the first position:
security.provider.1=sun.security.pkcs11.SunPKCS11 /opt/ora/jdk1.8.0_fips/jre/lib/security/nss_pkcs11_fips.cfg
Move all the other providers down one position.
The content of the nss_pkcs11_fips.cfg file is as follows:
name = testPkcs
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /home/pskopek/fipsdb
nssDbMode = readWrite
nssModule = fips
Note the nssSecmodDirectory option, which points to the NSS DB directory. You might want to have it elsewhere. Note the name option too.
We also need to modify, in $JAVA_HOME/jre/lib/security/java.security, the provider called com.sun.net.ssl.internal.ssl.Provider so that it uses the PKCS#11 key store we are configuring right now (this is not necessary, but it might help later when you try to configure HTTPS/SSL).
The resulting row should look like:
security.provider.5=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-testPkcs
The next step is to initialize the NSS DB:
mkdir fipsdb
modutil -force -dbdir fipsdb -create
modutil -force -dbdir fipsdb -fips true
modutil -force -dbdir fipsdb -changepw "NSS FIPS 140-2 Certificate DB"
Just remember to set the password to "pass123+", as we use it in this example.
Make sure that the "fipsdb" directory is actually the same as the one referenced by nssSecmodDirectory in the nss_pkcs11_fips.cfg configuration file above.
We can use the Java keytool to generate the AES encryption key (alias "cskey") in that key store:
keytool -keystore NONE -storetype PKCS11 -storepass pass123+ -genseckey -alias cskey -keyalg AES -keysize 256
Just be sure you are using the same JRE whose java.security file you have already modified.
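Before moving on to the CLI, a small POSIX shell script (added here as an example; it is not part of WildFly or of the original post) can catch two of the misconfigurations mentioned above: a java.security provider list that was not renumbered after inserting SunPKCS11, and an nssSecmodDirectory that does not match the NSS DB directory. It runs against constructed sample files in a temporary directory rather than the real $JAVA_HOME/jre/lib/security/java.security and nss_pkcs11_fips.cfg.

```shell
#!/bin/sh
# Pre-flight checks for the pitfalls this walkthrough warns about: the provider
# list in java.security must be renumbered after inserting SunPKCS11 at
# position 1, and nssSecmodDirectory in the .cfg must point at the NSS DB you
# initialised. All files below are constructed samples written to a temp dir.

# Print the value of "key = value" from a SunPKCS11 .cfg file.
cfg_value() {  # $1 = cfg file, $2 = key
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds when nssSecmodDirectory in the cfg equals the NSS DB directory $2.
check_secmod_dir() {  # $1 = cfg file, $2 = NSS DB directory
  [ "$(cfg_value "$1" nssSecmodDirectory)" = "$2" ]
}

# Succeeds when security.provider.1 is SunPKCS11 and the provider numbers
# form an unbroken 1..N sequence (no duplicate or skipped positions).
check_provider_order() {  # $1 = java.security file
  first=$(sed -n 's/^security\.provider\.1=\([^ ]*\).*/\1/p' "$1" | head -n 1)
  [ "$first" = "sun.security.pkcs11.SunPKCS11" ] || return 1
  nums=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tr '\n' ' ')
  n=0; expected=""
  for i in $nums; do n=$((n + 1)); expected="$expected$n "; done
  [ "$nums" = "$expected" ]
}

tmp=$(mktemp -d)
cat > "$tmp/nss_pkcs11_fips.cfg" <<'EOF'
name = testPkcs
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /home/pskopek/fipsdb
nssDbMode = readWrite
nssModule = fips
EOF
# Correctly renumbered provider list (constructed sample).
cat > "$tmp/java.security.good" <<'EOF'
security.provider.1=sun.security.pkcs11.SunPKCS11 /opt/ora/jdk1.8.0_fips/jre/lib/security/nss_pkcs11_fips.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
EOF
# SunPKCS11 inserted but the old provider.1 was left in place (constructed sample).
cat > "$tmp/java.security.bad" <<'EOF'
security.provider.1=sun.security.pkcs11.SunPKCS11 /opt/ora/jdk1.8.0_fips/jre/lib/security/nss_pkcs11_fips.cfg
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
EOF

check_secmod_dir "$tmp/nss_pkcs11_fips.cfg" /home/pskopek/fipsdb && echo "nssSecmodDirectory matches"
check_provider_order "$tmp/java.security.good" && echo "provider order OK"
check_provider_order "$tmp/java.security.bad" || echo "provider order broken: renumber the remaining providers"
```

Point the two functions at the real files (and the real NSS DB directory) to run the same checks on your JRE.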
Credential Store
The CLI command to create a credential store named "fips":
/subsystem=elytron/credential-store=fips:add(modifiable=true, location=data.store, relative-to=jboss.server.data.dir, implementation-properties={"keyStoreType"=>"PKCS11","external"=>"true","keyAlias"=>"cskey"},credential-reference={clear-text="pass123+"}, create=true)
We can add an alias to see if it works:
/subsystem=elytron/credential-store=fips:add-alias(alias="myfipsalias", secret-value="supersecret")
Here comes the check:
/subsystem=elytron/credential-store=fips:read-aliases()