10.6 FIPS Support

Perform the steps described in this section to install the JAR files that support the FIPS 140-2 standard and to make JsafeJCE the default cryptography provider in Oracle Database:

Installing and Uninstalling FIPS Classes

The following script, run as SYS, installs the FIPS classes in the Oracle JVM:

$ORACLE_HOME/javavm/install/install_fips.sql

The following script, run as SYS, uninstalls the FIPS classes from the Oracle JVM:

$ORACLE_HOME/javavm/install/deinstall_fips.sql

Enabling FIPS

To enable FIPS in the applicable application, call the insertProviderAt() method in the following way:

Security.insertProviderAt(new com.rsa.jsafe.provider.JsafeJCE(), 1);

Note:

You must call this method prior to calling any cryptographic method. A JCE object obtained before the call (for example, a cached Cipher or MessageDigest instance) stays bound to the provider it was created with, so inserting JsafeJCE later does not move that object onto the FIPS provider.

Inserting the provider at position 1 also makes JsafeJCE the preferred provider for the application. If you are a non-SYS user, ensure that you have the following permission to execute the Security.insertProviderAt() method:

call dbms_java.grant_permission( '<schema_name>', 'SYS:java.security.SecurityPermission',
 'insertProvider', '' );

Where <schema_name> is the name of the schema that calls the FIPS application.
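The following script is an added example and is not part of the original page or of Oracle's own scripts. It ties the steps above together: the grant that a non-SYS schema needs, a Java stored procedure that registers JsafeJCE at position 1 and then reports which provider actually served a SHA-256 digest, and a PL/SQL call specification so the check can be run from SQL. The schema name FIPSAPP, the class name FipsCheck and the function name fips_provider are assumptions chosen for the example; the FIPS classes must already have been installed with install_fips.sql.

```sql
-- Added example, not part of the original page. Assumes the FIPS classes are
-- installed and that FIPSAPP is the schema that will call the FIPS code.

-- Step 1 (run as SYS): grant the permission that Security.insertProviderAt() checks.
CALL dbms_java.grant_permission('FIPSAPP', 'SYS:java.security.SecurityPermission',
                                'insertProvider', '');

-- Step 2 (run as FIPSAPP): compile the Java source inside the Oracle JVM.
CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "FipsCheck" AS
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Security;

public class FipsCheck {
    // Register JsafeJCE as the highest-priority provider. This must happen
    // before any JCE object is obtained. insertProviderAt() returns -1 and
    // changes nothing if the provider is already registered, so calling it
    // on every entry point is harmless.
    public static void enableFips() {
        Security.insertProviderAt(new com.rsa.jsafe.provider.JsafeJCE(), 1);
    }

    // Hash the input and return the name of the provider that served the
    // digest. Anything other than "JsafeJCE" means FIPS mode did not take
    // effect (provider inserted too late, or the permission grant is missing).
    public static String providerForSha256(String input)
            throws NoSuchAlgorithmException {
        enableFips();
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(input.getBytes(StandardCharsets.UTF_8));
        byte[] digest = md.digest();
        return md.getProvider().getName() + " (" + (digest.length * 8) + "-bit digest)";
    }
}
/

-- Step 3 (run as FIPSAPP): PL/SQL call specification for the Java method.
CREATE OR REPLACE FUNCTION fips_provider(p_input IN VARCHAR2) RETURN VARCHAR2 AS
LANGUAGE JAVA NAME 'FipsCheck.providerForSha256(java.lang.String) return java.lang.String';
/

-- Step 4: verify. The expected answer is "JsafeJCE (256-bit digest)".
SELECT fips_provider('probe') AS provider FROM dual;
```

If the query reports a different provider name (for example SUN), the application obtained its JCE object before the insert, or the insertProvider permission has not been granted to the calling schema; in the latter case the Java call fails with a security exception rather than silently falling back. Keep the SYS grant separate from the schema's own code so that the permission is reviewed by an administrator rather than bundled into the application deployment.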

Loading Scripts

The $ORACLE_HOME/javavm/install/install_fips.sql script grants read permission on the jcmFIPS.jar file to enable the FIPS JAR verification for the provider. Subsequently, the following FIPS JAR files are loaded and PUBLIC synonyms are created:

$ORACLE_HOME/jlib/cryptojce.jar
$ORACLE_HOME/jlib/cryptojcommon.jar
$ORACLE_HOME/jlib/jcmFIPS.jar

Loading Considerations

You must keep the following points in mind in a typical loading process:

  • All scripts must be run as SYS.
  • If you are working in a multitenant environment, then you must load the java.security.alt file into the CDB$ROOT first. After you configure the CDB$ROOT, you can load the PDBs in parallel, if desired.

Working in a Multitenant Environment

Use the following command to install the FIPS classes in all the containers:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspassword> -b install_fips -d $ORACLE_HOME/javavm/install install_fips.sql

Note:

The log files created are of the form install_fips[01..].log. You must check every log file for errors (for example, ORA- messages or Java compilation failures) before relying on the installation. Passing the password on the command line as sys/<syspassword> exposes it in the process list and shell history; supply only the user name (-u sys) and catcon.pl prompts for the password.

Use the following command to install the FIPS classes in a particular PDB, say PDB1:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspassword> -c 'CDB$ROOT PDB1'
 -b install_fips -d $ORACLE_HOME/javavm/install install_fips.sql

Use the following command to uninstall the FIPS classes from all the containers:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspassword> -b deinstall_fips
 -d $ORACLE_HOME/javavm/install deinstall_fips.sql

Note:

The log files created are of the form deinstall_fips[01..].log. You must check every log file for errors.

Use the following command to uninstall the FIPS classes from a particular PDB, say PDB1:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspassword> -c 'PDB1'
 -b deinstall_fips -d $ORACLE_HOME/javavm/install deinstall_fips.sql

Note:

To remove the FIPS classes from the Oracle JVM completely, add CDB$ROOT to the -c list in the preceding command.