8 FIPS 140 Support in Oracle Fusion Middleware

This chapter describes Oracle Fusion Middleware support for FIPS 140.

This chapter contains these topics:

8.1 About the FIPS Standard

Federal Information Processing Standards (FIPS) are a series of standards established by the US National Institute of Standards for Technology (NIST) for use in evaluating the security of computer systems and networks.

One of the FIPS standards, FIPS 140-2, specifies the security requirements that must be met by a cryptographic module to protect sensitive information. The standard provides four increasing, qualitative levels of security to cover the wide range of potential applications and environments in which cryptographic modules may be employed.


In the remainder of this chapter, the term 'FIPS 140' refers to the FIPS 140-2 standard.

8.2 About FIPS 140-2 in Oracle Fusion Middleware Release 12c (12.2.1)

Oracle Fusion Middleware Release 12c (12.2.1) supports the use of FIPS 140-2-enabled cryptographic libraries.

The ability to operate in FIPS 140 mode is not a generic, product suite-wide claim. Instead, it is specific to a defined set of scenarios and transactions supported by relevant Oracle Fusion Middleware 12c (12.2.1) product components. It applies where validated cryptography is used to support or enforce security-sensitive tasks such as authentication, authorization, confidentiality, integrity, and so on.

The use of cryptographic services for other tasks that are non-security sensitive does not require FIPS 140 compliance. Oracle Fusion Middleware 12c (12.2.1) supports enabling FIPS 140 mode for security-sensitive scenarios while complying and co-existing with product functionality that does not require operating in that mode.

8.2.1 About FIPS 140-2 Validated Libraries

To support FIPS 140 operation, Oracle Fusion Middleware 12c (12.2.1) includes FIPS 140-validated RSA libraries from RSA, the Security Division of EMC (RSA). Algorithms not approved under FIPS 140 are disabled within the RSA libraries.

The libraries are based on RSA version 6.1 BSAFE and JCE software and include the following modules:

  • Crypto-J V6.1.1

  • SSL-J V6.1.2

  • Cert-J V6.1.1


These are the FIPS 140-certified library and module versions at the time of publication. The actual versions in effect at your installation could be slightly different from the ones listed here, as the vendor may issue some patches between certification and the time the product actually shipped. Thus the actual version could be a dot release of the certified version.

The version number is for information only; you can do any independent verification of certification and strength of algorithms.

For background about the FIPS 140 standards and algorithms, refer to the FIPS 140-2 documentation at:


8.2.2 About Provider and Algorithm Selection

FIPS 140 implementation in Oracle Fusion Middleware occurs in the context of the Java platform's Java Cryptography Architecture (JCA). To accommodate the co-existence of FIPS 140-validated algorithms for security-sensitive tasks as well as algorithms for other tasks, additional cryptographic providers are also configured to provide functionality not supported in FIPS 140-validated RSA libraries, and for certain non-compliant cryptographic functions such as MD5, which are disabled within the FIPS 140-validated RSA libraries.

The basic flow is as follows:

  • An application (for example, an external web client or Oracle HTTP Server) requests a service or connection to a server such as WebLogic Server. The request typically involves a "payload" such as a data packet to be transmitted.

  • JCA evaluates the request to determine whether FIPS 140 compliance is required.

  • The request is routed to JCA's "provider" framework, which contains a set of (FIPS 140-compliant and non-compliant) providers for digital signatures, message digests (hashes), certificates, and certificate validation, encryption, and other cryptographic services.

  • The providers are searched in preference order and the implementation from the first provider that supplies the correct algorithm is returned. For the security-sensitive cases, only FIPS 140 compliant algorithms are used to execute the cryptographic operations.

Figure 8-1 illustrates this flow:

Figure 8-1 Selecting a FIPS 140 Provider

Surrounding text describes Figure 8-1 .
  • The first request, on the left, is made in a security-sensitive scenario. JCA uses the SHA-256 provider from the RSA cryptographic library to process the request and deliver the FIPS 140 payload.

  • The second request, on the right, is executed in a non-sensitive scenario. JCA uses the MD5 provider from the non-cryptographic library to process the request with the non-FIPS 140 payload.

Thus, a security-sensitive scenario such as HTTPS/TLS inbound and outbound communication which is intended to be FIPS 140-compliant uses only those cryptographic functions available in the FIPS 140-validated RSA libraries to encrypt and sign HTTPS/TLS network payloads.

8.3 Components with FIPS 140 Support

When you plan to work with FIPS 140 in Oracle Fusion Middleware, be aware of the different components at various layers of the middleware stack where certain features may operate in FIPS 140 mode. If any component in the stack is operating in non-FIPS 140 mode, the transaction may not be FIPS 140-compliant. It is therefore important to ensure that all relevant components are operating in FIPS 140 mode.

Table 8-1 lists the components where you can enable FIPS 140, and contains the following details:

  • The Oracle Fusion Middleware layer where the component resides;

  • the component name

  • the scenario which can be FIPS 140-enabled

  • cross-reference to product documentation for details, including how to enable or disable FIPS 140, other relevant configuration details, and what product functions support the use of FIPS 140-validated cryptography.


Not all features of each listed component are FIPS 140-compliant. Only the specified features support FIPS 140.

Table 8-1 Components with FIPS 140-2 Support in Oracle Fusion Middleware

Component Layer Component Feature Details

Fusion Middleware Core

Oracle HTTP Server

  • TLS Inbound (HTTPS)

  • TLS Outbound from OHS to any web, proxy or application server using OHS SSL proxy (mod_proxy, mod_ossl)

Note: For outbound connections from OHS to WLS, FIPS must be enabled at WebLogic (for inbound connections) to enable FIPS communication between OHS and WLS.

These topics in Administrator's Guide for Oracle HTTP Server:


Oracle WebLogic Server

  • TLS inbound: HTTPS, T3S, JMX/T3S, JMS

  • TLS outbound: HTTPS, T3S, JMX/T3S, JMS, JDBC (Oracle RDBMS)

  • Database Connections (through Data Source)

"Enabling FIPS Mode" in Administering Security for Oracle WebLogic Server 12c (12.2.1)

"Use the SHA-256 Secure Hash Algorithm" in Securing WebLogic Web Services for Oracle WebLogic Server

"Using Encrypted Connection Properties" in Administering JDBC Data Sources for Oracle WebLogic Server


Oracle Platform Security Services

  • Keystore Service

  • Credential Store Service

"FIPS Support in OPSS" in Securing Applications with Oracle Platform Security Services


Oracle Web Services Manager

  • Message protection

  • Token signature

"Supported Algorithm Suites" in Securing Web Services and Managing Policies with Oracle Web Services Manager


Oracle SOA Suite

  • JCA Adapter for Files/FTP

  • JCA Adapter for Database

  • JCA Adapter for JMS

  • Service Bus

"About FIPS Compliance for the SFTP Transport" in Developing Services with Oracle Service Bus

"Enabling FIPS Compliance in Oracle File and FTP Adapters" in Understanding Technology Adapters


Oracle Traffic Director

NZ Integration


Oracle Database

  • Database in FIPS 140-2 mode

"Oracle Database FIPS 140-2 Settings" in Oracle Database Security Guide


Database is included for reference. Consult the certification matrix for supported versions and other details.

8.4 Common Scenarios for an Operational FIPS 140-2 Environment

Table 8-1 listed the components in Oracle Fusion Middleware with FIPS 140-2 features. Table 8-2 lists typical protocols for each component scenario:


These are representative scenarios - the table is not intended to provide a comprehensive listing of all possible scenarios.

Table 8-2 FIPS 140-2 Scenarios

Feature or Connection Communication Protocol Signature Algorithm/Protocol Details

Inbound connection from an external web client or application to Oracle HTTP Server

  • HTTPS (Client Access to OHS)

  • SOAP-TLS (Server to Server Communication)

HTTPS Server (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)

Outbound connection from Oracle HTTP Server to Oracle WebLogic Server

  • HTTPS (OHS to HTTP Servlet in WLS) for end-end SSL with external SSL termination in OHS.

HTTPS Client (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)

Inbound connection from an external web client or application to Oracle WebLogic Server

  • HTTPS (Client Access to HTTP Servlet)

  • SOAP-TLS (Server to Server Communication)

HTTPS Server (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)

Outbound connection from Oracle WebLogic Server to an external web, proxy or application server

  • HTTPS (WLS to an external HTTPS server)

  • SOAP-TLS (Server to Server Communication)

HTTPS Client (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)

Outbound connection from Oracle WebLogic Server to Oracle Database 11gR2

  • DB-TLS-jdbc (WebLogic to Database Communication)

JDBC (TLS, Mutual Authentication, RSA-2048 with SHA-256 X.509 Certificates, AES-256 Bulk Data Encryption)

XML Message Protection (XML Signing) for SOAP messages using Oracle Web Services Manager

  • SOAP-MsgSec

XML Signature (Basic256Sha256, Basic256Sha256Rsa15); Entire Body, Include SwA Attachment

XML Message Protection (XML Encryption) for SOAP messages using Oracle Web Services Manager

  • SOAP-MsgSec

XML Signature (Basic256Sha256, Basic256Sha256Rsa15); Entire Body, Include SwA Attachment

Inbound JMS connection to Oracle WebLogic Server

  • JMS traffic is secure in flight


Outbound JMS connection from Oracle WebLogic Server

  • JMS traffic is secure in flight


Secure JNDI lookups from deployed components




Secure administrator access to servers

  • WLST traffic to WLS server is secure in flight


Keystore and Certificate Generation

  • Encryption

  • Key Exchange

RSA 2048, AES 256, SHA-2

Hashing Algorithms, Password-Based Encryption

  • Hashing

  • Encryption


Oracle Service Bus for SOA service-based components

SFTP transport for service types:

  • Messaging

  • Any XML

Public Key Algorithm (diffie-hellman-group14-sha1)

Key Exchange Algorithm (ssh-rsa)

Managed File Transfer (MFT)

  • Key exchange

  • Ciphers

  • Message Authentication

File transports:

  • SFTP


  • PGP

  • JCA Transport

Typical algorithms

  • DHG14

  • AES128CBC, TripleDESCBC


  • RSA, DSA

  • Diffie-hellman-group14-sha1

JCA Adapters

File Transfer Protocol

  • diffie-hellman-group14-sha1

  • ssh-rsa


Unless otherwise indicated, all component servers are at Release 12c (12.2.1)

8.5 Troubleshooting FIPS 140 Issues

This section explains how to troubleshoot issues encountered with FIPS 140 configuration. It contains these topics:

8.5.1 FIPS 140 Troubleshooting for Stand-alone WebLogic Server

Take the following steps to troubleshoot FIPS 140 mode for a stand-alone Oracle WebLogic Server:

During WebLogic Server Configuration

  1. Make sure to prepend the server CLASSPATH with jcmFIPS.jar and sslj.jar.

  2. To explicitly verify *AES_256* cipher suites, update the local_policy.jar and US_export_policy.jar in the JAVA_HOME/jre/lib/security directory with the corresponding file with unlimited strength.

  3. Modify JAVA_HOME/jre/lib/security/java.security by putting security.provider.1=com.rsa.jsafe.provider.JsafeJCE and security.provider.2=com.rsa.jsse.JsseProvider on top of the list.

During Data Source Configuration

Make sure that the value of the DataSource property oracle.net.ssl_version is set to 1.0.

Note: oracle.net.ssl_version is an optional Oracle WebLogic Server DataSource configuration property. A value of 1.0 represents connection through TLS v 1.0 Protocol.

8.5.2 FIPS 140 Troubleshooting for Oracle Platform Security Services

This section describes some troubleshooting tips in Oracle Platform Security Services (OPSS).

During WebLogic Domain Creation

You may see the following exceptions in wlsconfig_xxxxx.log during domain creation in FIPS 140 mode:

"CFGFWK-60455: The password
must be at least 8 alphanumeric characters with at least one number or
special character."
"Caused by: java.lang.NoSuchMethodError:

This exception may occur if you are using cryptoJ 5 jars. Make sure you have installed Oracle WebLogic Server with cryptoJ 6 jars to avoid this error.

When Exporting from Domain Keystore

If you are using JKS and JCEKS type keystores in a FIPS 140-enabled domain, and see the following error:

Command FAILED, Reason:
 oracle.security.jps.service.keystore.KeyStoreServiceException: Failed to export the keystore 

make sure that you have configured the following providers in the java.security file:


8.5.3 FIPS 140 Troubleshooting for Oracle Web Services Manager

This section describes tips for issues originating in Oracle Web Services Manager.

During Message Protection Policy Enforcement

If you see this error during Oracle Web Services Manager message protection policy enforcement:

Caused by: java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: MD5
       at com.rsa.cryptoj.o.cc.b(Unknown Source)
       at com.rsa.cryptoj.o.cc.f(Unknown Source)

make sure that certificates used in message protection enforcement are generated using FIPS 140-compliant algorithms like SHA1WithRSA or SHA256WithRSA.

If you encounter this error for the JKS keystore during message protection policy enforcement:

oracle.fabric.common.PolicyEnforcementException: WSM-00143 : Failure creating Java Keystore instance for type JKS.

make sure that sun.security.provider.Sun is configured in the JDK.

8.5.4 FIPS 140 Troubleshooting for Database and JDBC Driver

For complete details about security configuration for the database, the JDBC driver, including data source issues related to database, see the white paper "SSL With Oracle JDBC Thin Driver" on the Oracle Technology Network at: