36 Enabling FIPS Mode

Learn how to enable FIPS 140-2 mode in Oracle WebLogic Server.

FIPS Overview

The Federal Information Processing Standards (FIPS) 140-2 is a standard that describes U.S. Federal government requirements for sensitive but unclassified use.

You can enable a FIPS compliant (FIPS 140-2) implementation of WebLogic Server by using the Jipher JCE and SunJSSE providers, or by using the Dell JSSE and Dell JCE providers in FIPS mode.

For supported versions of FIPS, see Supported FIPS Standards and Cipher Suites.

Note:

In addition to using the Dell JSSE and Dell JCE providers in FIPS mode as described in this section, you can also use them in non-FIPS mode. For example, you might want to use a particular encryption algorithm that is unique to the Dell JSSE provider.

See the following topics:

See FIPS-140 Support in Oracle Fusion Middleware in Administering Oracle Fusion Middleware for detailed information about Oracle Fusion Middleware support for FIPS.

Enabling FIPS Mode with Jipher JCE and SunJSSE Providers

Create a FIPS-compliant implementation of WebLogic Server with a combination of the Jipher JCE provider and the SunJSSE provider.

Note:

The April 2026 Patch Set Update (PSU) added support for the Jipher JCE provider.

You can enable FIPS 140-2 mode by either creating your own java.security file and specifying Java options from the command line or by editing the installed JDK java.security file.

Enabling FIPS Mode From Java Options with Jipher

You can enable FIPS 140-2 mode with the Jipher JCE and SunJSSE providers using Java security files and specifying Java options on the command line.

Note:

Support for the Jipher JCE provider was added in the April 2026 Patch Set Update (PSU).

  1. Create your own java.security file. You can use the one that comes with the installed JDK as a guide.
  2. Add the Jipher JCE provider as the first Java security provider listed in your java.security properties file. Move the rest of the providers down one position:
    security.provider.1=com.oracle.jipher.provider.JipherJCE
    security.provider.2=SunJSSE
    security.provider.3=SUN
  3. Add keystore.type=pkcs12 in your java.security properties file to block non-PKCS12 type keystores. If your environment does not use JKS, then remove the keystore.type=jks property.

    For strict FIPS compliance, you should only be using PKCS12 keystores. However, if blocking JKS keystores would cause issues, keep the keystore.type=jks property and, when starting WebLogic Server, set -Dweblogic.security.fips140strictkeystores=false, which allows WebLogic Server to use non-PKCS12 keystores.

    When feasible, consider converting any JKS keystores. See Converting a Non-FIPS Compliant Keystore Using the Jipher JCE Provider for instructions.

  4. On the WebLogic Server start command line, set -Djava.security.properties to override the default configuration in the java.security file and -Dweblogic.security.fips140strictkeystores=true to prevent WebLogic Server from using any non-PKCS12 type keystores (unless you are using JKS keystores, as noted above).

    For -Djava.security.properties, specify the full file path to your custom java.security file. For example:

    set JAVA_OPTIONS="-Djava.security.properties=C:\Users\user\java.security -Dweblogic.security.fips140strictkeystores=true"
    

    Note:

    Use a single equal sign (=) to specify a filename if you want the java.security properties to be appended to the installed JRE security properties. Use two equal signs (==) if you want to override all the Java security properties, for instance, -Djava.security.properties==C:\Users\user\java.security.
  5. Start WebLogic Server.

Enabling FIPS 140-2 Mode From java.security

You can enable FIPS 140-2 mode from the installed JDK java.security file.

Note:

Support for the Jipher JCE provider was added in the April 2026 Patch Set Update (PSU).

  1. Edit the java.security file to add the Jipher JCE provider as the first Java security provider listed in the java.security properties file. Move the rest of the providers down a position:
    security.provider.1=com.oracle.jipher.provider.JipherJCE
    security.provider.2=SunJSSE
    security.provider.3=SUN
  2. Add keystore.type=pkcs12 to block non-PKCS12 type keystores. If your environment does not use JKS, then remove the keystore.type=jks property.

    For strict FIPS compliance, you should only be using PKCS12 keystores. However, if blocking JKS keystores would cause issues, keep the keystore.type=jks property and, when starting WebLogic Server, set -Dweblogic.security.fips140strictkeystores=false, which allows WebLogic Server to use non-PKCS12 keystores.

    When feasible, consider converting any JKS keystores. See Converting a Non-FIPS Compliant Keystore Using the Jipher JCE Provider for instructions.

  3. If you are not using JKS keystores, then on the WebLogic Server start command line, set weblogic.security.fips140strictkeystores=true to prevent WebLogic Server from using any non-PKCS12 type keystores.
    set JAVA_OPTIONS=-Dweblogic.security.fips140strictkeystores=true
    
  4. Start WebLogic Server.

Enabling FIPS Mode with Dell JCE and Dell JSSE Providers

Create a FIPS-compliant implementation of WebLogic Server using a combination of the Dell JCE and Dell JSSE providers.

You can enable FIPS 140-2 mode by either creating your own java.security file and then specifying Java options from the command line, or by editing the installed JDK java.security file.

Enabling FIPS 140-2 Mode From Java Options

You can enable FIPS 140-2 mode using Java security files and specifying Java options on the command line.

Note:

The Dell JCE and Dell JSSE providers were previously known as RSA JCE and RSA JSSE, respectively.

To enable FIPS 140-2 mode from Java options, follow these steps:

  1. Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK. These Java policy JAR files affect cipher key sizes greater than 128 bits.
    https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
    

    Open the .ZIP distribution and update local_policy.jar and US_export_policy.jar in JAVA_HOME/jre/lib/security . See the README.txt file in the .ZIP distribution for more information and installation instructions.

    Note:

    You can skip this step if you are running WebLogic Server on JDK 8u161 or later. On JDK 8u161 and later, stronger cryptographic algorithms are available by default.
  2. Create your own java.security file. You can use the one that comes with the installed JDK as a guide.

    Add both the Dell JCE provider and the Dell JSSE provider as the first two Java security providers listed in your java.security properties file:

    security.provider.1=com.rsa.jsafe.provider.JsafeJCE
    security.provider.2=com.rsa.jsse.JsseProvider
    security.provider.3=sun.security.provider.Sun
    ...

  3. Set -Djava.security.properties on the WebLogic Server start command line to override the default configuration in the java.security file. Specify a full file path to your custom java.security file.
    set JAVA_OPTIONS=-Djava.security.properties=C:\Users\user\java.security
    

    Note:

    Use a single equal sign (=) to specify a filename if you want the java.security properties to be appended to the installed JRE security properties. Use two equal signs (==) if you want to override all the Java security properties, for instance, -Djava.security.properties==C:\Users\user\java.security.
  4. Put the jcmFIPS.jar and sslj.jar JAR files (both are in WL_HOME/server/lib/) at the head of the classpath. You can use the PRE_CLASSPATH environment variable to do this.

    (The Dell JCE provider Crypto-J is located in cryptoj.jar and is in the classpath by default.)

    For example, you could set jcmFIPS.jar and sslj.jar in the PRE_CLASSPATH variable before you call the server start script, typically setDomainEnv.cmd/sh, before PRE_CLASSPATH is added to CLASSPATH:

    set PRE_CLASSPATH=%ORACLE_HOME%\wlserver\server\lib\jcmFIPS.jar;%ORACLE_HOME%\wlserver\server\lib\sslj.jar
    cd %ORACLE_HOME%\user_projects\domains\base_domain
    startWebLogic.cmd
    
  5. Start WebLogic Server.

Enabling FIPS 140-2 Mode From java.security

You can enable FIPS 140-2 mode from the installed JDK java.security file.

Note:

The Dell JCE and Dell JSSE providers were previously known as RSA JCE and RSA JSSE, respectively.

The configuration steps are as follows:

  1. Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK. These Java policy JAR files affect cipher key sizes greater than 128 bits.
    https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
    

    Open the .ZIP distribution and update local_policy.jar and US_export_policy.jar in JAVA_HOME/jre/lib/security. See the README.txt file in the .ZIP distribution for more information and installation instructions.

    Note:

    You can skip this step if you are running WebLogic Server on JDK 8u161 or later. On JDK 8u161 and later, stronger cryptographic algorithms are available by default.
  2. Edit the java.security file. Add both the Dell JCE provider and the Dell JSSE provider as the first two Java security providers listed in the java.security properties file:
    security.provider.1=com.rsa.jsafe.provider.JsafeJCE
    security.provider.2=com.rsa.jsse.JsseProvider
    security.provider.3=sun.security.provider.Sun
    ...

  3. Put the jcmFIPS.jar and sslj.jar JAR files (both are in WL_HOME/server/lib/) at the head of the classpath. You can use the PRE_CLASSPATH environment variable to do this.

    (The Dell JCE provider Crypto-J is located in cryptoj.jar and is in the classpath by default.)

    For example, you can set jcmFIPS.jar and sslj.jar in the PRE_CLASSPATH variable before you call the server start script, typically setDomainEnv.cmd/sh, before PRE_CLASSPATH is added to CLASSPATH:

    set PRE_CLASSPATH=%ORACLE_HOME%\wlserver\server\lib\jcmFIPS.jar;%ORACLE_HOME%\wlserver\server\lib\sslj.jar
    cd %ORACLE_HOME%\user_projects\domains\base_domain
    startWebLogic.cmd
    

    Or, you could add jcmFIPS.jar and sslj.jar to the PRE_CLASSPATH variable in the server start script itself.

  4. Start WebLogic Server.
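The following POSIX shell function is an added check, not part of the Oracle documentation: it validates a java.security file against the provider order and keystore.type settings that the Jipher and Dell procedures above call for, so the file can be checked before WebLogic Server is started. It assumes the file path and the provider family ("jipher" or "dell") are passed as arguments.

```shell
#!/bin/sh
# check_fips_java_security FILE FLAVOR
#   FLAVOR is "jipher" (Jipher JCE + SunJSSE) or "dell" (Dell JCE + Dell JSSE).
#   Prints every finding and returns non-zero if FILE does not match the
#   provider order and keystore.type settings from the procedures above.
check_fips_java_security() {
  file=$1; flavor=$2; rc=0
  case $flavor in
    jipher) want1=com.oracle.jipher.provider.JipherJCE; want2=SunJSSE ;;
    dell)   want1=com.rsa.jsafe.provider.JsafeJCE; want2=com.rsa.jsse.JsseProvider ;;
    *) echo "unknown provider flavor: $flavor" >&2; return 2 ;;
  esac
  # Drop comments and blank lines, trim whitespace around keys and values.
  props=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/[[:space:]]*=[[:space:]]*/=/' "$file")
  # In a properties file the last definition of a key wins.
  p1=$(printf '%s\n' "$props" | sed -n 's/^security\.provider\.1=//p' | tail -n 1)
  p2=$(printf '%s\n' "$props" | sed -n 's/^security\.provider\.2=//p' | tail -n 1)
  ks=$(printf '%s\n' "$props" | sed -n 's/^keystore\.type=//p' | tail -n 1 | tr 'A-Z' 'a-z')
  [ "$p1" = "$want1" ] || { echo "FAIL: security.provider.1 is '${p1:-unset}', expected $want1"; rc=1; }
  [ "$p2" = "$want2" ] || { echo "FAIL: security.provider.2 is '${p2:-unset}', expected $want2"; rc=1; }
  # The JDK reads security.provider.1, .2, ... and stops at the first missing
  # number, so a gap left after moving providers down silently drops the rest.
  expect=1
  for n in $(printf '%s\n' "$props" | sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' | sort -n -u); do
    if [ "$n" -ne "$expect" ]; then
      echo "FAIL: security.provider numbering jumps from $((expect - 1)) to $n; providers after the gap are ignored"
      rc=1; break
    fi
    expect=$((expect + 1))
  done
  case $ks in
    pkcs12) ;;
    jks) echo "WARN: keystore.type=jks still allows non-PKCS12 keystores; convert them, or start with -Dweblogic.security.fips140strictkeystores=false"; rc=1 ;;
    *) echo "FAIL: keystore.type is '${ks:-unset}', expected pkcs12"; rc=1 ;;
  esac
  return $rc
}
```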

Verifying JCE When FIPS 140-2 Mode is Enabled

To ensure that JCE verification is enabled when configuring WebLogic Server for FIPS 140-2 mode, set -Dweblogic.security.allowCryptoJDefaultJCEVerification=true in the JAVA_OPTIONS environment variable when you start WebLogic Server.

During normal WebLogic startup, for performance reasons the Dell BSAFE Crypto-J JCE Self-Integrity test is disabled.

Note that setting this environment variable adds additional processing and time to the startup.

Note:

As of the April 2026 Patch Set Update (PSU), you can check the server log to verify that FIPS mode is active and also to see which JCE provider the domain is using. You no longer need to set the -Dweblogic.security.allowCryptoJDefaultJCEVerification=true environment variable.

Creating FIPS 140-2 Compliant Keystores

JKS and PKCS12 keystores created with the keytool utility and using the Sun JSSE provider (the default) may not be fully FIPS compliant. To ensure that your keystores are FIPS 140-2 compliant, you can convert the keystores that you created with the Sun JSSE provider by using the keytool command with the Jipher JCE provider supplied with the WebLogic Server distribution.

Note:

The April 2026 Patch Set Update (PSU) adds support for the Jipher JCE provider.

You can also use the keytool command and specify the Dell JCE provider supplied with the WebLogic Server distribution.

Although you can create a keystore with SunJSSE using FIPS-approved algorithms, if a FIPS-validated crypto implementation is not used, then it is not officially FIPS-compliant.

Also, some environments, such as Java Cloud Service configured with the Oracle Identity Cloud Integrator provider, use the default JKS keystore with CA certificates, cacerts. In these environments, you must convert the JKS keystore to a FIPS compliant PKCS12 keystore using either the Jipher or Dell JCE providers.

As of the April 2026 PSU, you can ensure that only PKCS12 type keystores are allowed by setting the following system property when starting WebLogic Server: weblogic.security.fips140strictkeystores=true and adding keystore.type=pkcs12 to the java.security file.

The following sections provide procedures for completing these steps to ensure your keystores are FIPS compliant:

Converting a Non-FIPS Compliant Keystore Using the Jipher JCE Provider

Using the WebLogic Server distribution classpath, you can convert a non-compliant keystore using the keytool -importkeystore command with the Jipher JCE provider.

To convert a non-compliant keystore using the Jipher JCE provider:

keytool -importkeystore -srckeystore srckeystore \
    -srcstoretype srcstoretype \
    -srcprovidername providername \
    -destkeystore destkeystore \
    -deststoretype PKCS12 -destprovidername JipherJCE \
    -providerclass com.oracle.jipher.provider.JipherJCE \
    -providerpath $CLASSPATH

In this command, provide values for the following parameters:

  • -srckeystore - Name of the source keystore
  • -srcstoretype - Type of source keystore, for example PKCS12
  • -srcprovidername - Name of the source keystore provider. Set to JipherJCE if srcstoretype is PKCS12
  • -destkeystore - Name of the destination keystore
  • -deststoretype - Type of destination keystore. Set to PKCS12 for the Jipher JCE provider
  • -destprovidername - Name of the destination keystore provider. Set to JipherJCE for the Jipher JCE provider
  • -providerclass - Name of the provider class. Set to com.oracle.jipher.provider.JipherJCE
  • -providerpath - Classpath for the provider

Converting a Non-FIPS Compliant Keystore Using the Dell JCE Provider

Note:

The Dell JCE provider was previously known as RSA JCE.

Using the WebLogic Server distribution classpath, you can convert a non-compliant keystore using the keytool -importkeystore command with the Dell JCE provider as follows:

keytool -importkeystore -srckeystore srckeystore \
    -srcstoretype srcstoretype \
    -srcprovidername providername \
    -destkeystore destkeystore \
    -deststoretype PKCS12 -destprovidername JsafeJCE \
    -providerclass com.rsa.jsafe.provider.JsafeJCE \
    -providerpath $CLASSPATH

In this command, provide values for the following parameters:

  • -srckeystore - Name of the source keystore
  • -srcstoretype - Type of source keystore, for example PKCS12
  • -srcprovidername - Name of the source keystore provider. Set to JsafeJCE if srcstoretype is PKCS12
  • -destkeystore - Name of the destination keystore
  • -deststoretype - Type of destination keystore. Set to PKCS12 for the Dell JCE provider
  • -destprovidername - Name of the destination keystore provider. Set to JsafeJCE for the Dell JCE provider
  • -providerclass - Name of the provider class. Set to com.rsa.jsafe.provider.JsafeJCE
  • -providerpath - Classpath for the provider

Converting the Default JKS Keystore for FIPS Compliance

The default JKS keystore with CA certificates, cacerts, included with the JDK is not FIPS compliant. FIPS 140-2 requires a PKCS12 PBES2 keystore; JKS keystores and PKCS12 keystores created with keytool using the Sun JSSE provider (the default) are not supported. If you are using the default JDK cacerts keystore, such as in a Java Cloud Service environment using the Oracle Identity Cloud Integrator provider, you need to complete additional steps to ensure FIPS compliance, though these steps will differ depending on the JCE provider.

The following examples illustrate the steps to convert the keystore and update the Java system properties using either the Jipher JCE provider or the Dell JCE provider.

  • If you are using the Jipher JCE provider, the following example shows how to convert the keystore and update the Java system properties.
    1. Load the JKS keystore with the default provider and save it as a PKCS12 keystore with the Jipher JCE provider.
      keytool -importkeystore -v \
            -srckeystore $JAVA_HOME/jre/lib/security/cacerts \
            -srcstoretype JKS \
            -destkeystore cacerts.p12 \
            -deststoretype PKCS12 \
            -destprovidername JipherJCE \
            -providerclass com.oracle.jipher.provider.JipherJCE \
            -providerpath $CLASSPATH

    2. Set the Java system properties used by the default SSL context when booting WebLogic Server. You can do this by setting the following Java options in the WebLogic Server start script as described in Specifying Java Options for a WebLogic Server Instance in Administering Server Startup and Shutdown for Oracle WebLogic Server.
      For example:
      set JAVA_OPTIONS="-Djavax.net.ssl.trustStore=/u01/jdk/jre/lib/security/cacerts.p12 -Djavax.net.ssl.trustStoreType=PKCS12"
  • If you are using the Dell JCE provider, the following example shows how to convert the JDK cacerts keystore from JKS to PKCS12 format, then use the Dell JCE provider to convert the PKCS12 keystore into a FIPS-compliant one, and finally set the Java system properties that point the Java default SSL context at the new trust store so that WebLogic Server boots and operates successfully.

    In this example, the JDK is installed in the directory /u01.

    Note:

    The Dell JCE provider was previously known as RSA JCE.
    1. Convert the JDK cacerts keystore file to PKCS12 using the keytool -importkeystore command. For example:
      keytool -importkeystore -srckeystore /u01/jdk/jre/lib/security/cacerts \
            -destkeystore /u01/jdk/jre/lib/security/cacerts.p12 \
            -deststoretype pkcs12

      When you execute this command, you are prompted for the default password for the cacerts keystore file. For details about the keytool command and managing the cacerts file, including the default password, see keytool at https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html.

    2. Add the WebLogic Server classes to the CLASSPATH environment variable by running the ORACLE_HOME\wlserver\server\bin\setWLSEnv script.

      Here, ORACLE_HOME represents the directory you specified as the Oracle Home when you installed WebLogic Server.

      Note:

      On UNIX operating systems, the setWLSEnv.sh command does not set the environment variables in all command shells. Oracle recommends that you execute this command using the Korn shell or bash shell.
    3. Convert the PKCS12 keystore created in step 1 to a FIPS compliant keystore using the keytool -importkeystore command with the Dell JCE provider, as described in Converting a Non-FIPS Compliant Keystore Using the Dell JCE Provider.
      For example:
      keytool -importkeystore -srckeystore /u01/jdk/jre/lib/security/cacerts.p12 \
            -srcstoretype PKCS12 -srcprovidername JsafeJCE \
            -destkeystore /u01/jdk/jre/lib/security/cacerts.rsa \
            -deststoretype PKCS12 -destprovidername JsafeJCE \
            -providerclass com.rsa.jsafe.provider.JsafeJCE \
            -providerpath $CLASSPATH

    4. Set the Java system properties used by the default SSL context when booting WebLogic Server. You can do this by setting the following Java options in the WebLogic Server start script as described in Specifying Java Options for a WebLogic Server Instance in Administering Server Startup and Shutdown for Oracle WebLogic Server.
      For example:
      set JAVA_OPTIONS="-Djavax.net.ssl.trustStore=/u01/jdk/jre/lib/security/cacerts.rsa -Djavax.net.ssl.trustStoreType=PKCS12"
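The shell wrapper below is added here and is not part of the Oracle documentation. It builds the keytool -importkeystore arguments for either provider according to the parameter rules in the three conversion sections above (no -srcprovidername for a JKS source, the FIPS provider name for a PKCS12 source), runs the conversion, and then verifies that the FIPS provider can open the destination keystore and that it holds the same number of entries as the source. It assumes setWLSEnv has already populated CLASSPATH and that the keystore password is supplied in a KS_PASS variable; both are assumptions of this example.

```shell
#!/bin/sh
# keystore_convert_args FLAVOR SRC SRCTYPE DEST
#   Sets KS_PROVIDER, KS_PROVIDER_CLASS and KS_ARGS (the keytool -importkeystore
#   arguments) for converting SRC (JKS or PKCS12) into the PKCS12 keystore DEST
#   with the Jipher ("jipher") or Dell ("dell") JCE provider.
keystore_convert_args() {
  flavor=$1; src=$2; srctype=$3; dest=$4
  case $flavor in
    jipher) KS_PROVIDER=JipherJCE; KS_PROVIDER_CLASS=com.oracle.jipher.provider.JipherJCE ;;
    dell)   KS_PROVIDER=JsafeJCE;  KS_PROVIDER_CLASS=com.rsa.jsafe.provider.JsafeJCE ;;
    *) echo "unknown provider flavor: $flavor" >&2; return 2 ;;
  esac
  case $srctype in
    JKS|jks)       srcprov="" ;;   # JKS source is read by the default provider
    PKCS12|pkcs12) srcprov=" -srcprovidername $KS_PROVIDER" ;;   # as the procedures state
    *) echo "unsupported source keystore type: $srctype" >&2; return 2 ;;
  esac
  KS_ARGS="-importkeystore -srckeystore $src -srcstoretype $srctype$srcprov"
  KS_ARGS="$KS_ARGS -destkeystore $dest -deststoretype PKCS12 -destprovidername $KS_PROVIDER"
  KS_ARGS="$KS_ARGS -providerclass $KS_PROVIDER_CLASS -providerpath $CLASSPATH"
}

# convert_keystore FLAVOR SRC SRCTYPE DEST
#   Runs the conversion and verifies the result. Assumes setWLSEnv has put the
#   provider JARs on CLASSPATH and that KS_PASS holds the keystore password
#   (keytool prompts for it otherwise). Both are assumptions of this example.
convert_keystore() {
  keystore_convert_args "$@" || return $?
  [ -f "$2" ] || { echo "source keystore $2 not found" >&2; return 1; }
  [ -n "$CLASSPATH" ] || { echo "CLASSPATH is empty; run setWLSEnv first" >&2; return 1; }
  # KS_ARGS is intentionally left unquoted so it splits into keytool arguments.
  keytool $KS_ARGS -srcstorepass "$KS_PASS" -deststorepass "$KS_PASS" || return 1
  # Verification: DEST must open with the FIPS provider and hold every entry
  # SRC held. keytool -list prints one "...Entry," line per alias.
  srcopts=""
  case $3 in
    PKCS12|pkcs12) srcopts="-providername $KS_PROVIDER -providerclass $KS_PROVIDER_CLASS -providerpath $CLASSPATH" ;;
  esac
  n_src=$(keytool -list -keystore "$2" -storetype "$3" $srcopts -storepass "$KS_PASS" | grep -c 'Entry,' || true)
  n_dst=$(keytool -list -keystore "$4" -storetype PKCS12 -providername "$KS_PROVIDER" \
            -providerclass "$KS_PROVIDER_CLASS" -providerpath "$CLASSPATH" \
            -storepass "$KS_PASS" | grep -c 'Entry,' || true)
  [ "$n_src" -eq "$n_dst" ] || { echo "entry count mismatch: $n_src in $2, $n_dst in $4" >&2; return 1; }
  echo "converted $2 -> $4 ($n_dst entries, provider $KS_PROVIDER)"
}
```

Typical use after running setWLSEnv: `KS_PASS=changeit convert_keystore jipher $JAVA_HOME/jre/lib/security/cacerts JKS cacerts.p12`.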

Important Considerations When Using Web Services

When using web services in FIPS 140-2 mode, there are important considerations to keep in mind.

For example:

SHA-1 Secure Hash Algorithm Not Supported

SHA-1 Secure Hash Algorithm is not supported in FIPS 140-2 mode. Therefore the following WS-SP <sp:AlgorithmSuite> values are not supported in FIPS 140-2 mode:

  • Basic256
  • Basic192
  • Basic128
  • TripleDes
  • Basic256Rsa15
  • Basic192Rsa15
  • Basic128Rsa15
  • TripleDesRsa15

As described in Using the SHA-256 Secure Hash Algorithm in Securing WebLogic Web Services for Oracle WebLogic Server, the WebLogic Server web service security policies support both the SHA-1 and much stronger SHA-2 (SHA-256) secure hash algorithms for hashing digital signatures. Specifically, Using the SHA-256 Policies describes which policies use the SHA-1 secure hash algorithm and their SHA-2 equivalents.

FIPS 140-2 mode requires an Extended Algorithm Suite when digital signatures are used. See Using the Extended Algorithm Suite (EAS) in Securing WebLogic Web Services for Oracle WebLogic Server.

If you enable FIPS 140-2 mode, change the <sp:AlgorithmSuite> element in the Security policy to one of the following supported <sp:AlgorithmSuite> values as described in Using the SHA-256 Secure Hash Algorithm:

  • Basic256Sha256
  • Basic192Sha256
  • Basic128Sha256
  • Basic256Exn256
  • Basic192Exn256
  • Basic128Exn256
  • TripleDesSha256
  • TripleDesExn256
  • Basic256Sha256Rsa15
  • Basic192Sha256Rsa15
  • Basic128Sha256Rsa15
  • Basic256Exn256Rsa15
  • Basic192Exn256Rsa15
  • Basic128Exn256Rsa15
  • TripleDesSha256Rsa15
  • TripleDesExn256Rsa15

For example, to change an existing Basic256 algorithm suite to an EAS algorithm suite, change the policy from

<sp:AlgorithmSuite>
        <wsp:Policy>
             <sp:Basic256/>
        </wsp:Policy>
</sp:AlgorithmSuite>

to

<sp:AlgorithmSuite>
         <wsp:Policy>
             <orasp:Basic256Exn256 xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"/>
         </wsp:Policy>
</sp:AlgorithmSuite>

X509PKIPathv1 Token Not Supported

The X509PKIPathv1 token is not supported for FIPS 140-2 mode in this release of WebLogic Server. If you use the X509PKIPathv1 token in a custom policy, change the policy to use the PKCS7 token instead.

Specifically, the following two policy assertions are not supported in FIPS 140-2 mode in this release of WebLogic Server:

  • <sp:WssX509PkiPathV1Token10/>
  • <sp:WssX509PkiPathV1Token11/>

If you use these two policy assertions, change them to the following two assertions instead:

  • <sp:WssX509Pkcs7Token10/>
  • <sp:WssX509Pkcs7Token11/>

For example, if the policy has the following assertion in the custom policy:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
               <sp:WssX509PkiPathV1Token10/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>

replace it with the following policy assertion:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
               <sp:WssX509Pkcs7Token10/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>

Or, if the policy has the following assertion in the custom policy:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
              <sp:RequireThumbprintReference/>
              <sp:WssX509PkiPathV1Token11/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>

replace it with the following assertion:

<wsp:Policy>
   <sp:X509Token sp:IncludeToken=". . .">
         <wsp:Policy>
               <sp:RequireThumbprintReference/>
               <sp:WssX509Pkcs7Token11/>
         </wsp:Policy>
   </sp:X509Token>
</wsp:Policy>
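As an added audit script (not part of the Oracle documentation), the following POSIX shell function scans WS-SecurityPolicy files for the two classes of assertion the sections above list as unsupported in FIPS 140-2 mode, the SHA-1 algorithm suites and the X509PKIPathv1 tokens, and prints the replacement element for each; the orasp namespace is the one shown in the Basic256Exn256 example above. It assumes the policy files are passed as arguments and that each assertion is an empty element on one line, as in the examples.

```shell
#!/bin/sh
# fips_policy_audit FILE...
#   Scans WS-SecurityPolicy files for the assertions listed above as unsupported
#   in FIPS 140-2 mode and prints the replacement for each. Returns 1 if any
#   were found, so the check can gate a deployment.
ORASP_NS=http://schemas.oracle.com/ws/2006/01/securitypolicy
# The pattern is anchored on "/>" so that Basic256 does not match Basic256Sha256.
NON_FIPS_SUITES='Basic256|Basic192|Basic128|TripleDes|Basic256Rsa15|Basic192Rsa15|Basic128Rsa15|TripleDesRsa15'

fips_policy_audit() {
  found=0
  for f in "$@"; do
    # 1. SHA-1 algorithm suites: FIPS mode needs the Extended Algorithm Suite,
    #    so map XYZ[Rsa15] to the orasp XYZExn256[Rsa15] element.
    for suite in $(grep -oE "<sp:($NON_FIPS_SUITES)[[:space:]]*/>" "$f" | sed -E 's#^<sp:([A-Za-z0-9]+).*#\1#'); do
      fix=$(printf '%s' "$suite" | sed -E 's/^(Basic256|Basic192|Basic128|TripleDes)(Rsa15)?$/\1Exn256\2/')
      echo "$f: <sp:$suite/> is not supported in FIPS 140-2 mode; use <orasp:$fix xmlns:orasp=\"$ORASP_NS\"/>"
      found=$((found + 1))
    done
    # 2. X509PKIPathv1 tokens: use the PKCS7 token of the same WS-Security version.
    for tok in $(grep -oE '<sp:WssX509PkiPathV1Token1[01][[:space:]]*/>' "$f" | sed -E 's#^<sp:([A-Za-z0-9]+).*#\1#'); do
      fix=$(printf '%s' "$tok" | sed 's/PkiPathV1/Pkcs7/')
      echo "$f: <sp:$tok/> is not supported in FIPS 140-2 mode; use <sp:$fix/>"
      found=$((found + 1))
    done
  done
  [ "$found" -eq 0 ]
}
```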