Skip to main content

What FIPS means for Java

FIPS (Federal Information Processing Standards) 140-3 is a federal cryptography compliance framework. FIPS validated cryptography is required by FedRAMP and is mandatory for non-military federal government agencies, contractors, and vendors. Validation is regulated by the NIST Cryptographic Module Validation Program (CMVP), which certifies cryptographic modules that meet FIPS 140-3 security standards. Standard OpenJDK ships with built-in cryptographic providers (SunJCE, SunJSSE, SunRsaSign, SunEC) that have not been through the CMVP validation process. To be FIPS-compliant, every cryptographic operation (encryption, hashing, key generation, TLS) must go through a CMVP-certified provider.

FIPS 140-3 certificate

Minimus Java FIPS images use the Minimus Cryptographic Module for Java module, validated under CMVP certificate #5142. This certificate covers the CCJ Provider and defines the approved algorithms, operational environments, and hardware requirements under which the module is validated.

Available Java FIPS images

Minimus provides the following Java FIPS validated images:
ImageBaseDescriptionUse
reg.mini.dev/openjdk-fipsEclipse TemurinOpenJDK Development Kit (JDK)Build and compile stage
reg.mini.dev/openjre-fipsEclipse TemurinOpenJDK Runtime Environment (JRE)Production runtime
reg.mini.dev/amazon-corretto-jdk-fipsAmazon CorrettoAmazon Corretto JDKBuild and compile stage
reg.mini.dev/amazon-corretto-jre-fipsAmazon CorrettoAmazon Corretto JREProduction runtime

Supported Java versions

Supported Java versions: 26, 25, 21, 17, 8. Java 24 and 11 have reached end-of-life but are available.

Cryptographic providers

Minimus Java FIPS images are configured with the following security providers, in priority order:
PositionProviderRole
1SafeLogic CryptoComply (CCJ)Primary FIPS 140-3 validated provider for all cryptographic operations
2Bouncy Castle JSSE (BCJSSE)FIPS-compliant TLS/SSL — delegates all crypto to CCJ
3SUNLoaded at lowest priority for CCJ JAR signature validation only
4+SunJGSS, SunSASL, XMLDSig, SunPCSC, JdkLDAP, JdkSASLInfrastructure providers delegate crypto operations to CCJ/BCJSSE
The following providers are explicitly removed from the image and are not available at runtime: SunRsaSign, SunEC, SunJCE, SunJSSE.

FIPS 140-3 libraries

The CryptoComply and SafeLogic Bouncy Castle jars are located at /usr/share/fips-libs/ inside the image:
JARPurpose
ccj-4.0.0-fips.jarSafeLogic CryptoComply FIPS 140-3 provider (CCJ)
sl-bcutil-2.0.3.jarSafeLogic Bouncy Castle utilities
sl-bctls-2.0.21.jarSafeLogic Bouncy Castle TLS/SSL (JSSE)
sl-bcpkix-2.0.8.jarSafeLogic Bouncy Castle PKIX/X.509
sl-bcmail-2.0.5.jarSafeLogic Bouncy Castle S/MIME
sl-bcpg-2.0.12.jarSafeLogic Bouncy Castle OpenPGP

What FIPS blocks at runtime

FIPS approved-only mode (com.safelogic.cryptocomply.fips.approved_only=true) enforces a hard algorithm blocklist. Your application will throw a NoSuchAlgorithmException or GeneralSecurityException at runtime, not at compile time if it calls any of the following:
BlockedFIPS-approved replacement
MD5 (for any security purpose)SHA-256 or SHA-3
SHA-1 signaturesSHA-256 or stronger
DES / 3DESAES-128 or AES-256
RC4AES-GCM
TLS 1.0 / TLS 1.1TLS 1.2 or TLS 1.3
RSA or DH keys under 2048 bitsRSA-2048 minimum, RSA-3072 preferred
PKCS#12 for private key storageBCFKS keystore format
Audit your codebase to search for string literals like “MD5”, “SHA1”, “DES”, “RC4”, “TLSv1”, and “PKCS12” in any getInstance() or KeyStore.getInstance() calls.

Security configuration

The images enforce FIPS 140-3 compliance through:
  • Approved-only mode: com.safelogic.cryptocomply.fips.approved_only=true
  • Non-FIPS providers disabled: SunRsaSign, SunEC, SunJCE, and SunJSSE are omitted
  • FIPS-approved algorithms only: Non-FIPS algorithms are blocked (e.g., MD5)
  • BCFKS keystore type: Required for private keys (Bouncy Castle FIPS KeyStore is a FIPS-compliant keystore format)
  • Trust store types: JKS, PKCS12, and BCFKS supported for truststores

Environment variables

Minimus Java FIPS images set the following environment variables by default:
  • JAVA_HOME: Points to the default JVM installation
  • CLASSPATH: Includes FIPS libraries from /usr/share/fips-libs/*
  • JAVA_FIPS_CLASSPATH: Explicit FIPS classpath reference
  • JDK_JAVA_OPTIONS: Includes the required exports and FIPS trust store configuration:

Verifying the Java FIPS 140-3 module

Each Java FIPS image includes automated tests that verify:
  1. Java version - Confirms that the correct Java version is installed
  2. FIPS provider availability - Verifies that SafeLogic CryptoComply and Bouncy Castle JSSE providers are loaded
  3. Provider priority - Ensures providers are in the correct order (CCJ at position 1, BCJSSE at position 2)
  4. FIPS-approved algorithms - Tests that FIPS-approved algorithms (AES, SHA-256, RSA) are available
  5. Non-FIPS algorithm blocking - Confirms non-FIPS algorithms (e.g., MD5) are correctly blocked

Basic verification

FIPS compliance test

You can verify FIPS compliance by creating a test program. For example, save the following code as the file TestFIPS.java:
TestFIPS.java
Compile and run the FIPS test:
Expected output:

Notes

  • FIPS compliance is enforced at runtime via Java security configurations
  • Applications must use FIPS-approved algorithms and keystore formats (BCFKS)
  • The Sun provider is included only for JAR signature validation and does not perform cryptographic operations
  • All cryptographic operations are routed through FIPS-validated providers (CCJ and BCJSSE)
  • The Java FIPS module requires specialized hardware. Learn more
Last modified on June 16, 2026