Enabling FIPS for Connector Gateway
FIPS stands for the Federal Information Processing Standards. These standards were developed by the U.S. Federal Government and are mandatory for non-military federal government agencies, contractors, and vendors. They are also used by the private sector on a voluntary basis.
- In the deployment directory (the folder from which the ConnectorGateway.jar file runs), add the required Bouncy Castle FIPS jar files. Download the latest versions of the following jars from bouncycastle.org and place them in that directory:
  - bc-fips-*.jar
  - bctls-fips-*.jar
  - bcpkix-fips-*.jar
- In the init.xml file:
  - Set the value of enableFIPS to true.
  - If mutual TLS is enabled between the Connector Gateway and PE2, provide the encrypted value of trustStorePasswordPE2TLSAuth. Generate it with the following command:
    java -jar ConnectorGateway.jar -trustStorePasswordPE2TLSAuth "password"
  - Enter the encrypted value of trustStorePassword. To generate the encrypted value that goes into the init.xml file, use the following command:
    java -jar ConnectorGateway.jar -trustStorePassword <Value>
  - Enter the keystore and truststore paths.
  - Make any other parameter configurations as required.
Note
The keystore and truststore must be in BCFKS format. The following is a sample command to create a new BCFKS keystore from an existing JKS keystore:
keytool -importkeystore -srckeystore <source_keystore> -srcstoretype JKS -srcstorepass <src keystore password> -destkeystore <new keystore name> -deststoretype BCFKS -deststorepass <new keystore password> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar
The following is a sample command to create a new keystore of BCFKS type:
keytool -genkey -alias <anything> -keystore <keystorename>.bcfks -storepass <password> -storetype BCFKS -providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar
In both commands, -providerpath must point to the bc-fips jar you placed in the deployment directory (the samples use bc-fips-1.0.2.jar).
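Two things in the steps above go wrong quietly: a missing Bouncy Castle jar, and a keystore or truststore that was never converted from JKS to BCFKS (the FIPS provider cannot open JKS or JCEKS stores, and the failure surfaces later as a TLS or keystore-loading error). The following pre-flight script is an added example, not SailPoint's or Bouncy Castle's code. It checks the deployment directory for the three jar name patterns from the procedure and classifies each keystore by its leading bytes: the JKS and JCEKS magic numbers are fixed by the JDK, and a BCFKS store (like a PKCS#12 store) is ASN.1 DER, so it starts with 0x30 instead. The header alone cannot distinguish BCFKS from PKCS#12, so "DER" only means "not a legacy JDK store". The file names and paths it is run with are the deployment's own; nothing here is hard-coded beyond the patterns on this page.

```python
"""Pre-flight checks for a FIPS-mode Connector Gateway deployment directory.

Added example, not SailPoint's code. It checks two things the procedure
requires: that the three Bouncy Castle FIPS jars are present in the
deployment directory, and that the keystore and truststore are no longer in
JKS or JCEKS format (the FIPS provider only opens BCFKS stores).
"""
import fnmatch
import os
import sys

# Jar name patterns from the procedure; any version suffix is accepted.
REQUIRED_JAR_PATTERNS = ("bc-fips-*.jar", "bctls-fips-*.jar", "bcpkix-fips-*.jar")

# Magic numbers of the legacy Java keystore formats. A BCFKS store (like a
# PKCS#12 store) is ASN.1 DER, so it starts with 0x30 (SEQUENCE) instead.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
JCEKS_MAGIC = b"\xce\xce\xce\xce"


def missing_fips_jars(filenames):
    """Return the required jar patterns that no name in filenames matches."""
    return [pat for pat in REQUIRED_JAR_PATTERNS
            if not any(fnmatch.fnmatch(name, pat) for name in filenames)]


def keystore_format_from_header(head):
    """Classify a keystore by its first bytes.

    Returns 'JKS', 'JCEKS', 'DER' (BCFKS or PKCS#12; the header alone cannot
    tell those two apart) or 'unknown'.
    """
    if head[:4] == JKS_MAGIC:
        return "JKS"
    if head[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if head[:1] == b"\x30":
        return "DER"
    return "unknown"


def preflight(deploy_dir, keystore_paths):
    """Collect every problem found; an empty list means the checks passed."""
    problems = [f"missing jar in {deploy_dir}: {pat}"
                for pat in missing_fips_jars(os.listdir(deploy_dir))]
    for path in keystore_paths:
        if not os.path.isfile(path):
            problems.append(f"keystore not found: {path}")
            continue
        with open(path, "rb") as f:
            fmt = keystore_format_from_header(f.read(4))
        if fmt in ("JKS", "JCEKS"):
            problems.append(f"{path} is a {fmt} store; convert it to BCFKS "
                            "with keytool -importkeystore before enabling FIPS")
        elif fmt == "unknown":
            problems.append(f"{path} does not look like a BCFKS store")
    return problems


if __name__ == "__main__":
    # usage: python preflight.py <deployment dir> <keystore> [<truststore> ...]
    deploy = sys.argv[1] if len(sys.argv) > 1 else "."
    issues = preflight(deploy, sys.argv[2:])
    for line in issues or ["preflight OK"]:
        print(line)
    sys.exit(1 if issues else 0)
```

Run it from the deployment folder with the keystore and truststore paths you entered in init.xml; a non-zero exit means at least one of the prerequisites above is not met.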
- Modify the java.security file of the JRE that runs the Connector Gateway so that the Bouncy Castle FIPS provider is first and the Bouncy Castle JSSE provider second, then renumber the remaining providers so their priorities follow on from these two:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{ALL}
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
- Override the classpath with the deployment folder and run the Connector Gateway .jar file from the deployment folder as shown:
java -cp ./* sailpoint.router.common.Main
- To view the debug SSL logs, run the Connector Gateway using the following command:
java -Djava.security.debug=all -Djavax.net.debug=SSL -cp ./* sailpoint.router.common.Main
Note
The Connector Gateway may take a while to initialize and synchronize with the Mainframe. If you select Test Connection while this is in progress, you may get errors from the Mainframe. Wait for the Connector Gateway to initialize and connect to the Agent before selecting Test Connection.