How to Setup OpenDJ with BCFKS FIPS Key Store Type support - OpenIdentityPlatform/OpenDJ GitHub Wiki
1. Prepare a server with the DISA STIG profile (RHEL 8.5 or later)
2. Generate a BCFKS FIPS-compatible keystore
cat > /tmp/opendj.keystore.pin <<EOF
Password
EOF
keytool -genkey -alias server-cert -keyalg rsa -dname "CN=example.com,O=OpenDJ RSA Self-Signed Certificate" \
-keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 -providername BCFIPS \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar \
-keypass:file /tmp/opendj.keystore.pin -storepass:file /tmp/opendj.keystore.pin \
-keysize 2048 -sigalg SHA256WITHRSA
keytool -selfcert -alias server-cert -keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 \
-providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar -storepass:file /tmp/opendj.keystore.pin
keytool -genkey -alias admin-cert -keyalg rsa -dname "CN=example.com,O=Administration Connector RSA Self-Signed Certificate" \
-keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 -providername BCFIPS \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar \
-keypass:file /tmp/opendj.keystore.pin -storepass:file /tmp/opendj.keystore.pin \
-keysize 2048 -sigalg SHA256WITHRSA
keytool -selfcert -alias admin-cert -keystore /etc/certs/opendj.bcfks -storetype BCFKS -validity 3650 \
-providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar -storepass:file /tmp/opendj.keystore.pin
Check the keystore (use the same provider jars as above):
keytool -list -storetype BCFKS -providername BCFIPS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /tmp/libs/bc-fips-1.0.2.3.jar:/tmp/libs/bcpkix-fips-1.0.7.jar -keystore /etc/certs/opendj.bcfks -storepass:file /tmp/opendj.keystore.pin
Output:
Keystore type: BCFKS
Keystore provider: BCFIPS
admin-cert, Sep 20, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 0D:62:B3:85:7C:58:27:4F:00:D3:68:DE:83:50:92:C8:DB:5F:0D:81:4D:14:77:47:C6:C2:D2:B1:05:D2:CB:B0
server-cert, Sep 20, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:BC:55:1F:48:28:43:19:0F:0D:D8:06:F8:53:A5:AE:40:B1:EC:DE:99:0C:E4:F1:2E:F7:3D:56:14:ED:BA:F7
Your keystore contains 2 entries
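Two things are worth verifying at this point before moving on to the OpenDJ setup: that the PIN file written by the heredoc is not readable by other users (a plain `cat > file` inherits the shell's umask), and that the listing really reports a BCFKS store backed by the BCFIPS provider with both aliases present, rather than a store that silently fell back to JKS. The following is an added example, not part of the OpenDJ wiki or the project's tooling; it checks a PIN file's permissions and parses a `keytool -list` listing read from stdin. The `check_pin_file`, `check_bcfks_listing` and `check_sample` names are this example's own, and the embedded listings (with placeholder fingerprints) are constructed to mirror the shape of the output shown above.

```shell
#!/bin/sh
# Added example (not from the OpenDJ wiki): sanity checks for step 2.
#   keytool -list ... | check_bcfks_listing server-cert admin-cert
#   check_pin_file /tmp/opendj.keystore.pin

# check_pin_file PATH : returns 0 when PATH is a regular file with mode 0600
# (owner read/write only). `cut -c1-10` ignores any trailing SELinux/ACL
# marker that ls may append to the permission string.
check_pin_file() {
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || {
        echo "$1: permissions are $mode, expected -rw-------" >&2
        return 1
    }
}

# check_bcfks_listing ALIAS... : reads a keytool listing on stdin. Returns 0
# when the store type is BCFKS, the provider is BCFIPS and every ALIAS is
# present as a PrivateKeyEntry; otherwise reports what is wrong and returns 1.
check_bcfks_listing() {
    listing=$(cat)
    rc=0
    case "$listing" in
        *"Keystore type: BCFKS"*) ;;
        *) echo "keystore type is not BCFKS" >&2; rc=1 ;;
    esac
    case "$listing" in
        *"Keystore provider: BCFIPS"*) ;;
        *) echo "keystore provider is not BCFIPS" >&2; rc=1 ;;
    esac
    for alias in "$@"; do
        if ! printf '%s\n' "$listing" | grep -q "^${alias},.*PrivateKeyEntry"; then
            echo "missing PrivateKeyEntry for alias ${alias}" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing shaped like the wiki's "Check keystore" output
# (fingerprints are placeholders, not real values).
SAMPLE_GOOD='Keystore type: BCFKS
Keystore provider: BCFIPS
admin-cert, Sep 20, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:AA
server-cert, Sep 20, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB
Your keystore contains 2 entries'

# Constructed sample of a store that fell back to JKS and lacks admin-cert.
SAMPLE_BAD='Keystore type: JKS
Keystore provider: SUN
server-cert, Sep 20, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB
Your keystore contains 1 entry'

# check_sample good|bad : runs the listing check against an embedded sample.
check_sample() {
    case "$1" in
        good) printf '%s\n' "$SAMPLE_GOOD" | check_bcfks_listing server-cert admin-cert ;;
        bad)  printf '%s\n' "$SAMPLE_BAD"  | check_bcfks_listing server-cert admin-cert ;;
        *)    echo "unknown sample: $1" >&2; return 2 ;;
    esac
}
```

On a real host, pipe the `keytool -list` command from the step above into `check_bcfks_listing server-cert admin-cert`; a non-zero exit means the store is not what OpenDJ's `useBcfksKeystore` setting expects.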
3. Prepare OpenDJ setup properties
...
useBcfksKeystore =/etc/certs/opendj.bcfks
keyStorePasswordFile =/tmp/opendj.keystore.pin
...
4. Run OpenDJ setup
/opt/opendj/setup --no-prompt --cli --propertiesFilePath /opt/opendj/opendj-setup.properties.bcfks --acceptLicense --doNotStart
To run the OpenDJ command-line tools against this setup, pass the administration truststore explicitly: --trustStorePath /opt/opendj/config/admin-truststore --trustStorePasswordFile /opt/opendj/config/keystore.pin
To use the OpenDJ tools without these additional parameters, import the OpenDJ truststore into the system PKCS11 truststore:
keytool -importkeystore -destkeystore NONE -deststoretype PKCS11 -deststorepass changeit -srckeystore /opt/opendj/config/truststore -srcstoretype JKS -srcstorepass:file /opt/opendj/config/keystore.pin -noprompt