Installing the FIPS Client Driver for JDBC
Vertica offers a JDBC client driver that is compliant with the Federal Information Processing Standard (FIPS). Use this JDBC client driver to access systems that are FIPS-compatible. For more information on FIPS in Vertica, see Federal Information Processing Standard.
Implementing FIPS on a JDBC client requires a third-party JRE extension called BouncyCastle, a collection of APIs used for cryptography. Use BouncyCastle APIs with JDK 1.7 and 1.8, and a FIPS-compliant operating system that Vertica supports.
When using the FIPS-compliant JDBC client, expect some delay while the client establishes a secure connection. If necessary, increase your system's available entropy to ensure a fast and secure connection.
You need to add the FIPS BouncyCastle jar as the JVM JSSE provider, as follows:
- Download the BouncyCastle FIPS jar file bc-fips-1.0.0.jar from the BouncyCastle download page.
- Add bc-fips-1.0.0.jar as a JRE library extension:
  <path to jre>/lib/ext/bc-fips-1.0.0.jar
- Add BouncyCastle as an SSL security provider in <path to jre>/lib/security/java.security:
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
  security.provider.3=sun.security.provider.Sun
- Use the following JVM java -D system property command arguments to set the KeyStore and TrustStore providers to BCFIPS:
  export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStoreProvider=BCFIPS"
  export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreProvider=BCFIPS"
  For information on setting the SSL Keystore and Truststore, see Configuring TLS for JDBC Clients.
- Set the default type for the KeyStore implementation to BCFKS in <path to jre>/lib/security/java.security:
  keystore.type=BCFKS
  ssl.keystore.type=BCFKS
  If you are using FIPS with BouncyCastle, you must create all client keys and certificates with the BCFKS store type, including the Vertica-to-Kafka keys and certificates.
- On the command line, run the following command from <path to jre>/lib/ext to create the keystore and truststore. Make sure you use the BCFKS type:
  $ <java bin path>/keytool -keystore vertica.kafka.keystore.bcfks \
      -storetype BCFKS \
      -providername BCFIPS \
      -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
      -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
      -providerpath bc-fips-1.0.0.jar \
      -alias CARoot \
      -import -file <server.crt.der file path>
- Enter the keystore password when prompted. The following message appears:
  "Certificate was added to the keystore"
- Run the Java program with SSL DB:
  Copy the vertica.kafka.keystore.bcfks keyStore from <path to jre>/lib/ext/ to the Java program folder.
  Convert the Vertica server certificate to a form that Java understands by importing it into a truststore named verticastore (keytool accepts a single command per invocation, so only the certificate import is given here):
  $ <java bin path>/keytool -keystore verticastore -storepass password -noprompt -alias verticasql -importcert -file server.crt.der
  Download the latest Vertica JDBC driver from the Vertica download page.
- After creating verticastore and the keyStore and downloading the driver jar, run the Java program with SSL debugging enabled to test the implementation:
  $ java -Djavax.net.debug=ssl -Djavax.net.ssl.keyStore='vertica.kafka.keystore.bcfks' \
      -Djavax.net.ssl.keyStorePassword='password' \
      -Djavax.net.ssl.trustStore='<path to verticastore>/verticastore' \
      -Djavax.net.ssl.trustStorePassword='password' \
      -cp .:vertica-jdbc-8.1.0-0.jar FIPSTest
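The command above runs a class named FIPSTest but the page does not show its source. The following is an added example of such a test program, not code from the Vertica documentation or the Vertica JDBC driver. It assumes the java.security and keystore steps above have been completed (BCFIPS is the first provider, keystore.type is BCFKS, and the CARoot certificate was imported into vertica.kafka.keystore.bcfks with store password "password"); the host name, database name, user, database password and the `ssl` connection property are placeholders and assumptions. Before opening the JDBC connection it verifies that the JVM is really running with the FIPS provider and that the keystore contains the imported CA alias, so a misconfiguration fails with a clear message instead of a silent fallback to the non-FIPS providers.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Collections;
import java.util.Properties;
import javax.net.ssl.SSLContext;

// Added example, not part of the Vertica documentation.
public class FIPSTest {

    // Provider name reported by the BouncyCastle FIPS provider (matches -providername BCFIPS above).
    private static final String FIPS_PROVIDER = "BCFIPS";

    /** Fails fast if java.security was not edited as described in the steps above. */
    static void checkJvmConfiguration() {
        Provider first = Security.getProviders()[0];
        if (!FIPS_PROVIDER.equals(first.getName())) {
            throw new IllegalStateException("First security provider is " + first.getName()
                    + ", expected " + FIPS_PROVIDER + "; check security.provider.1 in java.security");
        }
        // KeyStore.getDefaultType() reflects the keystore.type property set in java.security.
        if (!"BCFKS".equalsIgnoreCase(KeyStore.getDefaultType())) {
            throw new IllegalStateException("Default keystore type is " + KeyStore.getDefaultType()
                    + ", expected BCFKS; check keystore.type in java.security");
        }
    }

    /** Opens the BCFKS store through the FIPS provider and confirms the CA alias was imported. */
    static void checkKeyStore(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("BCFKS", FIPS_PROVIDER);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (!ks.containsAlias(alias)) {
            throw new IllegalStateException("Alias " + alias + " not found in " + path
                    + "; aliases present: " + Collections.list(ks.aliases()));
        }
    }

    public static void main(String[] args) throws Exception {
        checkJvmConfiguration();
        // Store and password from the keytool step above; CARoot is the alias imported there.
        checkKeyStore("vertica.kafka.keystore.bcfks", "password".toCharArray(), "CARoot");

        // SunJSSE with the BCFIPS argument delegates its cryptography to the FIPS provider;
        // printing the context provider is a useful line to compare against -Djavax.net.debug=ssl output.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("TLS context provider: " + ctx.getProvider().getName());

        // Placeholder connection details (assumed values, not from the page).
        Properties props = new Properties();
        props.setProperty("user", "dbadmin");
        props.setProperty("password", "<db password>");
        props.setProperty("ssl", "true"); // assumed property name for requiring TLS on the 8.1 driver
        String url = "jdbc:vertica://vertica.example.com:5433/VMart";

        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT version()")) {
            while (rs.next()) {
                System.out.println("Connected over TLS: " + rs.getString(1));
            }
        }
    }
}
```

Compile it with the Vertica driver on the classpath (`javac -cp vertica-jdbc-8.1.0-0.jar FIPSTest.java`) and then run it with the `java -Djavax.net.debug=ssl ...` command shown above; the trust store passed on that command line is what the driver uses to validate the server certificate, while the explicit checkKeyStore call only confirms that the keytool import succeeded.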