
Configuring FIPS Mode for the JDBC Driver and CData Virtuality Server

Overview

Federal Information Processing Standards (FIPS) mode ensures that all cryptographic operations used by the CData Virtuality Server and JDBC driver are performed using a FIPS-approved provider (for example, Bouncy Castle FIPS) and FIPS-compatible keystores such as BCFKS.

Enabling FIPS Mode on the Server

In dvserver-standalone.xml, locate the SSL transport configuration and add fips="enabled". In FIPS mode, the keystore referenced by this transport must be of type BCFKS.

Here is an example configuration:

CODE
<transport name="jdbc-ssl" protocol="teiid" socket-binding="dv-jdbc-ssl">
    <authentication security-domain="dv-security"/>
    <ssl mode="enabled" ssl-protocol="TLSv1.3" fips="enabled">
        <keystore name="../standalone/configuration/cdv_jdbc_server_bcfks.keystore" password="CDatavirtuality123!" type="bcfks" />
    </ssl>
</transport>

Key points:

  • fips="enabled" turns on FIPS mode for this SSL transport;

  • type="BCFKS" is mandatory in FIPS mode;

  • When FIPS mode is enabled, the use of keystore types such as JKS or PKCS12 is not permitted and will cause the Server to fail at startup or to reject the configuration.

Enabling FIPS mode on the JDBC Driver

1. Enabling FIPS on the driver

On the JDBC driver side, FIPS mode is controlled with the following driver property:

CODE
fips = "enabled"

This means the following:

  • FIPS disabled: the driver may use a configured JKS/PKCS12 truststore;

  • FIPS enabled: the driver must use a truststore of type BCFKS.

2. Adding FIPS Bouncy Castle libraries to the client classpath

To run the JDBC driver in FIPS mode on the client, the corresponding FIPS Bouncy Castle libraries must be on the same classpath as the driver itself.

The following JAR files must be added together with the CData Virtuality JDBC driver:

  • bc-fips-2.1.1.jar

  • bctls-fips-2.1.20.jar

  • bcpkix-fips-2.1.9.jar

  • bcutil-fips-2.1.4.jar

On the CData Virtuality Server, these JARs are located in the following directory:

CODE
modules\system\layers\base\org\bouncycastle\bc-fips\main

You can copy them from this directory and place them alongside the JDBC driver JAR wherever your client tool or application expects libraries.

Third-party tool configuration (DBeaver example)

In DBeaver, the CData Virtuality JDBC driver definition must include the following:

  • The CData Virtuality JDBC driver JAR;

  • All four FIPS Bouncy Castle JARs listed above (bc-fips-2.1.1.jar, bctls-fips-2.1.20.jar, bcpkix-fips-2.1.9.jar, bcutil-fips-2.1.4.jar)

To configure FIPS in DBeaver, follow these steps:

  1. Open Database → Driver Manager.

  2. Select the CData Virtuality JDBC driver entry.

  3. Open the Libraries tab.

  4. Ensure the following entries are present:

    • The CData Virtuality JDBC driver JAR

    • bc-fips-2.1.1.jar

    • bctls-fips-2.1.20.jar

    • bcpkix-fips-2.1.9.jar

    • bcutil-fips-2.1.4.jar

  5. Apply the changes and restart DBeaver if required.

Server BCFKS Keystore and Client Truststore (Self-signed Certificates)

When the Server runs in FIPS mode, it may use one of the following:

  • A certificate issued by a public or corporate CA, or

  • A self-signed certificate stored in the server’s BCFKS keystore.

If a self-signed certificate is used, the JDBC driver will not trust it by default. In this section, we cover the following topics:

  • Creating the server BCFKS keystore (including conversion from JKS);

  • Creating a client BCFKS truststore for self-signed certificates and configuring the driver to use it.

1. Creating a BCFKS keystore for the Server

The Server certificate and private key must be stored in a BCFKS keystore. You can create this with the JDK keytool and a FIPS provider such as FIPS Bouncy Castle.

Here is an example:

CODE
keytool -keystore cdv_jdbc_server_bcfks.keystore -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/bc-fips-2.1.1.jar -alias cdv_server -genkeypair -sigalg SHA512withRSA -keyalg RSA -keysize 3072 -storepass CDatavirtuality123! -dname CN=localhost -J-Djava.security.properties=./keystore-create.java.security -validity 36500

Note: the key size (-keysize) must be more than 2048 bits; the example above uses 3072.

If you already have a certificate in another keystore type (for example, JKS), you can export/import it into BCFKS.

Here is an example:

CODE
keytool -importkeystore -srckeystore cdv_jdbc_server_jks.keystore -srcstoretype JKS -srcstorepass CDatavirtuality123! -destkeystore cdv_jdbc_server_bcfks.keystore -deststoretype BCFKS -deststorepass CDatavirtuality123! -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/bc-fips-2.1.1.jar

After this, the Server should use cdv_jdbc_server_bcfks.keystore as its keystore in FIPS mode.

2. Creating a client BCFKS truststore for a self-signed Server certificate

If the Server is using a self-signed certificate, the JDBC driver must be configured with a truststore that explicitly trusts this certificate. The typical sequence is as follows:

  1. Export the server’s self-signed certificate from the server keystore.

  2. Create a BCFKS truststore on the client.

  3. Import the server certificate into the client truststore.

Here is the conceptual keytool sequence:

CODE
# 1) Export the server certificate from the server keystore
#    (the BC FIPS provider is passed explicitly, as in the commands above, so no java.security edit is needed)
keytool -exportcert -keystore cdv_jdbc_server_bcfks.keystore -storetype BCFKS -storepass CDatavirtuality123! -alias cdv_server -rfc -file cdvserver.crt -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/bc-fips-2.1.1.jar

# 2) Create a BCFKS truststore and import the server certificate
keytool -importcert -keystore client-bcfks.truststore -storetype BCFKS -storepass CDatavirtuality123! -alias cdv_server -file cdvserver.crt -noprompt -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /path/to/bc-fips-2.1.1.jar
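To confirm that a store produced by the commands above (the server keystore or the client truststore) is a loadable BCFKS store that meets this page's requirements, here is an added Java check; it is not part of the CData Virtuality distribution. It assumes bc-fips-2.1.1.jar is on the classpath and takes the store path and password as command-line arguments.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

// Loads a BCFKS store through the BC FIPS provider and reports every entry.
// Returns false if any RSA key is 2048 bits or smaller (this page requires
// more than 2048) or if any certificate is outside its validity period.
public class BcfksCheck {
    static final String PROVIDER = "BCFIPS"; // provider name registered by BouncyCastleFipsProvider

    public static boolean check(Path store, char[] password) throws Exception {
        if (Security.getProvider(PROVIDER) == null) {
            Security.addProvider(new BouncyCastleFipsProvider()); // requires bc-fips on the classpath
        }
        KeyStore ks = KeyStore.getInstance("BCFKS", PROVIDER);   // fails here if the file is JKS/PKCS12
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue;
            String kind = ks.isKeyEntry(alias) ? "private key" : "trusted cert";
            System.out.printf("%s [%s] %s%n", alias, kind, cert.getSubjectX500Principal());
            if (cert.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
                if (bits <= 2048) { System.out.println("  RSA key too small: " + bits + " bits"); ok = false; }
            }
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                System.out.println("  certificate not currently valid: " + e.getMessage()); ok = false;
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java -cp bc-fips-2.1.1.jar:. BcfksCheck client-bcfks.truststore <password>
        System.exit(check(Path.of(args[0]), args[1].toCharArray()) ? 0 : 1);
    }
}
```

Run it against both cdv_jdbc_server_bcfks.keystore and client-bcfks.truststore; a non-zero exit means the store would not satisfy the FIPS-mode requirements described above.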

3. Configuring the JDBC driver to use the BCFKS truststore

Once the client BCFKS truststore is created, configure the JDBC driver to use it when the fips property is set to enabled:

  • fips="enabled" (driver property)

  • Truststore path → the client-bcfks.truststore file

  • Truststore type → BCFKS

  • Truststore password → CDatavirtuality123! (or your chosen password)

Truststore parameters are set as Java system properties. For example, in DBeaver you should set them in the dbeaver.ini file like this:

CODE
-Dorg.teiid.ssl.trustStore=/path/to/client-bcfks.truststore
-Dorg.teiid.ssl.trustStorePassword=CDatavirtuality123!
-Dorg.teiid.ssl.keyStoreType=BCFKS

Now the driver will be able to validate the server’s self-signed certificate in FIPS mode.

TLS Protocol Version in FIPS Mode

1. Default TLS version with self-signed certificates

When using a self-signed certificate on the server side, the default TLS protocol version is TLSv1.2.

This means that, unless configured otherwise, the client–server connection will negotiate TLSv1.2 and select cipher suites from the TLSv1.2 set.

2. Forcing TLSv1.3 via Java system properties

If you want to use TLSv1.3 instead of TLSv1.2, you must specify the desired TLS protocol version via the org.teiid.ssl.protocol Java system property.

To force TLSv1.3, set the property as follows:

CODE
-Dorg.teiid.ssl.protocol=TLSv1.3

Once this property is set, the following will happen:

  • The TLS handshake will use TLSv1.3;

  • Only TLSv1.3 cipher suites supported by the underlying FIPS provider and JVM will be negotiated.

Example: configuring TLSv1.3 in DBeaver

For DBeaver, you can set the JVM system properties in the dbeaver.ini file.

To force TLSv1.3 for JDBC connections using this driver, add the following line to dbeaver.ini:

CODE
-Dorg.teiid.ssl.protocol=TLSv1.3

After restarting DBeaver, the following will happen:

  • Connections using the JDBC driver with FIPS mode enabled will prefer TLSv1.3;

  • Cipher suites will be chosen from the TLSv1.3 set according to the FIPS provider and JVM configuration.
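For an application that uses the driver directly rather than through DBeaver, the same settings are applied in code: the org.teiid.ssl.* system properties from the dbeaver.ini examples above must be set before the first connection, and fips=enabled is passed as a driver property. This is an added example, not code shipped with the driver; the JDBC URL, user and password are placeholders for your deployment.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

// Opens a FIPS-mode JDBC connection programmatically, mirroring the -D lines
// placed in dbeaver.ini for DBeaver. The driver JAR and the four bc-*-fips JARs
// listed earlier on this page must be on the classpath.
public class FipsJdbcExample {
    public static void main(String[] args) throws Exception {
        // Truststore settings: the driver reads these as Java system properties,
        // so they must be set before the driver creates its first SSL socket.
        System.setProperty("org.teiid.ssl.trustStore", "/path/to/client-bcfks.truststore");
        System.setProperty("org.teiid.ssl.trustStorePassword", args.length > 1 ? args[1] : "");
        System.setProperty("org.teiid.ssl.keyStoreType", "BCFKS"); // also selects the truststore type
        System.setProperty("org.teiid.ssl.protocol", "TLSv1.3");    // omit to keep the TLSv1.2 default

        Properties props = new Properties();
        props.setProperty("user", "DV_USER");                          // placeholder
        props.setProperty("password", args.length > 0 ? args[0] : ""); // placeholder, passed on the command line
        props.setProperty("fips", "enabled");                          // driver-side FIPS switch from this page

        // Placeholder URL: substitute the URL form and SSL port of your CData Virtuality Server.
        String url = "jdbc:<driver-url-prefix>://localhost:<ssl-port>";
        try (Connection c = DriverManager.getConnection(url, props);
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT 1")) {
            rs.next();
            System.out.println("connected in FIPS mode, SELECT 1 -> " + rs.getInt(1));
        }
    }
}
```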

Requirements and Behaviour Summary

1. Server side

  • FIPS mode switch: fips="enabled" on the SSL transport in dvserver-standalone.xml;

  • Keystore format: must be BCFKS;

  • Non-BCFKS keystores (JKS, PKCS12, etc.) are not allowed when FIPS is enabled.

2. Driver side

  • FIPS mode switch: driver connection property fips="enabled";

  • Truststore format in FIPS mode: must be BCFKS;

  • Self-signed server certificate:

    • The server certificate must be present in the client BCFKS truststore;

    • The driver must be explicitly configured to use that truststore.

3. Matrix

  Component | FIPS mode | Keystore/truststore requirement
  ----------|-----------|-----------------------------------------------------------
  Server    | disabled  | Any supported format (for example, JKS/PKCS12), as before
  Server    | enabled   | Keystore must be BCFKS
  Driver    | disabled  | Can use JKS/PKCS12
  Driver    | enabled   | Truststore must be BCFKS

FIPS mode is available since v25.4
