Installing the FIPS client driver for JDBC

Vertica offers a JDBC client driver that is compliant with the Federal Information Processing Standard (FIPS). Use this JDBC client driver to access systems that are FIPS-compatible. For more information on FIPS, see Federal information processing standard.

Implementing FIPS on a JDBC client requires a third-party JRE extension called BouncyCastle, a collection of APIs used for cryptography. Use BouncyCastle APIs with JDK 1.7 and 1.8, and a supported FIPS-compliant operating system.

The following procedure adds the FIPS BouncyCastle .jar as a JVM JSSE provider:

  1. Download the BouncyCastle FIPS .jar file bc-fips-1.0.0.jar.

  2. Add bc-fips-1.0.0.jar as a JRE library extension:

  3. Add BouncyCastle as an SSL security provider in <path to jre>/lib/security/

    security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider BCFIPS
  4. Use the following JVM java -D system property command arguments to set the KeyStore and TrustStore files to BCFIPS:

    export JAVA_OPTS="$JAVA_OPTS
    export JAVA_OPTS="$JAVA_OPTS
  5. Set the default type for the KeyStore implementation to BCFKS in path/to/jre/lib/security/

    keystore.type=BCFKS
  6. Create the BCFKS-type keystore and truststore:

    cd path/to/jre
    -storetype BCFKS
    -providername BCFIPS
    -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    -providerpath bc-fips-1.0.0.jar
    -alias CARoot
    -import -file path/to/server.crt.der
  7. When prompted, enter the keystore password. The following message is displayed to confirm that a certificate was added to the keystore:

    "Certificate was added to the keystore"
  8. Run the Java program with SSL DB:

    1. Copy the vertica.kafka.keystore.bcfks keyStore from path/to/jre/lib/ext/ to the Java program folder.

    2. Convert the Vertica server certificate to a form that Java understands:

      $ path/to/java/bin/keytool -import -noprompt -keystore verticastore -storepass password \
                              -alias verticasql -file server.crt.der
    3. Install JDBC.

  9. Test the implementation:

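    $ java -Djavax.net.ssl.keyStore='vertica.kafka.keystore.bcfks' \
           -Djavax.net.ssl.keyStorePassword='password' \
           -Djavax.net.ssl.trustStore='path/to/verticastore' \
           -Djavax.net.ssl.trustStorePassword='password' \
           -cp .:vertica-jdbc-12.0.0-0.jar FIPSTest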
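
Before running the connection test, it helps to confirm that the JVM actually picked up the provider and keystore settings from steps 3, 5 and 6. The following is an added example, not Vertica's FIPSTest program or any code from the original page; the class name FipsSetupCheck and the helper report are hypothetical, and it assumes the certificate was imported under the alias CARoot as in step 6.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

// Added example; FipsSetupCheck is a hypothetical name, not Vertica's FIPSTest.
public class FipsSetupCheck {
    static boolean report(boolean pass, String what) {
        System.out.println((pass ? "OK:   " : "FAIL: ") + what);
        return pass;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): java FipsSetupCheck <bcfks-keystore-file>");
            System.exit(2);
        }
        // Step 3: BCFIPS must be registered; the page registers it as provider 1.
        Provider bcfips = Security.getProvider("BCFIPS");
        String first = Security.getProviders()[0].getName();
        boolean ok = report(bcfips != null, "provider BCFIPS is registered");
        ok &= report("BCFIPS".equals(first), "provider 1 is " + first);

        // Step 5: keystore.type in java.security sets the default keystore type.
        String type = KeyStore.getDefaultType();
        ok &= report("BCFKS".equalsIgnoreCase(type), "default keystore type is " + type);

        // Step 6: load the store as BCFKS through BCFIPS and look for the CARoot alias.
        if (bcfips != null) {
            KeyStore ks = KeyStore.getInstance("BCFKS", "BCFIPS");
            char[] password = console.readPassword("Keystore password: ");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
            java.util.Arrays.fill(password, '\0'); // do not keep the password in memory
            boolean found = false;
            for (String alias : Collections.list(ks.aliases())) {
                found |= alias.equalsIgnoreCase("CARoot") && ks.isCertificateEntry(alias);
            }
            ok &= report(found, "keystore holds a trusted certificate entry CARoot");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same JRE that was configured in the procedure; it prompts for the keystore password instead of taking it on the command line, and exits non-zero if any check fails.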