Installing the FIPS client driver for JDBC
Vertica offers a JDBC client driver that is compliant with the Federal Information Processing Standard (FIPS). Use this JDBC client driver to access systems that are FIPS-compatible. For more information on FIPS, see Federal information processing standard.
Implementing FIPS on a JDBC client requires a third-party JRE extension called BouncyCastle, a collection of APIs used for cryptography. Use BouncyCastle APIs with JDK 1.7 and 1.8, and a supported FIPS-compliant operating system.
Important
When using the JDBC FIPS-compliant client, expect a slight delay for the client to establish a secure connection with the database. If necessary, increase your system's entropy to ensure a fast and secure connection.

The following procedure adds the FIPS BouncyCastle .jar as a JVM JSSE provider:

- Download the BouncyCastle FIPS .jar file bc-fips-1.0.0.jar.
- Add bc-fips-1.0.0.jar as a JRE library extension:

  ```
  path/to/jre/lib/ext/bc-fips-1.0.0.jar
  ```

- Add BouncyCastle as an SSL security provider in <path to jre>/lib/security/java.security:

  ```
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
  security.provider.3=sun.security.provider.Sun
  ```

- Use the following JVM java -D system property command arguments to set the KeyStore and TrustStore providers to BCFIPS:

  ```
  export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStoreProvider=BCFIPS"
  export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreProvider=BCFIPS"
  ```

- Set the default type for the KeyStore implementation to BCFKS in path/to/jre/lib/security/java.security:

  ```
  keystore.type=BCFKS
  ssl.keystore.type=BCFKS
  ```

  Note
  If you are using FIPS with BouncyCastle, you must create all client keys and certificates with the BCFKS store type, including the Vertica-to-Kafka keys and certificates.

- Create the BCFKS-type keystore and truststore:

  ```
  cd path/to/jre/lib/ext
  keytool -keystore vertica.kafka.keystore.bcfks -storetype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.0.jar -alias CARoot -import -file path/to/server.crt.der
  ```

- When prompted, enter the keystore password. The following message confirms that the certificate was added to the keystore:

  ```
  Certificate was added to the keystore
  ```

- Run the Java program against the SSL-enabled database:

  - Copy the vertica.kafka.keystore.bcfks keyStore from path/to/jre/lib/ext/ to the Java program folder.
  - Convert the Vertica server certificate to a form that Java understands by importing it into a BCFKS truststore:

    ```
    $ path/to/java/bin/keytool -keystore verticastore -storetype BCFKS -storepass password -importcert -noprompt -alias verticasql -file server.crt.der
    ```

- Test the implementation:

  ```
  $ java -Djavax.net.debug=ssl -Djavax.net.ssl.keyStore='vertica.kafka.keystore.bcfks' -Djavax.net.ssl.keyStorePassword='password' -Djavax.net.ssl.trustStore='path/to/verticastore' -Djavax.net.ssl.trustStorePassword='password' -cp .:vertica-jdbc-12.0.0-0.jar FIPSTest
  ```
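A minimal FIPSTest program for the last step, added here as an example; it is not part of the Vertica documentation or of the Vertica JDBC driver. Before opening any connection it checks that the JVM is really running on the BouncyCastle FIPS provider (BCFIPS registered as provider #1, BCFKS as the default keystore type), so a JVM that silently fell back to the default Sun providers fails fast instead of connecting with non-FIPS cryptography. The host, port, database, user, and the VERTICA_PASSWORD environment variable are assumptions; the TLSmode connection property is the Vertica JDBC driver's TLS setting as I know it, so confirm it against your driver version.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

// FIPSTest: verify the FIPS provider setup from java.security, then open a
// TLS connection to Vertica through the JDBC driver.
public class FIPSTest {

    // Returns "ok: ..." when the JVM is on the BCFIPS provider with BCFKS as
    // default store type, otherwise a message describing what is wrong.
    static String checkFipsProviders() {
        Provider bcfips = Security.getProvider("BCFIPS");
        if (bcfips == null) {
            return "BCFIPS provider not registered; check java.security and lib/ext";
        }
        // java.security lists BCFIPS as security.provider.1; confirm that order,
        // otherwise another provider may be picked for TLS and keystores.
        Provider first = Security.getProviders()[0];
        if (!"BCFIPS".equals(first.getName())) {
            return "BCFIPS is registered but provider #1 is " + first.getName();
        }
        // keystore.type=BCFKS in java.security makes BCFKS the default type.
        String defaultType = KeyStore.getDefaultType();
        if (!"BCFKS".equalsIgnoreCase(defaultType)) {
            return "default keystore type is " + defaultType + ", expected BCFKS";
        }
        return "ok: " + bcfips.getInfo();
    }

    public static void main(String[] args) throws Exception {
        String status = checkFipsProviders();
        System.out.println(status);
        if (!status.startsWith("ok")) {
            System.exit(1);
        }

        // Connection details are assumptions for this example; adjust to your deployment.
        String url = "jdbc:vertica://vertica.example.com:5433/VMart";
        String password = System.getenv("VERTICA_PASSWORD");
        Properties props = new Properties();
        props.setProperty("user", "dbadmin");
        props.setProperty("password", password == null ? "" : password);
        // Require TLS and verify the server certificate against the truststore
        // supplied with -Djavax.net.ssl.trustStore (the verticastore created above).
        props.setProperty("TLSmode", "verify-ca");

        Class.forName("com.vertica.jdbc.Driver");
        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT version()")) {
            while (rs.next()) {
                System.out.println("Connected to: " + rs.getString(1));
            }
        }
    }
}
```

Compile it next to the driver jar (javac -cp vertica-jdbc-12.0.0-0.jar FIPSTest.java) and run it with the java command from the test step; with -Djavax.net.debug=ssl the handshake trace should name BCFIPS as the provider behind the TLS context, and the program exits non-zero without connecting if the provider checks fail.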