
Announcing Kernel-Independent FIPS for Java

Dimitri John Ledkov, Principal Software Engineer, James Page, Principal Software Engineer, and John Slack, Senior Product Manager

Today, we’re excited to announce that Kernel-Independent FIPS is now available across the full catalog of Chainguard FIPS images for Java. This improvement significantly simplifies production deployments and accelerates achieving FedRAMP authorization to operate (ATO) by ensuring that all Java FIPS images use FIPS-validated cryptography in approved-only mode, with access to full entropy for long-lived secrets and key generation.


This improvement also lets you run FIPS Java workloads on any host kernel, whether it is a FIPS-mode kernel or an up-to-date kernel without FIPS mode, and makes it possible to run production FIPS Java workloads on GKE with COS, Amazon Bottlerocket, Flatcar Linux, Azure Linux, and more. All existing flavors of Linux remain supported, with full guarantees of entropy quality for secret generation.


What is FIPS?


Federal Information Processing Standards (FIPS) are publicly available standards created by the National Institute of Standards and Technology (NIST) under the authority of the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. Compliance with FIPS ensures that cryptographic security functions within software applications meet rigorous requirements for security and integrity, and that they are both properly implemented and correctly configured.


Cryptographic protection relies on the secure implementation of a trusted algorithm and on a random bit generator whose output cannot be predicted with any greater accuracy than random chance. To certify these implementations, NIST operates a certification program called the Cryptographic Module Validation Program (CMVP). CMVP validates that an implementation complies with the relevant standards below.


  • For algorithm implementation, CMVP requires strict FIPS compliance. Thus, FIPS modules must sit inside a self-verified cryptographic boundary. 

  • For random bit generators, CMVP requires strict compliance with SP 800-90B recommendations through entropy validation and permits entropy sources to sit either inside or outside the FIPS cryptographic boundary.


Bringing SP 800-90B-Validated Userspace Entropy to Java FIPS Images


Last year, we announced general availability of Kernel-Independent FIPS Container Images containing the FIPS-validated Chainguard provider for OpenSSL, with a userspace entropy source validated to the SP 800-90B standard. Now, we’ve brought this capability to Java.


Figure 1. Previous Chainguard FIPS Containers for Java design with kernel entropy source

When we made our initial announcement last year, this design was not available for Java-based images, and they continued to rely on the kernel entropy source provided by the host operating system. An identical design has now been implemented by Keyfactor, who have obtained entropy source validation for the Bouncy Castle Entropy Provider. After extensive testing, Chainguard has now integrated this userspace entropy source for Java across all our Java FIPS images. This further increases portability of Chainguard FIPS images for Java, and in some cases improves performance.


Updated Chainguard FIPS images for Java are configured by default with the Bouncy Castle Entropy Provider, which is powered by the SP 800-90B-validated Jitterentropy library. It produces full entropy in userspace using CPU jitter noise data and a SHA3 conditioning function. If desired, an optional configuration file is provided to switch back to the Sun provider, which instead uses the kernel entropy source provided by the host operating system.
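One way to verify which entropy source a running image actually uses, as an added example that is not part of the original post or of Chainguard's images: the check below reports which provider serves the JVM's default SecureRandom, flags the Sun provider's kernel-backed NativePRNG family (the configuration this section describes as the opt-in fallback), and reads the Bouncy Castle FIPS approved-only flag. It assumes the bc-fips jar (org.bouncycastle.crypto.CryptoServicesRegistrar) is on the classpath; the class and field names are constructed for this example.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.bouncycastle.crypto.CryptoServicesRegistrar;

/** Startup/CI check for the entropy source and FIPS mode of a Java runtime (example code). */
public final class EntropyCheck {

    // Sun provider SecureRandom algorithms that draw from the host kernel (/dev/random, /dev/urandom).
    private static final Set<String> KERNEL_BACKED = new HashSet<>(Arrays.asList(
            "NativePRNG", "NativePRNGBlocking", "NativePRNGNonBlocking"));

    /** Constructed result holder; plain class rather than a record so it compiles on Java 11. */
    public static final class Report {
        public final String provider, algorithm;
        public final boolean kernelBacked, approvedOnly;
        Report(String provider, String algorithm, boolean kernelBacked, boolean approvedOnly) {
            this.provider = provider; this.algorithm = algorithm;
            this.kernelBacked = kernelBacked; this.approvedOnly = approvedOnly;
        }
    }

    /** Inspects the default SecureRandom (what TLS and key generation receive) and the approved-only flag. */
    public static Report inspect() {
        SecureRandom sr = new SecureRandom();
        String provider = sr.getProvider().getName();
        String algorithm = sr.getAlgorithm();
        boolean kernelBacked = "SUN".equals(provider) && KERNEL_BACKED.contains(algorithm);
        boolean approvedOnly = CryptoServicesRegistrar.isInApprovedOnlyMode();
        return new Report(provider, algorithm, kernelBacked, approvedOnly);
    }

    /** Provider precedence order from java.security; the first SecureRandom implementation wins. */
    public static String[] providerOrder() {
        return Arrays.stream(Security.getProviders()).map(Provider::getName).toArray(String[]::new);
    }

    public static void main(String[] args) {
        Report r = inspect();
        System.out.println("provider order: " + String.join(", ", providerOrder()));
        System.out.println("default SecureRandom: " + r.provider + "/" + r.algorithm);
        System.out.println("kernel-backed (Sun NativePRNG family): " + r.kernelBacked);
        System.out.println("BC FIPS approved-only mode: " + r.approvedOnly);
        // Fail the check if the runtime fell back to kernel entropy or left approved-only mode off.
        if (r.kernelBacked || !r.approvedOnly) System.exit(1);
    }
}
```

Run it inside the image as the workload user so it sees the same java.security configuration, including any override file used to switch back to the Sun provider.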


Figure 2. New kernel-independent FIPS for Java design with a userspace entropy source

Chainguard’s Kernel-Independent FIPS Offerings for Java


For the Java Development Kit (JDK) and Java Runtime Environment (JRE) choices, the following variants are available:


  • OpenJDK FIPS 11, 17, 21 (jdk, jre)

  • Adoptium JDK FIPS 11, 17, 21 (jdk, jre)

  • Amazon Corretto FIPS 11, 17, 21 (jdk, jre)

  • Liberica FIPS 17, 21 (jdk, jre)

  • Tomcat FIPS 9, 10 with JDK combinations 11, 17, 21


All native code is compiled with the latest GCC toolchain optimizations and a full set of OpenSSF-recommended hardening flags for additional protection of the Java Virtual Machine (JVM). Container registry disk space is optimized across all image variants through reproducible, deduplicated multi-layer builds, reducing overall traffic and storage costs.


The following Java build tools operating in FIPS-approved mode to aid with CI/CD Java FIPS applications are also available:



We also updated a number of popular applications with FIPS support:



These images are all available as standalone minimal distroless container images. We’ve also developed several other features to support your organization’s unique development needs, including First-Party Helm Charts, Custom Assembly, EOL Grace Period, and more. And to help developers extend the applications above and write their own, you can use Chainguard Libraries for Java, our Maven repository of Java libraries built from source and free of malware.


Large Java workloads can require bare-metal performance with exclusive use of all system resources. To address the needs of large production deployments, we are also offering early access to Chainguard VMs, with kernel-independent FIPS for Java available to deploy on Amazon AWS EC2, Google Cloud Compute Engine, and Microsoft Azure. Complete our registration form to get access to Chainguard VMs with kernel-independent FIPS for Java and try it out for yourself.


The Chainguard portfolio of products continues to grow and support the diverse needs and requirements of deploying Java applications, with zero CVEs, FIPS-validated cryptography, and now, always with full entropy. Get in touch with our team if you are interested in learning more.
