Because FIPS 140-2-compliant mode requires secure communication, you must provide arguments that tell the server how to obtain the certificate chain, private key, and trusted certificate information it should use during TLS negotiation.

Configure the server with appropriate key and trust stores during setup. Choose one of the following:

- If you have existing key and trust stores in the BCFKS format:
  - Use the --useBCFKSKeyStore and --useBCFKSTrustStore arguments to provide the paths to those stores.
  - Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the contents of the key store.
  - Use either the --trustStorePassword or --trustStorePasswordFile argument to specify the PIN needed to access the contents of the trust store.
  Note: Unlike the JKS format, a PIN is always required when using a BCFKS key store, even if you don't need to access the private key. A PIN passed with --keyStorePassword or --trustStorePassword appears in the shell history and in process listings for as long as setup runs; the --keyStorePasswordFile and --trustStorePasswordFile forms avoid that exposure, provided the file itself is readable only by the account that runs the server.
- If you have PEM files containing the certificate chain and private key that you want to use to generate a new BCFKS key store:
  - Use the --certificateChainPEMFile and --certificatePrivateKeyPEMFile arguments to specify the paths to those files.
  - If you have PEM files containing trusted certificates that you want to include in a new BCFKS trust store, use the --trustedCertificatePEMFile argument to provide the paths to those files.
- If the listener certificate chain and private key that you want to use reside in a PKCS #11 token:
  - Use the --usePKCS11KeyStore argument to enable that support.
  - If the Java virtual machine (JVM) has not been pre-configured with the necessary PKCS #11 provider, use the --pkcs11ProviderConfigFile argument to specify the path to the provider configuration file.
  - Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the token.
- If you want the server to generate a self-signed certificate, which is convenient for testing or evaluation purposes but is not recommended for production environments, use the --generateSelfSignedCertificate argument.
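The PEM-file option above hands the chain and private key to setup as plain files, and a mis-ordered chain or a key file that actually contains a certificate is the usual reason that path fails. The script below is an added example, not part of this page or of the server's own tooling: a stdlib-only pre-flight check that parses the PEM blocks, walks just enough X.509 to read each certificate's issuer and subject, and reports whether the chain is ordered leaf first with each issuer following its subject, whether the key file holds exactly one private-key block, and whether every block in the trusted-certificate file is a certificate. The accepted private-key labels (unencrypted PKCS #8 or traditional RSA/EC) are an assumption, and the sample certificates are constructed skeletons (unsigned, with an empty public key) built only to exercise the check.

```python
"""Pre-flight check for the PEM inputs handed to --certificateChainPEMFile,
--certificatePrivateKeyPEMFile and --trustedCertificatePEMFile.
Added example (not the server's tooling); parses only as much X.509 as needed."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Assumption: the server expects an unencrypted key in one of these encodings.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_names(cert_der):
    """Return (issuer, subject) as raw DER Name contents of an X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        _, _, pos = read_tlv(tbs, pos)     # serialNumber
    _, _, pos = read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)         # validity
    _, subject, _ = read_tlv(tbs, pos)
    return issuer, subject


def check_pem_inputs(chain_pem, key_pem, trusted_pem=""):
    """Return a list of problems; an empty list means the files look usable."""
    problems = []
    chain = pem_blocks(chain_pem)
    if not chain:
        problems.append("certificate chain file contains no PEM blocks")
    names = []                             # (block index, issuer, subject)
    for i, (label, der_bytes) in enumerate(chain):
        if label != "CERTIFICATE":
            problems.append(f"chain block {i} is '{label}', expected CERTIFICATE")
            continue
        try:
            names.append((i,) + certificate_names(der_bytes))
        except (IndexError, ValueError):
            problems.append(f"chain block {i} is not a parseable X.509 certificate")
    for k in range(len(names) - 1):        # leaf first, then each issuing CA in turn
        i, issuer, _ = names[k]
        j, _, subject = names[k + 1]
        if issuer != subject:
            problems.append(f"chain block {i} is not issued by block {j}; "
                            "order the chain leaf first, then each issuing CA")
    keys = pem_blocks(key_pem)
    if len(keys) != 1:
        problems.append(f"private key file must hold exactly one PEM block, found {len(keys)}")
    elif keys[0][0] not in KEY_LABELS:
        problems.append(f"private key block is '{keys[0][0]}', expected one of {sorted(KEY_LABELS)}")
    for i, (label, _) in enumerate(pem_blocks(trusted_pem)):
        if label != "CERTIFICATE":
            problems.append(f"trusted certificate block {i} is '{label}', expected CERTIFICATE")
    return problems


# --- constructed sample input: skeleton certificates (unsigned, empty public key) ---
def der(tag, content):
    """Encode one DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def x509_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, holding only a CN."""
    atv = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def skeleton_certificate(subject_cn, issuer_cn):
    """Structurally valid Certificate carrying the fields certificate_names() reads."""
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
           + der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
           + x509_name(issuer_cn)
           + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
           + x509_name(subject_cn) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


def to_pem(label, data):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(data).decode()}-----END {label}-----\n"


CHAIN_PEM = "".join(to_pem("CERTIFICATE", skeleton_certificate(s, i)) for s, i in [
    ("ldap.example.com", "Example CA"), ("Example CA", "Example Root"),
    ("Example Root", "Example Root")])
KEY_PEM = to_pem("PRIVATE KEY", der(0x30, der(0x02, b"\x00")))  # placeholder body

if __name__ == "__main__":
    print(check_pem_inputs(CHAIN_PEM, KEY_PEM) or "no problems found")
```

Run it against the real files (for example, `check_pem_inputs(open("chain.pem").read(), open("key.pem").read(), open("trusted.pem").read())`) before invoking setup; it does not verify signatures or that the key matches the leaf certificate, only the structural mistakes that are cheapest to catch early.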