Because FIPS 140-2-compliant mode requires secure communication, you must provide arguments that indicate how the server should obtain the certificate chain, private key, and trusted certificate information that it should use during TLS negotiation.

  • Configure the server with appropriate key and trust stores during setup. Choose from:
    • If you have existing key and trust stores in the BCFKS format:
      • Use the --useBCFKSKeyStore and --useBCFKSTrustStore arguments to provide the paths to those stores.
      • Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the contents of the key store.
      • Use either the --trustStorePassword or --trustStorePasswordFile argument to specify the PIN needed to access the contents of the trust store. Prefer the --keyStorePasswordFile and --trustStorePasswordFile forms: a PIN passed directly on the command line is visible to other users in process listings and may be recorded in shell history, so restrict the PIN files to the account that runs setup.
        Note:

        Unlike the JKS format, a PIN is always required when using a BCFKS key store, even if you don’t need to access the private key.

    • If you have PEM files containing the certificate chain and private key that you want to use to generate a new BCFKS key store:
      • Use the --certificateChainPEMFile and --certificatePrivateKeyPEMFile arguments to specify the paths to those files.
      • If you have PEM files containing trusted certificates that you want to include in a new BCFKS trust store, you can use the --trustedCertificatePEMFile argument to provide the paths to those files.
    • If the listener certificate chain and private key that you want to use reside in a PKCS #11 token:
      • Use the --usePKCS11KeyStore argument to enable that support.
      • If the Java virtual machine (JVM) has not been pre-configured with the necessary PKCS #11 provider, then use the --pkcs11ProviderConfigFile argument to specify the path to the necessary provider configuration file.
      • Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the token.
    • If you want to have the server generate a self-signed certificate, which is convenient for testing or evaluation purposes but is not recommended for production environments, use the --generateSelfSignedCertificate argument.
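The following is an added example, not part of the product or this documentation: a small POSIX shell wrapper that assembles the TLS arguments for a FIPS-mode setup run from one of the four options above and checks the combinations the text requires before anything is passed to setup. The variable names (TLS_MODE, TLS_KEYSTORE, TLS_KEYSTORE_PIN_FILE and so on) and the functions build_tls_args, require_readable and require_private are assumptions of this example; the --use*, --*PEMFile, --*PasswordFile, --pkcs11ProviderConfigFile and --generateSelfSignedCertificate flags are the documented setup arguments. PINs are always taken from files rather than --keyStorePassword / --trustStorePassword, and a PIN or private-key file that other users can read is rejected.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the product): build the
# TLS-related setup arguments for FIPS 140-2 mode from these variables:
#
#   TLS_MODE                 bcfks | pem | pkcs11 | selfsigned
#   TLS_KEYSTORE             existing BCFKS key store        (bcfks)
#   TLS_TRUSTSTORE           existing BCFKS trust store      (bcfks)
#   TLS_KEYSTORE_PIN_FILE    file holding the key store or token PIN
#   TLS_TRUSTSTORE_PIN_FILE  file holding the trust store PIN
#   TLS_CERT_CHAIN_PEM       PEM listener certificate chain  (pem)
#   TLS_PRIVATE_KEY_PEM      PEM listener private key        (pem)
#   TLS_TRUSTED_PEMS         space-separated trusted-cert PEM files (pem, optional)
#   TLS_PKCS11_CONFIG        PKCS #11 provider config file   (pkcs11, optional)
#
# The assembled string is printed to stdout; the caller appends it to the
# real setup command, e.g.:  ./setup ... $(build_tls_args)

# Fail unless every argument is a readable file.
require_readable() {
  for f in "$@"; do
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
  done
}

# Refuse secret files (PINs, private keys) that other users can read.
# -perm -004 matches when the world-readable bit is set.
require_private() {
  for f in "$@"; do
    if find "$f" -perm -004 2>/dev/null | grep -q .; then
      echo "world-readable secret file: $f" >&2
      return 1
    fi
  done
}

build_tls_args() {
  case "${TLS_MODE:-}" in
    bcfks)
      # BCFKS always needs a PIN for both stores, even to read only the
      # certificate chain, so both PIN files are mandatory here.
      require_readable "$TLS_KEYSTORE" "$TLS_TRUSTSTORE" \
        "$TLS_KEYSTORE_PIN_FILE" "$TLS_TRUSTSTORE_PIN_FILE" || return 1
      require_private "$TLS_KEYSTORE_PIN_FILE" "$TLS_TRUSTSTORE_PIN_FILE" || return 1
      printf '%s' "--useBCFKSKeyStore $TLS_KEYSTORE --keyStorePasswordFile $TLS_KEYSTORE_PIN_FILE --useBCFKSTrustStore $TLS_TRUSTSTORE --trustStorePasswordFile $TLS_TRUSTSTORE_PIN_FILE"
      ;;
    pem)
      # Chain and private key are both required; setup builds a new BCFKS
      # key store from them. Trusted certificates are optional, one flag
      # per file.
      require_readable "$TLS_CERT_CHAIN_PEM" "$TLS_PRIVATE_KEY_PEM" || return 1
      require_private "$TLS_PRIVATE_KEY_PEM" || return 1
      args="--certificateChainPEMFile $TLS_CERT_CHAIN_PEM --certificatePrivateKeyPEMFile $TLS_PRIVATE_KEY_PEM"
      for p in ${TLS_TRUSTED_PEMS:-}; do
        require_readable "$p" || return 1
        args="$args --trustedCertificatePEMFile $p"
      done
      printf '%s' "$args"
      ;;
    pkcs11)
      # The token PIN is required; the provider config file is only
      # needed when the JVM is not already configured with the provider.
      require_readable "$TLS_KEYSTORE_PIN_FILE" || return 1
      require_private "$TLS_KEYSTORE_PIN_FILE" || return 1
      args="--usePKCS11KeyStore --keyStorePasswordFile $TLS_KEYSTORE_PIN_FILE"
      if [ -n "${TLS_PKCS11_CONFIG:-}" ]; then
        require_readable "$TLS_PKCS11_CONFIG" || return 1
        args="$args --pkcs11ProviderConfigFile $TLS_PKCS11_CONFIG"
      fi
      printf '%s' "$args"
      ;;
    selfsigned)
      echo "warning: self-signed certificates are for testing or evaluation only" >&2
      printf '%s' "--generateSelfSignedCertificate"
      ;;
    *)
      echo "TLS_MODE must be one of: bcfks, pem, pkcs11, selfsigned" >&2
      return 1
      ;;
  esac
}
```

The wrapper only covers the arguments listed on this page; trust-store arguments for the PKCS #11 case, and any other setup options, are appended by the caller. Because the PIN and key files are checked for world-readability before setup runs, a misconfigured file fails fast instead of leaving a readable secret on the host.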