Interactive setup doesn't provide an option to enable FIPS 140-2-compliant mode, and there are currently no other supported providers that can be used to enable FIPS-compliant mode.
  • Add --fips-provider BCFIPS to the set of arguments used when running setup in non-interactive mode or to the server profile’s setup-arguments.txt file when using manage-profile setup.

    The following example provides a sample command line that demonstrates the process for setting up the server in FIPS 140-2-compliant mode. The server only accepts TLS-encrypted LDAP on port 636 and TLS-encrypted HTTP on port 443, but doesn't allow unencrypted connections from either LDAP or HTTP clients. BCFKS key and trust stores are generated from information provided in PEM files, and an encryption settings definition is generated from a specified passphrase.

    ./setup \
      --fips-provider BCFIPS \
      --no-prompt \
      --acceptLicense \
      --localHostName \
      --ldapsPort 636 \
      --httpsPort 443 \
      --baseDN "dc=example,dc=com" \
      --rootUserDN "cn=Directory Manager" \
      --rootUserPasswordFile /path/to/root-pw.txt \
      --maxHeapSize 2g \
      --primeDB \
      --sampleData 10001 \
      --certificateChainPEMFile /path/to/server-cert.pem \
      --certificateChainPEMFile /path/to/ca-cert.pem \
      --certificatePrivateKeyPEMFile /path/to/server-key.pem \
      --trustedCertificatePEMFile /path/to/ca-cert.pem \
      --encryptDataWithPassphraseFromFile /path/to/encryption-passphrase.txt \
      --instanceName ds1 \
      --location example-location \