GhostProgrammer - Jeff Miller

Team to Create Outside the Box

Docker

FIPS JDK 21 Image

ByJeffery Miller

Jul 12, 2024 #java

Warning: Use FIPS Instructions at Your Own Risk

The provided Dockerfile and instructions are intended to assist in creating a FIPS-compliant environment for your Spring Boot application. However, achieving and maintaining FIPS compliance is a complex process with potential legal and security implications.

By following these instructions, you acknowledge and accept the following:

  • No Guarantee of Compliance: While these instructions aim to facilitate FIPS compliance, we cannot guarantee that your final configuration will meet all FIPS requirements. Compliance depends on various factors, including your application’s code, third-party libraries, and the specific FIPS mode you are aiming for.
  • Thorough Testing Required: It is your responsibility to rigorously test your application in the FIPS-enabled environment to ensure it functions correctly and adheres to FIPS standards.
  • Consult Experts: If you have any doubts or questions regarding FIPS compliance, it is strongly recommended to seek guidance from qualified security professionals or legal counsel.
  • Liability Disclaimer: We disclaim any liability for issues, damages, or non-compliance arising from the use of these instructions. You are solely responsible for ensuring your application and environment meet all necessary FIPS requirements.

Proceed with Caution: FIPS compliance is a serious undertaking. Use these instructions as a starting point, but always prioritize thorough testing and expert consultation to ensure your application meets the necessary security standards.

Here’s a Dockerfile tailored for your FIPS-compliant Spring Boot application with JDK 21, along with explanations:

# FIPS-Compliant Base Image
FROM redhat/ubi9-minimal:9.2-814 # FIPS-validated Red Hat Universal Base Image

# Install Required Packages and JDK 21
RUN microdnf install -y --nodocs \
    java-21-openjdk-headless \
    openssl-libs-fips \
    && microdnf clean all \
    && sed -i 's/securerandom=drng/securerandom=drng_fips/g' /etc/crypto-policies/back-ends/openjdk.config \
    && update-crypto-policies --set FIPS

# Enable FIPS Mode
ENV OPENSSL_CONF=/etc/pki/tls/openssl.cnf

# Application User
RUN groupadd -r spring && useradd -r -g spring spring

# Set Working Directory
USER spring
WORKDIR /home/spring

# Copy Application JAR
COPY --chown=spring:spring target/your-spring-boot-app.jar app.jar

# Expose Port (Change if needed)
EXPOSE 8080

# Run Application
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "app.jar"]

Key Points & Explanation:

  • FIPS-validated Base Image:
    • We start with redhat/ubi9-minimal:9.2-814, a Red Hat Universal Base Image that’s FIPS-validated. This ensures a secure foundation for our container.
  • FIPS-Compliant JDK 21:
    • We install the java-21-openjdk-headless package, which provides the FIPS-compliant JDK 21. The -headless option is used for server-side applications.
  • OpenSSL FIPS Module:
    • We include the openssl-libs-fips package for FIPS-validated cryptographic operations.
  • Enable FIPS Mode:
    • The sed command modifies the openjdk.config file to use the FIPS-compliant DRNG (Deterministic Random Number Generator), and update-crypto-policies sets the system-wide cryptographic policy to FIPS. We also set the OPENSSL_CONF environment variable to the FIPS-compliant OpenSSL configuration file.
  • Security Best Practices:
    • An unprivileged spring user is created and used to run the application, enhancing security.
    • The -Djava.security.egd=file:/dev/./urandom option is added to improve the startup time of Spring Boot applications.
  • Customization:
    • Replace your-spring-boot-app.jar with the actual name of your Spring Boot JAR file.
    • If your application uses a different port than 8080, modify the EXPOSE instruction accordingly.

Build & Run:

  1. Build Image:

    docker build -t my-fips-spring-app .

  2. Run Container:

    docker run -p 8080:8080 my-fips-spring-app

Important Considerations:

  • FIPS Certification: Make sure your Spring Boot application itself is designed to be FIPS-compliant. If it uses any external libraries or components, ensure they’re also FIPS-certified or compatible.
  • Testing: Thoroughly test your application in the Docker container to verify that FIPS mode is working correctly and that all functionalities are behaving as expected.

Discover more from GhostProgrammer - Jeff Miller

Subscribe to get the latest posts sent to your email.

By Jeffery Miller

I am known for being able to quickly decipher difficult problems to assist development teams in producing a solution. I have been called upon to be the Team Lead for multiple large-scale projects. I have a keen interest in learning new technologies, always ready for a new challenge.

Related Post

Docker

The S3 Local Dev Trick: Using MinIO to Simplify Cloud-Native Developmen

Aug 25, 2025 Jeffery Miller
Docker

Docker Networking 101

May 12, 2016 Jeffery Miller
Docker

Docker Basics 101

May 10, 2016 Jeffery Miller

You missed

Uncategorized

Spring Boot 4.0: What’s Next for the Modern Java Architect?

September 24, 2025 Jeffery Miller
Spring Discovery

Monitoring Microservices Health with Spring Discovery Client and Actuator

September 22, 2025 Jeffery Miller
Spring Discovery

Service Discovery with Spring Cloud Discovery Eureka

September 22, 2025 Jeffery Miller
JAVA

Level Up Your Testing: Structuring Unit Tests with Subclasses

September 22, 2025 Jeffery Miller