
Support for FIPS 140-3 with IBM Semeru in 25.0.0.9-beta

Navaneeth S Nair on Aug 26, 2025

Federal Information Processing Standards (FIPS) are standards and guidelines developed by the National Institute of Standards and Technology (NIST) for non-military U.S. government computer systems, contractors, and agencies. In this release, you can set up Liberty to comply with the FIPS 140-3 standard when you use certain IBM Semeru Runtimes JDKs.

FIPS 140-3 support on IBM Semeru

FIPS 140-3 is the latest version of the FIPS 140 standard, which provides a set of guidelines for cryptographic modules to ensure their security and integrity. Support for FIPS 140-3 was first introduced in Liberty with IBM JDK 8 in version 25.0.0.3. In this release, Open Liberty supports the FIPS 140-3 standard when using IBM Semeru Runtimes versions 11.0.27, 17.0.15, 21.0.7, or higher.

FIPS 140-3 is enabled when:

  • Security features utilizing cryptographic algorithms are used

  • FIPS 140-3 Semeru JVM properties are set

If you installed IBM Semeru Runtimes, you can enable FIPS 140-3 by setting the following system properties, for example in the jvm.options file:

-Dcom.ibm.ws.beta.edition=true
-Dsemeru.fips=true
-Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3

The OpenJCEPlusFIPS.FIPS140-3 profile is the strict security profile that is defined by IBM Semeru Runtimes, as outlined in the official documentation. This profile enforces the use of only FIPS 140-3 approved cryptographic algorithms, along with non-cryptographic algorithms that are either explicitly permitted or unrelated to the FIPS 140-3 specification.

Depending on your specific use case, you may need to apply additional constraints by creating an extension of the profile. For instance, if your application uses PKCS12 as the TLS certificate keystore and truststore, you will need to define a custom profile that includes support for PKCS12.

For more information about how to extend the strict profile to accommodate PKCS12-based configurations, see the PKCS12 and JKS Example section of the IBM support page FIPS 140-3 cryptography solution in IBM Semeru Runtimes.

To support functionality beyond the default OpenJCEPlusFIPS.FIPS140-3 profile, you must update your custom profile with additional constraints. Carefully review the constraints to ensure compliance with the FIPS 140-3 specification for your specific use case.

The following example shows how additional constraints have been added. The additional constraints allow for PKCS12 keystore usage and SHA-1 usage for the org.objectweb.asm.commons.SerialVersionUIDAdder and org.eclipse.persistence.internal.libraries.asm.commons.SerialVersionUIDAdder classes. Your constraints may vary depending on your usage or services.

RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-myCustom.desc.name = My Custom OpenJCEPlusFIPS Cryptographic Module FIPS 140-3
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-myCustom.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-myCustom.jce.provider.2 = sun.security.provider.Sun [+ \
    {KeyStore, PKCS12, *, ModuleAndFullClassName:java.base/java.security.KeyStore}, \
    {MessageDigest, SHA-1, *, FullClassName:org.objectweb.asm.commons.SerialVersionUIDAdder}, \
    {MessageDigest, SHA-1, *, FullClassName:org.eclipse.persistence.internal.libraries.asm.commons.SerialVersionUIDAdder}]
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-myCustom.jce.provider.4 = com.sun.crypto.provider.SunJCE [ \
    {AlgorithmParameters, PBES2, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}, \
    {AlgorithmParameters, PBEWithHmacSHA256AndAES_256, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}, \
    {SecretKeyFactory, PBEWithMD5AndDES, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}, \
    {Cipher, PBEWithHmacSHA256AndAES_256, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}, \
    {Mac, HmacPBESHA256, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}]

A separate file is used to define the custom profile in the example, which is the recommended approach for creating extensions of profiles in IBM Semeru Runtimes.

To activate the custom profile, the file must be appended to the java.security configuration by using the -Djava.security.properties system property. The custom profile in this example is named OpenJCEPlusFIPS.FIPS140-3-myCustom and extends the strict OpenJCEPlusFIPS.FIPS140-3 profile.

Use the following jvm.options settings to activate the OpenJCEPlusFIPS.FIPS140-3-myCustom custom profile:

-Dcom.ibm.ws.beta.edition=true
-Dsemeru.fips=true
-Djava.security.properties=< path-to-your-customprofile-file >
-Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3-myCustom
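
Because every constraint added to a custom profile widens what the strict profile allows, it helps to review the file mechanically before deploying it. The following Python script is an added example, not code from Open Liberty or IBM Semeru Runtimes: it checks that the jvm.options settings and the profile file agree, and lists the added constraints whose algorithm names deserve a human justification. The review pattern, the function names, and the properties file path are assumptions made for this example.

```python
import re

# Constructed inputs: the page's custom profile (shortened) and jvm.options with a placeholder path.
PROFILE = r"""
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-myCustom.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-myCustom.jce.provider.2 = sun.security.provider.Sun [+ \
    {KeyStore, PKCS12, *, ModuleAndFullClassName:java.base/java.security.KeyStore}, \
    {MessageDigest, SHA-1, *, FullClassName:org.objectweb.asm.commons.SerialVersionUIDAdder}]
RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-myCustom.jce.provider.4 = com.sun.crypto.provider.SunJCE [ \
    {SecretKeyFactory, PBEWithMD5AndDES, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}, \
    {Mac, HmacPBESHA256, *, ModuleAndFullClassName:java.base/sun.security.pkcs12.PKCS12KeyStore}]
"""
JVM_OPTIONS = """-Dcom.ibm.ws.beta.edition=true
-Dsemeru.fips=true
-Djava.security.properties=/opt/example/custom-fips.properties
-Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3-myCustom
"""
# Assumption: algorithm-name fragments that this reviewer wants justified by a person.
REVIEW = re.compile(r"SHA-?1(?!\d)|MD5|DES", re.I)

def load_properties(text):
    """Join backslash line continuations, then split each line at the first '='."""
    joined = re.sub(r"\\\s*\n\s*", "", text)
    pairs = (l.split("=", 1) for l in joined.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(profile_text, jvm_options):
    """Return (configuration problems, constraints flagged for manual review)."""
    props = load_properties(profile_text)
    opts = dict(l.strip()[2:].split("=", 1) for l in jvm_options.splitlines()
                if l.strip().startswith("-D") and "=" in l)
    name = opts.get("semeru.customprofile", "")
    prefix = f"RestrictedSecurity.{name}."
    checks = {
        "semeru.fips is not true": opts.get("semeru.fips") == "true",
        "java.security.properties is not set": "java.security.properties" in opts,
        f"{name} has no extends entry": prefix + "extends" in props,
    }
    problems = [msg for msg, ok in checks.items() if not ok]
    flagged = []
    for key, value in props.items():
        if key.startswith(prefix + "jce.provider."):
            provider = value.split("[", 1)[0].strip()
            for c in re.findall(r"\{([^}]*)\}", value):
                kind, algorithm, _attrs, caller = [f.strip() for f in c.split(",", 3)]
                if REVIEW.search(algorithm):
                    flagged.append((provider, kind, algorithm, caller.partition(":")[2]))
    return problems, flagged

if __name__ == "__main__":
    print(audit(PROFILE, JVM_OPTIONS))
```

A flagged entry is a prompt for review, not a compliance verdict: the output shows which caller class each exception is scoped to, so you can confirm it is as narrow as your use case needs.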

Try it now

To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 21, Java SE 17, Java SE 11, and Java SE 8.

If you’re using Maven, you can install the All Beta Features package using:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.4</version>
    <configuration>
        <runtimeArtifact>
          <groupId>io.openliberty.beta</groupId>
          <artifactId>openliberty-runtime</artifactId>
          <version>25.0.0.9-beta</version>
          <type>zip</type>
        </runtimeArtifact>
    </configuration>
</plugin>

You must also add dependencies to your pom.xml file for the beta version of the APIs that are associated with the beta features that you want to try. For example, the following block adds dependencies for two example beta APIs:

<dependency>
    <groupId>org.example.spec</groupId>
    <artifactId>exampleApi</artifactId>
    <version>7.0</version>
    <type>pom</type>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>example.platform</groupId>
    <artifactId>example.example-api</artifactId>
    <version>11.0.0</version>
    <scope>provided</scope>
</dependency>

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.4'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[25.0.0.9-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.