Index | Prev | Next

Developers notes

These notes and troubleshooting tips are intended for advanced Niagara developers only.

When developing code intended for use in a FIPS 140-2 environment (a station running in FIPS mode), make sure that you use only FIPS-compliant cryptographic algorithms.

JCA (Java Cryptography Architecture) simplifies writing code for FIPS 140-2 environments. Using JCA you can add or remove security providers as needed. Different providers may implement different cryptographic algorithms, or they may provide different implementations of the same algorithm. Programs request specific algorithms through the JCA. For example, this line of code calls an AES-256 cipher: 

Cipher cipher = Cipher.getInstance("AES256");

Although, to request a cipher from a specific provider you could use:

Cipher cipher = Cipher.getInstance("AES256", "BCFIPS");

You should avoid this type of call because FIPS mode and non-FIPS mode-compliant algorithms use different providers. Requesting a specific provider results in code that only works in one environment.

The JCA arranges security providers in a given order. When a program requests an algorithm, the JCA goes through the ordered list of providers and returns the first implementation it finds. In Niagara, the FIPS 140-2providers are always first in the list, which ensures, when possible, that the JCA always selects a FIPS-compliant algorithm.

In addition, with some exceptions, FIPS mode removes non-FIPS algorithms from the security providers list. This ensures that requests, which inadvertently introduce a non-FIPS algorithm, generate an exception.

Related Links

  • Non-FIPS-compliant algorithms
  • Cannot run the platform using Windows Supervisor in FIPS mode
  • Cannot copy station in FIPS mode
  • High CPU usage in mixed FIPS/non-FIPS environment
  • Cannot connect to platform after commissioning to FIPS mode
  • Host not licensed for FIPS mode

    • Index | Prev | Next