SCOPE

This file contains the steps necessary to install the jars that support
the FIPS 140-2 cryptographic provider in the Oracle database.

SUMMARY

javavm/install/install_fips.sql will install the FIPS classes in the OJVM.

javavm/install/deinstall_fips.sql will remove the FIPS classes from the OJVM.

Security.insertProviderAt() is used to enable FIPS execution
in the desired application.

DETAILS

JARS
The following jars will be loaded into the database:

$ORACLE_HOME/jlib/cryptojce.jar
$ORACLE_HOME/jlib/cryptojcommon.jar
$ORACLE_HOME/jlib/jcmFIPS.jar
$ORACLE_HOME/jlib/osdt_cert.jar
$ORACLE_HOME/jlib/osdt_core.jar
$ORACLE_HOME/jlib/oraclepki.jar

ENABLING FIPS

The following Java code is required to enable FIPS in the applicable
application. It must be called before any cryptographic methods are called.

Security.insertProviderAt(new com.rsa.jsafe.provider.JsafeJCE(), 1);

The above call makes JsafeJCE the preferred crypto provider for the
application.

For non-SYS users the following permission is required to allow 
Security.insertProviderAt() to execute:

call dbms_java.grant_permission( '<schema_name>', 'SYS:java.security.SecurityPermission', 'insertProvider', '' );

<schema_name> is the name of the schema calling the FIPS application.
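
The following is an added example, not code from the original file or from Oracle. It enables the provider as described above and then fails closed if JsafeJCE is not actually the preferred provider. The class name FipsProviderCheck, the method enableAsPreferred and the use of SHA-256 as a probe algorithm are assumptions made for illustration.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;

// Hypothetical helper class (name is an assumption, not part of the product).
public class FipsProviderCheck {

    /**
     * Registers the given provider at position 1 and verifies that it is
     * the preferred provider afterwards. Returns the provider name.
     */
    static String enableAsPreferred(Provider fips) throws Exception {
        // insertProviderAt returns -1 when a provider with this name is
        // already installed. In that case it is NOT moved, so it may still
        // sit behind a non-FIPS provider. Do not trust the call alone.
        int pos = Security.insertProviderAt(fips, 1);

        // Position 1 corresponds to index 0 of the provider array.
        Provider first = Security.getProviders()[0];
        if (!first.getName().equals(fips.getName())) {
            throw new IllegalStateException("insertProviderAt returned " + pos
                    + " but preferred provider is " + first.getName());
        }

        // A lookup without an explicit provider must now resolve to the
        // FIPS provider. SHA-256 is used here only as a probe algorithm.
        String used = MessageDigest.getInstance("SHA-256")
                                   .getProvider().getName();
        if (!used.equals(fips.getName())) {
            throw new IllegalStateException("SHA-256 is served by " + used);
        }
        return first.getName();
    }

    public static void main(String[] args) throws Exception {
        // Provider class as given in this file. Run this before any other
        // cryptographic method is called in the application.
        String name = enableAsPreferred(new com.rsa.jsafe.provider.JsafeJCE());
        System.out.println("Preferred provider: " + name);
    }
}
```

A non-SYS schema still needs the insertProvider permission shown above before this code can run.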


LOADING SCRIPTS

$ORACLE_HOME/javavm/install/install_fips.sql grants read permission on
jcmFIPS.jar to enable FIPS jar verification for the provider. Next the
FIPS jars $ORACLE_HOME/jlib/cryptojce.jar,
$ORACLE_HOME/jlib/cryptojcommon.jar, and $ORACLE_HOME/jlib/jcmFIPS.jar
are loaded and PUBLIC synonyms are created. The jars
$ORACLE_HOME/jlib/osdt_cert.jar, $ORACLE_HOME/jlib/osdt_core.jar, and
$ORACLE_HOME/jlib/oraclepki.jar are loaded last to support SSO wallets.

LOADING CONSIDERATIONS

This section describes how the loading process should typically be
performed and covers some special considerations.

TYPICAL LOADING SCENARIO

All scripts must be run as SYS.

NON-CDB

Run the script $ORACLE_HOME/javavm/install/install_fips.sql as SYS.

CDB

To install the components in all containers use the following:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspasswd> -b install_fips -d $ORACLE_HOME/javavm/install install_fips.sql


The log files created will be of the form install_fips[01..].log.
Logs should be checked for errors.

INSTALL IN SPECIFIC PDBS

The procedure is similar to the above, but the -c option is used to
load into only certain PDBS.

To load into only PDB1:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspasswd> -c 'CDB$ROOT PDB1' -b install_fips -d $ORACLE_HOME/javavm/install install_fips.sql

DEINSTALL

NON-CDB

Run the script $ORACLE_HOME/javavm/install/deinstall_fips.sql as SYS.

CDB

The following process can be used to deinstall the FIPS classes and resources:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspasswd> -b deinstall_fips -d $ORACLE_HOME/javavm/install deinstall_fips.sql

The log files created will be of the form deinstall_fips[01..].log.
Logs should be checked for errors.

DEINSTALL IN SPECIFIC PDBS

If FIPS 140 is configured in PDB1:

$ORACLE_HOME/rdbms/admin/catcon.pl -u sys/<syspasswd> -c 'PDB1' -b deinstall_fips -d $ORACLE_HOME/javavm/install deinstall_fips.sql

NOTE: To remove FIPS completely from the OJVM, add CDB$ROOT to the -c list above.
