These notes are intended for advanced NiagaraAX developers only, and may be moved at a later date to another document with similar type content.

When developing code intended for use in a FIPS environment (station running in FIPS mode), you must take steps to ensure that no “non-FIPS compliant” cryptographic algorithms are used.

In order to simplify writing code for FIPS environments, we have made use of the JCA (Java Cryptography Architecture). In the JCA, security providers are added to or removed from the framework as needed. Different providers may implement different cryptographic algorithms, or they may provide different implementations of the same algorithms. Requests for specific algorithms are then made through the JCA.

For example, if an AES-256 cipher is needed, you can call:

Cipher cipher = Cipher.getInstance("AES256");

Although it is possible to use “Cipher cipher = Cipher.getInstance("AES256", "Entrust");” to request a cipher from a specific provider, this should almost never be used. Because we use different providers for FIPS-mode and non-FIPS mode, requesting a specific provider can result in code that only works in one environment.

In the JCA, security providers are ordered; when a request for an algorithm is made, the JCA goes through the ordered list of providers and returns the first implementation it finds. In our implementation of FIPS, we have ensured that the FIPS providers are always first in the list. Therefore, FIPS-compliant algorithms will always be selected when possible.

In addition, when running in FIPS mode, most non-FIPS algorithms have been stripped out from the security providers (exceptions are listed in the Disallowed Algorithms section). This ensures that any request for a non-FIPS algorithm will generate an exception, so that no non-FIPS cryptographic algorithm usages are inadvertently introduced.

When writing code for a FIPS environment, all cryptographic algorithms requests must go through the JCA. Also see Disallowed algorithms.