Sonatype Lifecycle FIPS 140-3 Compliance
This guide provides instructions for enabling FIPS compliance in Sonatype Lifecycle on-premises deployments.
Federal Information Processing Standards (FIPS) Compliance
Federal Information Processing Standards (FIPS) 140-3 is the U.S. government standard that defines security requirements for cryptographic modules. FIPS compliance means that a product performs its cryptographic operations only through FIPS-validated modules using approved algorithms, which is a requirement for many federal agencies and is also widely adopted in regulated industries.
Sonatype Lifecycle achieves FIPS compliance by leveraging the Bouncy Castle FIPS-certified API (BCFIPS) for all cryptographic operations when running in FIPS mode. Standard Lifecycle uses Java providers and the non-FIPS Bouncy Castle API.
Overview
Sonatype Lifecycle can operate in either standard mode or FIPS-compliant mode. In standard mode, it uses Java’s built-in cryptographic providers together with the Bouncy Castle standard API. In FIPS-compliant mode, it relies on the Bouncy Castle FIPS-certified API to perform all cryptographic operations in accordance with FIPS 140-3 standards.
FIPS-compliant Lifecycle is currently available only for new on-premises installations. While FIPS is technically a mode that can be enabled or disabled, existing standard Lifecycle deployments cannot be converted to FIPS mode. Customers must decide whether to deploy in standard mode or FIPS mode at the time of installation.
Prerequisites
Before enabling FIPS mode in Sonatype Lifecycle, ensure the following:
A valid FIPS-compatible Lifecycle license from Sonatype.
A FIPS-compliant operating system (e.g., RHEL, Fedora).
A strong password on the PostgreSQL administrator account used by Lifecycle.
Lifecycle IQ server version 195 or higher (minimum supported version for FIPS).
Enabling or Disabling FIPS Mode
Enable FIPS mode
To enable FIPS mode, set the following environment variable to true for the IQ Server process:
FIPS_MODE_ENABLED=true
Disable FIPS mode
To disable FIPS mode, set the same environment variable to false:
FIPS_MODE_ENABLED=false
Set this variable before the first start of a new installation and leave it unchanged afterwards: there is no supported migration path in either direction, so flipping it on a deployment that already holds data is not supported.
Considerations
Lifecycle FIPS is designed for new installations only. It is important to understand the following limitations before enabling FIPS mode:
FIPS mode is supported only for new deployments of Sonatype Lifecycle from version 195 and beyond.
Existing configurations (such as SCM connections, user tokens, and related settings) from standard Lifecycle are not compatible with FIPS mode, because the two modes encrypt stored secrets with different algorithms (see the differences table below). Likewise, FIPS mode configurations cannot be used in standard Lifecycle.
While FIPS is technically a configurable mode within Lifecycle (it can be enabled or disabled at the environment level), there is currently no supported migration path from a standard Lifecycle deployment to FIPS mode.
Customers must decide whether to use FIPS mode or standard mode at the time of installation. Once a deployment is set up in FIPS mode, it cannot be converted back to standard mode, and standard installations cannot be converted into FIPS mode.
Summary of Key Differences
The following functions differ between FIPS and non-FIPS Lifecycle:
Category | FIPS Mode | Non-FIPS Mode |
---|---|---|
Email Processing | SSL Enabled option unavailable | SSL Enabled option available |
Encryption Algorithm | AES/GCM/NoPadding | AES/CBC/PKCS5Padding |
HMAC | | |
Hashing Algorithm | | |
Keystore Type | | |
Certificates | X.509 v3 | X.509 v1 |
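The two transformations in the Encryption Algorithm row differ in more than the mode name: AES/GCM/NoPadding authenticates the ciphertext, while AES/CBC/PKCS5Padding provides confidentiality only. The following added example (written for this page; it is not Sonatype code and does not show how Lifecycle itself stores secrets) encrypts a constructed record under both JCA transformation names, flips one bit, and decrypts again. It uses the JDK's default providers so it runs on any Java 11+ JDK; the assumption that Lifecycle's FIPS mode obtains the same transformation names from the BCFIPS provider (`Cipher.getInstance(..., "BCFIPS")`) is noted in a comment and not exercised.

```java
// Added example contrasting the two JCA transformations named in the table.
// Runs against the JDK's default providers; in FIPS mode the same names are
// assumed to be served by BCFIPS via Cipher.getInstance(name, "BCFIPS").
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class GcmVsCbc {
    private static final SecureRandom RNG = new SecureRandom();

    // Constructed sample record (43 bytes): long enough that the PKCS5 padding
    // sits in a later block, which the tampering below does not touch.
    private static final byte[] RECORD =
        "Lifecycle stores SCM tokens and user tokens".getBytes(StandardCharsets.UTF_8);

    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** AES/GCM/NoPadding (FIPS-mode column): any modification is rejected. */
    static String gcmRoundTripWithTamper(SecretKey key) throws Exception {
        byte[] iv = new byte[12];              // 96-bit nonce; must never repeat under one key
        RNG.nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal(RECORD);       // ciphertext followed by a 16-byte tag

        ct[0] ^= 0x01;                         // flip a single bit of the ciphertext

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        try {
            dec.doFinal(ct);
            return "GCM: tampered ciphertext ACCEPTED (should not happen)";
        } catch (AEADBadTagException e) {
            return "GCM: tampered ciphertext rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    /** AES/CBC/PKCS5Padding (non-FIPS column): no integrity check. Flipping a bit
        in the IV flips the same bit in the first plaintext block and decryption
        still succeeds, because the padding in the last block is untouched. */
    static String cbcRoundTripWithTamper(SecretKey key) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = enc.doFinal(RECORD);

        iv[0] ^= ('L' ^ 'X');                  // turns the leading 'L' into 'X' without the key

        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding");
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] pt = dec.doFinal(ct);           // no exception is thrown
        return "CBC: decrypted to \"" + new String(pt, StandardCharsets.UTF_8) + "\"";
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        System.out.println(gcmRoundTripWithTamper(key));
        System.out.println(cbcRoundTripWithTamper(key));
    }
}
```

Run with `javac GcmVsCbc.java && java GcmVsCbc`. The GCM branch reports the tag failure, while the CBC branch prints the record with its first character silently changed to `X`. This is the practical difference behind the table row: secrets protected with AES/CBC/PKCS5Padding rely on something else for integrity, whereas AES/GCM/NoPadding detects modification on its own, and ciphertext produced under one transformation is not usable under the other, which is one reason existing standard-mode configurations cannot simply be moved into FIPS mode.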