Aaron Warner · cee5066c
--- a/Dockerfile

+ 6

− 3
+++ b/Dockerfile

+ 6

− 3
 @@ -12,6 +12,12 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 # We want UTF-8 and this is the only locale in the base image that supports it
 ENV LANG="C.UTF-8"

+# openjdk11 (base image) does not expose all the fips ciphers, like HmacSHA256, when fips enabled
+# This causes issues with keytool & connect, so disable it for ONLY those java processes (not other processes, the OS, or K8S host)
+ARG JAVA_OPTS="-Dsecurity.useSystemPropertiesFile=false -Dcom.redhat.fips=false"
+ENV JDK_JAVA_OPTIONS=$JAVA_OPTS
+ENV JAVA_TOOL_OPTIONS=$JAVA_OPTS
+
 # Set the classpath for JARs required by `cub`
 ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"'

 @@ -57,9 +63,6 @@ RUN echo "===> dnf installs" \
        && chown appuser:appuser -R /usr/logs \
    && dnfupdate 
    
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
-RUN update-crypto-policies --set FIPS 
-
 # Disable setuid/setgid bits
 RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
 RUN find / -perm /6000 -type f -exec chmod g-s {} \; || true