20
Secure Operation of Crypto-J
RSA BSAFE Crypto-J 4.1 Security Policy
·
To operate the Crypto-J module in a FIPS 140-2 mode, set the
com.rsa.cryptoj.kat.strategy property to on.load.
More information on the algorithm strength and keysize is provided in the
RSA BSAFE Crypto-J 4.1 Release Notes.
Crypto-J users should take care to zeroize CSPs when they are no longer needed. For
more information on clearing sensitive data, see Clearing Sensitive Data in the
RSA BSAFE Crypto-J 4.1 Developer's Guide.
3.2 Crypto Officer Guidance
The Crypto Officer is responsible for installing the toolkit. Installation instructions are
provided in the RSA BSAFE Crypto-J 4.1 Installation Guide.
3.3 Role Changes
If a user of Crypto-J needs to operate the toolkit in different roles, then the user must
ensure that all instantiated cryptographic objects are destroyed before changing from
the Crypto User role to the Crypto Officer role, or unexpected results could occur.
3.4 Operating the Cryptographic Module
The Cryptographic Module operates in FIPS140_MODE by default for the FIPS 140
Crypto-J toolkit variant. The initial mode can be configured through the use of the
fips140initialmode property. See the RSA BSAFE Crypto-J 4.1 Installation Guide for
details on how to set this property. If the property is not set, then the default mode
FIPS140_MODE is used. The current mode of the cryptographic module can be
determined with a call to the CryptoJ.getMode() method. The mode of the
cryptographic module can be changed by using the function CryptoJ.setMode()
When changing to an approved mode of operation, the toolkit causes the power-up
self-tests to run.
After setting the cryptographic module into a FIPS approved mode, the Cryptographic
are available to operators. To disable FIPS mode, call the CryptoJ.setMode()
method with the mode identifier NON_FIPS140_MODE.
The Service CryptoJ.runSelfTests() is restricted to operation by the Crypto
Officer.