Configure the Apache™ Ant plugin for FIPS compliance


As part of the CloudBees Assurance Program (CAP), CloudBees CI includes the Ant plugin, which provides features and default configuration settings for building Apache™ Ant projects.

By default, the Apache Ant build uses the default JDK provided by the agent. To enable FIPS mode on the JDK installation of the Jenkins agent that executes the build, pass the following Java arguments as jvmargs:

-Xbootclasspath/a:/usr/share/jenkins/fips/bc-fips.jar:/usr/share/jenkins/fips/bctls-fips.jar:/usr/share/jenkins/fips/bcpkix-fips.jar:/usr/share/jenkins/fips/fips-security-manager.jar -Dorg.bouncycastle.fips.approved_only=true -Djava.security.manager=com.cloudbees.cbci.fips_security_manager.FIPSSecurityManager -Djavax.net.ssl.trustStoreType=PKCS12 -Dcom.redhat.fips=false

jvmargs can be passed through as an ANT_OPT setting in the build.xml file, as a JAVA_OPT setting in the pipeline script if the job is a pipeline, or in the Invoke Ant build step if the job is a FreeStyle job.
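
One way to confirm on the agent that a jvmargs string carries every argument listed above and that each jar on its boot class path is readable. This is an added example, not CloudBees code: the function name check_fips_jvmargs is hypothetical, and the arguments are assumed to be separated by single spaces.

```shell
#!/bin/sh
# Added example: preflight check for the FIPS jvmargs listed on this page.
# check_fips_jvmargs is a hypothetical helper name, not a CloudBees tool.

# System properties the page lists; each must appear as a whole argument.
REQUIRED_FIPS_ARGS='-Dorg.bouncycastle.fips.approved_only=true
-Djava.security.manager=com.cloudbees.cbci.fips_security_manager.FIPSSecurityManager
-Djavax.net.ssl.trustStoreType=PKCS12
-Dcom.redhat.fips=false'

# Usage: check_fips_jvmargs "<jvmargs string>"
# Prints one line per problem; returns 0 only when nothing is missing.
check_fips_jvmargs() {
    args=$1
    problems=0
    bootcp=

    # Locate the appended boot class path among the arguments.
    for a in $args; do
        case $a in
            -Xbootclasspath/a:*) bootcp=${a#-Xbootclasspath/a:} ;;
        esac
    done

    if [ -z "$bootcp" ]; then
        echo "missing: -Xbootclasspath/a"
        problems=$((problems + 1))
    else
        # Every jar on the boot class path must be readable on this agent.
        old_ifs=$IFS; IFS=:
        for jar in $bootcp; do
            [ -r "$jar" ] || { echo "unreadable jar: $jar"; problems=$((problems + 1)); }
        done
        IFS=$old_ifs
    fi

    # A property with a different value (for example =true) counts as missing.
    for want in $REQUIRED_FIPS_ARGS; do
        case " $args " in
            *" $want "*) ;;
            *) echo "missing: $want"; problems=$((problems + 1)) ;;
        esac
    done

    [ "$problems" -eq 0 ]
}
```

Run it on the agent with the same string the job passes to Ant; a non-zero exit status means the build would start without one of the listed settings or jars.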

CloudBees cannot guarantee FIPS 140-2 compliance of an external JDK, Apache Ant distribution, or any of the Ant plugins downloaded or used during the build.