Description
Security providers should not be removed due to a Bouncy Castle property.
For example, it is possible to configure Bouncy Castle FIPS libraries and the restricted Sun JCE in RHEL OpenJDK 21 in FIPS mode: https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/21/html-single/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips/index#about-fips
This code can prevent the valid use of `org.bouncycastle.fips.approved_only`:
OpenSearch/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java
Lines 200 to 202 in 31aaff3
```java
if ("FIPS-140-3".equals(cryptoStandard) || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only"))) {
    LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode");
    SecurityProviderManager.removeNonCompliantFipsProviders();
```

The check for `org.bouncycastle.fips.approved_only` here should be removed.
There is also an argument that the provider should not be removed at all, but honored if configured in the Java security file (rightly or wrongly). However, if an environment variable is desirable for enforcing strict requirements, I propose adding a crypto standard of "FIPS-140-3-STRICT" or similar.
Initial discussion under #18921 (comment)
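
An added example, not part of the original issue and not OpenSearch code: it compares the gate quoted above with the same gate minus the Bouncy Castle property check, over constructed inputs, and does a dry run of which installed JVM providers fall outside a keep-list. The class name, method names and the keep-list (`BCFIPS`, `BCJSSE`) are assumptions for illustration; the providers OpenSearch actually removes are not shown on this page.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ProviderRemovalGate {

    // Gate as quoted in the issue: the BC property alone is enough to trigger removal.
    static boolean currentGate(String cryptoStandard, String approvedOnly) {
        return "FIPS-140-3".equals(cryptoStandard) || "true".equalsIgnoreCase(approvedOnly);
    }

    // Gate with the property check dropped, as the issue requests:
    // only the crypto standard decides, approved_only is left to Bouncy Castle.
    static boolean gateWithoutPropertyCheck(String cryptoStandard) {
        return "FIPS-140-3".equals(cryptoStandard);
    }

    // Dry run: names of installed providers, in preference order, that are not
    // in the caller-supplied keep-list. Nothing is removed from the JVM.
    static List<String> outsideKeepList(Set<String> keep) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (!keep.contains(p.getName())) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed inputs: {crypto standard, approved_only value}.
        String[][] cases = { { null, null }, { null, "true" }, { "FIPS-140-3", null }, { "FIPS-140-3", "true" } };
        for (String[] c : cases) {
            System.out.printf("standard=%s approved_only=%s current=%b withoutPropertyCheck=%b%n",
                c[0], c[1], currentGate(c[0], c[1]), gateWithoutPropertyCheck(c[0]));
        }
        // Assumed keep-list; substitute the providers your java.security file configures.
        Set<String> keep = Set.of("BCFIPS", "BCJSSE");
        System.out.println("installed providers outside keep-list: " + outsideKeepList(keep));
    }
}
```

The second constructed case (no crypto standard, `approved_only=true`) is the one the issue describes: the two gates disagree only there.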