opensearch-project · beanuwave · Aug 5, 2025 · Aug 6, 2025 · Aug 14, 2025 · Aug 14, 2025
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add pluggable gRPC interceptors with explicit ordering([#19005](https://github.com/opensearch-project/OpenSearch/pull/19005))
 - Add metrics for the merged segment warmer feature ([#18929](https://github.com/opensearch-project/OpenSearch/pull/18929))
 - Add pointer based lag metric in pull-based ingestion ([#19635](https://github.com/opensearch-project/OpenSearch/pull/19635))
+- Add build-tooling to run in FIPS environment ([#18921](https://github.com/opensearch-project/OpenSearch/pull/18921))
 
 ### Changed
 - Faster `terms` query creation for `keyword` field with index and docValues enabled ([#19350](https://github.com/opensearch-project/OpenSearch/pull/19350))

@@ -71,6 +71,11 @@ apply from: 'gradle/run.gradle'
 apply from: 'gradle/missing-javadoc.gradle'
 apply from: 'gradle/code-coverage.gradle'
 
+// Apply FIPS configuration to all projects
+allprojects {
+  apply from: "$rootDir/gradle/fips.gradle"
+}
+
 // common maven publishing configuration
 allprojects {
   group = 'org.opensearch'
@@ -421,8 +426,12 @@ gradle.projectsEvaluated {
           dependsOn(project(':libs:agent-sm:agent').prepareAgent)
           jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
         }
-        if (BuildParams.inFipsJvm) {
-          task.jvmArgs += ["-Dorg.bouncycastle.fips.approved_only=true"]
+        if (BuildParams.isInFipsJvm()) {
+          def fipsSecurityFile = project.rootProject.file('distribution/src/config/fips_java.security')
+          task.jvmArgs += [
+              "-Dorg.bouncycastle.fips.approved_only=true",
+              "-Djava.security.properties=${fipsSecurityFile}"
+          ]
         }
       }
     }
@@ -693,14 +702,6 @@ allprojects {
   plugins.withId('lifecycle-base') {
     checkPart1.configure { dependsOn 'check' }
   }
-
-  plugins.withId('opensearch.testclusters') {
-    testClusters.configureEach {
-      if (BuildParams.inFipsJvm) {
-        keystorePassword 'notarealpasswordphrase'
-      }
-    }
-  }
 }
 
 subprojects {

@@ -185,7 +185,7 @@ if (project != rootProject) {
   disableTasks('forbiddenApisMain', 'forbiddenApisTest', 'forbiddenApisIntegTest', 'forbiddenApisTestFixtures')
   jarHell.enabled = false
   thirdPartyAudit.enabled = false
-  if (org.opensearch.gradle.info.BuildParams.inFipsJvm) {
+  if (org.opensearch.gradle.info.BuildParams.isInFipsJvm()) {
     // We don't support running gradle with a JVM that is in FIPS 140 mode, so we don't test it.
     // WaitForHttpResourceTests tests would fail as they use JKS/PKCS12 keystores
     test.enabled = false
@@ -255,7 +255,7 @@ if (project != rootProject) {
   tasks.register("integTest", Test) {
     inputs.dir(file("src/testKit")).withPropertyName("testkit dir").withPathSensitivity(PathSensitivity.RELATIVE)
     systemProperty 'test.version_under_test', version
-    onlyIf { org.opensearch.gradle.info.BuildParams.inFipsJvm == false }
+    onlyIf { org.opensearch.gradle.info.BuildParams.isInFipsJvm() == false }
     maxParallelForks = System.getProperty('tests.jvms', org.opensearch.gradle.info.BuildParams.defaultParallel.toString()) as Integer
     testClassesDirs = sourceSets.integTest.output.classesDirs
     classpath = sourceSets.integTest.runtimeClasspath

@@ -761,7 +761,7 @@ class ClusterFormationTasks {
         start.doLast(opensearchRunner)
         start.doFirst {
             // If the node runs in a FIPS 140-2 JVM, the BCFKS default keystore will be password protected
-            if (BuildParams.inFipsJvm) {
+            if (BuildParams.isInFipsJvm()) {
                 node.config.systemProperties.put('javax.net.ssl.trustStorePassword', 'password')
                 node.config.systemProperties.put('javax.net.ssl.keyStorePassword', 'password')
             }

@@ -31,6 +31,8 @@
 package org.opensearch.gradle.test
 
 import groovy.transform.CompileStatic
+import org.gradle.api.artifacts.VersionCatalog
+import org.gradle.api.artifacts.VersionCatalogsExtension
 import org.opensearch.gradle.OpenSearchJavaPlugin
 import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
 import org.opensearch.gradle.RepositoriesSetupPlugin
@@ -92,6 +94,10 @@ class StandaloneRestTestPlugin implements Plugin<Project> {
         // create a compileOnly configuration as others might expect it
         project.configurations.create("compileOnly")
         project.dependencies.add('testImplementation', project.project(':test:framework'))
+        if (BuildParams.isInFipsJvm()) {
+            VersionCatalog libs = project.extensions.getByType(VersionCatalogsExtension).named("libs")
+            project.dependencies.add('testFipsRuntimeOnly', libs.findBundle("bouncycastle").get())
+        }
 
         EclipseModel eclipse = project.extensions.getByType(EclipseModel)
         eclipse.classpath.sourceSets = [testSourceSet]

@@ -102,6 +102,18 @@ static void setupDependencies(Project project, SourceSet sourceSet) {
                 );
         }
 
+        if (BuildParams.isInFipsJvm()) {
+            project.getDependencies()
+                .add(
+                    sourceSet.getImplementationConfigurationName(),
+                    "org.bouncycastle:bc-fips:" + VersionProperties.getVersions().get("bouncycastle_jce")
+                );
+            project.getDependencies()
+                .add(
+                    sourceSet.getImplementationConfigurationName(),
+                    "org.bouncycastle:bctls-fips:" + VersionProperties.getVersions().get("bouncycastle_tls")
+                );
+        }
     }
 
 }
@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.client;
+
+import com.carrotsearch.randomizedtesting.ThreadFilter;
+
+/**
+ * ThreadFilter to exclude ThreadLeak checks for BC’s global background threads
+ *
+ * <p>clone from the original, which is located in ':test:framework'</p>
+ */
+public class BouncyCastleThreadFilter implements ThreadFilter {
+    @Override
+    public boolean reject(Thread t) {
+        String n = t.getName();
+        // Ignore BC’s global background threads
+        return "BC Disposal Daemon".equals(n) || "BC Cleanup Executor".equals(n);
+    }
+}
@@ -38,6 +38,7 @@
 import com.carrotsearch.randomizedtesting.annotations.SeedDecorators;
 import com.carrotsearch.randomizedtesting.annotations.TestMethodProviders;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakAction;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakGroup;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakLingering;
 import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
@@ -65,6 +66,7 @@
 @ThreadLeakAction({ ThreadLeakAction.Action.WARN, ThreadLeakAction.Action.INTERRUPT })
 @ThreadLeakZombies(ThreadLeakZombies.Consequence.IGNORE_REMAINING_TESTS)
 @ThreadLeakLingering(linger = 5000) // 5 sec lingering
+@ThreadLeakFilters(filters = BouncyCastleThreadFilter.class)
 @TimeoutSuite(millis = 2 * 60 * 60 * 1000)
 public abstract class RestClientTestCase extends RandomizedTest {
 

@@ -312,7 +312,7 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
    *             Properties to expand when copying packaging files             *
    *****************************************************************************/
   configurations {
-    ['libs', 'libsPluginCli', 'libsKeystoreCli', 'bcFips'].each {
+    ['libs', 'libsPluginCli', 'libsKeystoreCli', 'libsFipsInstallerCli', 'bcFips'].each {
       create(it) {
         canBeConsumed = false
         canBeResolved = true
@@ -333,6 +333,7 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
 
     libsPluginCli project(':distribution:tools:plugin-cli')
     libsKeystoreCli project(path: ':distribution:tools:keystore-cli')
+    libsFipsInstallerCli project(path: ':distribution:tools:fips-demo-installer-cli')
 
     bcFips libs.bundles.bouncycastle
   }
@@ -346,7 +347,7 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
       copySpec {
         // delay by using closures, since they have not yet been configured, so no jar task exists yet
         from(configurations.libs)
-        if ( BuildParams.inFipsJvm ) {
+        if ( BuildParams.isInFipsJvm() ) {
           from(configurations.bcFips)
         }
         into('tools/plugin-cli') {
@@ -355,6 +356,10 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
         into('tools/keystore-cli') {
           from(configurations.libsKeystoreCli)
         }
+        // Add FIPS installer CLI
+        into('tools/fips-demo-installer-cli') {
+          from(configurations.libsFipsInstallerCli)
+        }
       }
     }
 

@@ -295,3 +295,11 @@ subprojects { Project subProject ->
 tasks.named("composeUp").configure {
   dependsOn preProcessFixture
 }
+
+dockerCompose {
+  useComposeFiles = ['docker-compose.yml']
+  if (BuildParams.isInFipsJvm()) {
+    environment.put("KEYSTORE_PASSWORD", "notarealpasswordphrase")
+    environment.put("FIPS_GENERATE_TRUSTSTORE", "true")
+  }
+}
@@ -16,6 +16,8 @@ services:
        - cluster.routing.allocation.disk.watermark.high=1b
        - cluster.routing.allocation.disk.watermark.flood_stage=1b
        - node.store.allow_mmap=false
+       - "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}"
+       - "FIPS_GENERATE_TRUSTSTORE=${FIPS_GENERATE_TRUSTSTORE}"
     volumes:
        - ./build/repo:/tmp/opensearch-repo
        - ./build/logs/1:/usr/share/opensearch/logs
@@ -40,6 +42,8 @@ services:
        - cluster.routing.allocation.disk.watermark.high=1b
        - cluster.routing.allocation.disk.watermark.flood_stage=1b
        - node.store.allow_mmap=false
+       - "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}"
+       - "FIPS_GENERATE_TRUSTSTORE=${FIPS_GENERATE_TRUSTSTORE}"
     volumes:
        - ./build/repo:/tmp/opensearch-repo
        - ./build/logs/2:/usr/share/opensearch/logs

@@ -74,19 +74,24 @@ if [[ -f bin/opensearch-users ]]; then
 fi
 
 if ls "/usr/share/opensearch/lib" | grep -E -q "bc-fips.*\.jar"; then
-  # If BouncyCastle FIPS is detected - enforcing keystore password policy.
 
+  # If BouncyCastle FIPS is detected - configure FIPS trust store in test mode
+  if [[ "$FIPS_GENERATE_TRUSTSTORE" == "true" ]]; then
+    (run_as_other_user_if_needed opensearch-fips-demo-installer --non-interactive)
+  fi
+
+  # If BouncyCastle FIPS is detected - enforce keystore password policy.
   if [[ -z "$KEYSTORE_PASSWORD" ]]; then
     echo "[ERROR] FIPS mode requires a keystore password. KEYSTORE_PASSWORD is not set." >&2
     exit 1
   fi
 
   if [[ ! -f /usr/share/opensearch/config/opensearch.keystore ]]; then
-    # Keystore not found - creating with password.
+    # Keystore not found - create with password.
     COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$KEYSTORE_PASSWORD")"
     echo "$COMMANDS" | run_as_other_user_if_needed opensearch-keystore create -p
   else
-    # Keystore already exists - checking encryption.
+    # Keystore already exists - check encryption.
     if ! run_as_other_user_if_needed opensearch-keystore has-passwd --silent; then
       # Keystore is unencrypted - securing it for FIPS mode.
       COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$KEYSTORE_PASSWORD")"

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+OPENSEARCH_MAIN_CLASS=org.opensearch.tools.cli.fips.truststore.FipsTrustStoreCommand \
+  OPENSEARCH_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/fips-demo-installer-cli \
+  "`dirname "$0"`"/opensearch-cli \
+  "$@"
@@ -0,0 +1,16 @@
+@echo off
+
+setlocal enabledelayedexpansion
+setlocal enableextensions
+
+set OPENSEARCH_MAIN_CLASS=org.opensearch.tools.cli.fips.truststore.FipsTrustStoreCommand
+set OPENSEARCH_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/fips-demo-installer-cli
+
+call "%~dp0opensearch-cli.bat" ^
+  %%* ^
+  || goto exit
+
+endlocal
+endlocal
+:exit
+exit /b %ERRORLEVEL%
@@ -0,0 +1,36 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+import de.thetaphi.forbiddenapis.gradle.CheckForbiddenApis
+
+apply plugin: 'opensearch.build'
+
+dependencies {
+  api project(":libs:opensearch-cli")
+  api project(":server")
+  api project(':distribution:tools:java-version-checker')
+  api "info.picocli:picocli:${versions.picocli}"
+  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+
+  testImplementation project(":test:framework")
+}
+
+configurations.runtimeClasspath {
+  exclude group: 'org.apache.logging.log4j'
+}
+
+tasks.withType(CheckForbiddenApis).configureEach {
+  replaceSignatureFiles 'jdk-signatures'
+}
+
+tasks.named("dependencyLicenses").configure {
+  mapping from: /bc.*/, to: 'bouncycastle'
+}
+
+tasks.named("missingJavadoc").configure { it.enabled = false }
+tasks.named("loggerUsageCheck").configure { it.enabled = false }
@@ -0,0 +1 @@
+34c72d0367d41672883283933ebec24843570bf5
@@ -0,0 +1,17 @@
+Copyright (c) 2000-2015 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org) 
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software 
+and associated documentation files (the "Software"), to deal in the Software without restriction, 
+including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, 
+and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
@@ -0,0 +1 @@
+
@@ -0,0 +1 @@
+82bcae3dc45ddeb08b4954e2f596772a42219715