Documentation Home
MySQL Connector/J Developer Guide
Related Documentation Download this Manual
PDF (US Ltr) - 1.2Mb
PDF (A4) - 1.2Mb


6.9.4 JSSE in FIPS Mode

When using a Java 8 to 12 JREs, if JSSE is configured to use FIPS mode, attempts to connect to a MySQL Server may fail in some cases with a KeyManagementException, complaining that "FIPS mode: only SunJSSE TrustManagers may be used." This happens because, in that case, a custom TrustManager implemented by Connector/J that supports the different sslMode options is invoked but is eventually rejected by the default implementation of SunJSSE.

The issue can be overcome by telling Connector/J not to use its custom TrustManager implementation, but use your own security providers instead. This can be done by setting the following connection properties:

  • fipsCompliantJsse: Set to true to overcome the above-mentioned issue with FIPS mode.

    Note

    When set to true, Connector/J always performs server certificate validation (even if sslMode is set to PREFERRED or REQUIRED), which means a truststore must be configured with the connection proprieties described below, or the fallback system-wide truststore must be enabled.

  • KeyManagerFactoryProvider: The name of the a Java Security Provider that provides a javax.net.ssl.KeyManagerFactory implementation.

  • trustManagerFactoryProvider: The name of the a Java Security Provider that provides a javax.net.ssl.TrustManagerFactory implementation.

  • keyStoreProvider: The name of the a Java Security Provider that provides a java.security.KeyStore implementation, supporting the key stores types specified with clientCertificateKeyStoreType and trustCertificateKeyStoreType.