[Backport 3.5] Use env variable (OPENSEARCH_FIPS_MODE) to enable opensearch to run in FIPS enforced mode instead of checking for existence of bcFIPS jars

CHANGELOG.md

@@ -38,6 +38,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add `Alt-Svc` header support to advertise HTTP/3 availability ([#20434](https://github.com/opensearch-project/OpenSearch/pull/20434))
 - Refactor streaming agg query phase planning ([#20471](https://github.com/opensearch-project/OpenSearch/pull/20471))
 - Update streaming flag to use search request context ([#20530](https://github.com/opensearch-project/OpenSearch/pull/20530))
+- Move Randomness from server to libs/common ([#20570](https://github.com/opensearch-project/OpenSearch/pull/20570))
+- Use env variable (OPENSEARCH_FIPS_MODE) to enable opensearch to run in FIPS enforced mode instead of checking for existence of bcFIPS jars ([#20625](https://github.com/opensearch-project/OpenSearch/pull/20625))
 
 ### Fixed
 - Fix Snapshot rename replacement unbounded length rename ([#20464](https://github.com/opensearch-project/OpenSearch/issues/20464))

distribution/src/bin/opensearch-env

@@ -112,13 +112,19 @@ fi
 # now make OPENSEARCH_PATH_CONF absolute
 OPENSEARCH_PATH_CONF=`cd "$OPENSEARCH_PATH_CONF"; pwd`
 
-# Check if any bc-fips jar exists on classpath
-# run in FIPS JVM if jar is found
-if ls "$OPENSEARCH_HOME/lib" | grep -E -q "bc-fips.*\.jar"; then
-  echo "BouncyCastle FIPS library found, setting FIPS JVM options."
-  export OPENSEARCH_JAVA_OPTS="-Dorg.bouncycastle.fips.approved_only=true \
-    -Djava.security.properties=${OPENSEARCH_PATH_CONF}/fips_java.security \
-    ${OPENSEARCH_JAVA_OPTS}"
+# FIPS mode is runtime-configured via env var (default: false)
+OPENSEARCH_FIPS_MODE="${OPENSEARCH_FIPS_MODE:-false}"
+
+# Normalize to lowercase for common inputs: TRUE/True/true
+OPENSEARCH_FIPS_MODE="${OPENSEARCH_FIPS_MODE:-false}"
+OPENSEARCH_FIPS_MODE="$(echo "$OPENSEARCH_FIPS_MODE" | tr '[:upper:]' '[:lower:]')"
+
+if [[ "$OPENSEARCH_FIPS_MODE" == "true" ]] && ls "$OPENSEARCH_HOME/lib" | grep -E -q "bc-fips.*\.jar"; then
+  echo "FIPS mode enabled, setting JVM options."
+  export OPENSEARCH_JAVA_OPTS="-Djava.security.properties=${OPENSEARCH_PATH_CONF}/fips_java.security ${OPENSEARCH_JAVA_OPTS}"
+
+  # Ensure BC-FIPS "approved only" mode is on when FIPS mode is enabled
+  export OPENSEARCH_JAVA_OPTS="-Dorg.bouncycastle.fips.approved_only=true ${OPENSEARCH_JAVA_OPTS}"
 fi
 
 OPENSEARCH_DISTRIBUTION_TYPE=${opensearch.distribution.type}
@@ -141,7 +147,7 @@ if [[ "$OPENSEARCH_DISTRIBUTION_TYPE" == "docker" ]]; then
   #
   # will cause OpenSearch to be invoked with -Ecluster.name=testcluster
   #
-  # see https://opensearch.org/docs/opensearch/configuration/ 
+  # see https://opensearch.org/docs/opensearch/configuration/
 
   declare -a opensearch_arg_array
 

distribution/src/bin/opensearch-env.bat

@@ -30,12 +30,22 @@ if not defined OPENSEARCH_PATH_CONF (
 rem now make OPENSEARCH_PATH_CONF absolute
 for %%I in ("%OPENSEARCH_PATH_CONF%..") do set OPENSEARCH_PATH_CONF=%%~dpfI
 
+REM FIPS mode is runtime-configured via env var (default: false)
+if "%OPENSEARCH_FIPS_MODE%"=="" set "OPENSEARCH_FIPS_MODE=false"
+
 rem Check if any bc-fips jar exists on classpath
 rem run in FIPS JVM if jar is found
 set "FOUND_BC_FIPS="
 if exist "%OPENSEARCH_HOME%\lib\bc-fips*.jar" (
-    echo BouncyCastle FIPS library found, setting FIPS JVM options.
-    set OPENSEARCH_JAVA_OPTS=-Dorg.bouncycastle.fips.approved_only=true -Djava.security.properties="%OPENSEARCH_PATH_CONF%\fips_java.security" %OPENSEARCH_JAVA_OPTS%
+    set "FOUND_BC_FIPS=true"
+)
+
+REM Enable only if value equals "true" (case-insensitive) AND BC-FIPS JAR is present
+if /I "%OPENSEARCH_FIPS_MODE%"=="true" (
+    if "%FOUND_BC_FIPS%"=="true" (
+        echo FIPS mode enabled, setting JVM options.
+        set "OPENSEARCH_JAVA_OPTS=-Dorg.bouncycastle.fips.approved_only=true -Djava.security.properties=""%OPENSEARCH_PATH_CONF%\fips_java.security"" %OPENSEARCH_JAVA_OPTS%"
+    )
 )
 
 set OPENSEARCH_DISTRIBUTION_TYPE=${opensearch.distribution.type}
@@ -54,10 +64,10 @@ if "%1" == "nojava" (
 
 rem comparing to empty string makes this equivalent to bash -v check on env var
 rem and allows to effectively force use of the bundled jdk when launching OpenSearch
-rem by setting OPENSEARCH_JAVA_HOME= and JAVA_HOME= 
+rem by setting OPENSEARCH_JAVA_HOME= and JAVA_HOME=
 if not "%OPENSEARCH_JAVA_HOME%" == "" (
   set "JAVA=%OPENSEARCH_JAVA_HOME%\bin\java.exe"
-  set JAVA_TYPE=OPENSEARCH_JAVA_HOME 
+  set JAVA_TYPE=OPENSEARCH_JAVA_HOME
 ) else if not "%JAVA_HOME%" == "" (
   set "JAVA=%JAVA_HOME%\bin\java.exe"
   set JAVA_TYPE=JAVA_HOME

qa/fips-compliance/build.gradle

@@ -33,6 +33,7 @@ afterEvaluate {
   testClusters {
     // configure cluster to start in FIPS JVM
     javaRestTest {
+      environment 'OPENSEARCH_FIPS_MODE', 'true'
       keystorePassword 'notarealpasswordphrase'
       extraConfigFile 'opensearch-fips-truststore.bcfks',
           file("${project.rootDir}/buildSrc/src/main/resources/opensearch-fips-truststore.bcfks")