Configure FIPS-compliant algorithms

Federal Information Processing Standards (FIPS) are the standards by which many federal and private sector organizations secure their computer systems. Support for FIPS-compliant algorithms in Data Quality & Observability Classic can be configured upon installation through the applicable environment variables.

Keep in mind the following points related to FIPS compliance:

  • To enable FIPS compliance, set the environment variable DQ_APP_FIPS_ENABLED to true. In standalone, the system performs a series of tests to determine if the environment is FIPS compliant.
  • SSL is required for FIPS compliance. The datasource URL must end with sslmode=verify-full.
  • Customers must change the default encryption key to be FIPS compliant.
  • The primary security provider configured for the JVM is Bouncy Castle FIPS (BCFIPS).

The following table describes the environment variables related to FIPS compliance.

Environment variable and description:

DQ_APP_FIPS_ENABLED
    Optional. Set to true to enable FIPS-compliant algorithms. In standalone, this must be enabled in the setup.sh and owlmanage.sh files upon the installation of Data Quality & Observability Classic. The system also performs a series of tests to determine if the environment is FIPS compliant.
    Default is false.

DQ_APP_AES_ENCRYPTION_KEY
    Optional. Only required when using your own Java security provider, algorithm, and encryption key. Enter the key for AES encryption from your preferred provider.
    Defaults to the Collibra DQ AES key.

DQ_FIPS_PROVIDER_NAME
    Optional. Only required when using your own Java security provider, algorithm, and encryption key. Provide your own provider implementation.
    Defaults to Bouncy Castle, which is supported in Collibra DQ and considered one of the secure and compliant FIPS providers.

DQ_FIPS_ALGORITHM
    Optional. Only required when using your own Java security provider, algorithm, and encryption key. Provide an algorithm supported by your FIPS provider.
    Defaults to a password-based AES-128 encryption algorithm compliant with FIPS.

DQ_APP_ENCRYPTION_AT_REST_MODE
    Optional. Specifies whether to use the legacy or hybrid cryptosystem. For FIPS compliance, set to hybrid.
    Default is legacy.

DQ_APP_ENCRYPTION_AT_REST_MIGRATION
    Optional. For existing customers who need to migrate from legacy to hybrid encryption-at-rest mode. Performs the migration to the new encryption key during startup. After completing the initial migration, disable this setting.
    Default is false.

Set up the keystore

Depending on your configuration, you may need to set up and migrate to a FIPS-compliant keystore. BCFKS is required for FIPS compliance. For more information on the migration process, go to Migrating keystores.

Configuring Collibra DQ for FIPS Compliance

The OS environment variable export DQ_APP_FIPS_ENABLED=true is set in the setup.sh, owlmanage.sh, and owl-env.sh files, while all other optional environment variables are set in owl-env.sh. All environment variables are optional; if you do not set them, they default to the out-of-the-box Bouncy Castle configuration.

Standalone

  1. Before installing Data Quality & Observability Classic, generate a keystore using a FIPS-compliant algorithm.
  2. Ensure that the entry org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider is set as the security provider in $JAVA_HOME/conf/security/java.security. For example:
     security.provider.13=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  3. Set the environment variable export DQ_APP_FIPS_ENABLED=true in the setup.sh and owlmanage.sh files.
  4. Follow the standard Standalone Installation steps.
  5. Set all FIPS and keystore environment variables (described above) and restart the DQ web application and DQ agent services.
     Important: If FIPS is enabled, specify the path to the keystore in KEYSTORE_FILEPATH (instead of SAML_KEYSTORE_FILE).
  6. SSL is required for FIPS compliance. Follow the standard steps for Setting up SSL (HTTPS). Note that the datasource URL must end with sslmode=verify-full.
  7. Sign in to Data Quality & Observability Classic.
  8. On the Collibra DQ home page, hover your pointer over Settings and select Admin Console.
     The Admin Console opens.
  9. Click Agent Configuration.
     The Agent Configuration page opens.
  10. In the Actions column, click the Edit icon to edit your agent.
     The Edit Agent modal appears.
  11. In the Free Form (Appended) field, enter the following configuration and ensure that the Bouncy Castle FIPS JAR file, such as bc-fips-x.jar, is included in the directory:
     -addlib $OWL_HOME/bin/external/
  12. Restart the DQ web application and DQ agent services.

Example of environment variables when using the default Bouncy Castle FIPS provider and Collibra DQ values:

    export DQ_APP_FIPS_ENABLED=true
    export DBPASSWORD="String to Encrypt"
    # If successful, the following command returns the encrypted string.
    # The value is quoted so that a password containing spaces is passed as one argument.
    java -cp dq-core.jar:bc-fips-1.0.2.5.jar com.owl.core.security.SecurityManager -encryptString "$DBPASSWORD"
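As an added pre-flight check (not part of Collibra's setup.sh or owlmanage.sh), the following POSIX sh script validates the standalone settings this page requires before the DQ web application and agent are restarted; the java.security path, keystore path and datasource URL it is given are assumptions.

```shell
#!/bin/sh
# Added pre-flight check, not part of Collibra's setup.sh/owlmanage.sh: verifies
# the standalone FIPS settings this page requires before the DQ web application
# and agent are restarted. Paths and the JDBC URL passed in are assumptions.

# 0 when java.security registers BouncyCastleFipsProvider under any slot number.
has_bcfips_provider() {
  grep -Eq '^security\.provider\.[0-9]+=org\.bouncycastle\.jcajce\.provider\.BouncyCastleFipsProvider[[:space:]]*$' "$1"
}

# 0 when the datasource URL ends with sslmode=verify-full, as the page requires.
url_has_verify_full() {
  case "$1" in
    *sslmode=verify-full) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs every check, prints each failure, and returns the number of failures
# (0 means the environment satisfies the page's FIPS rules).
# Arguments: java.security path, datasource URL, DQ_APP_ENCRYPTION_AT_REST_MODE,
#            KEYSTORE_FILEPATH, KEYSTORE_TYPE, DQ_APP_FIPS_ENABLED
fips_preflight() {
  sec_file=$1; ds_url=$2; rest_mode=$3; ks_path=$4; ks_type=$5; enabled=$6
  failures=0
  [ "$enabled" = "true" ] \
    || { echo "DQ_APP_FIPS_ENABLED is '$enabled', expected true"; failures=$((failures + 1)); }
  has_bcfips_provider "$sec_file" \
    || { echo "no BouncyCastleFipsProvider entry in $sec_file"; failures=$((failures + 1)); }
  url_has_verify_full "$ds_url" \
    || { echo "datasource URL must end with sslmode=verify-full"; failures=$((failures + 1)); }
  # The table documents the value as hybrid; the Kubernetes properties use HYBRID.
  case "$rest_mode" in
    hybrid|HYBRID) ;;
    *) echo "DQ_APP_ENCRYPTION_AT_REST_MODE is '$rest_mode', expected hybrid"; failures=$((failures + 1)) ;;
  esac
  [ "$ks_type" = "BCFKS" ] \
    || { echo "KEYSTORE_TYPE is '$ks_type', expected BCFKS"; failures=$((failures + 1)); }
  [ -r "$ks_path" ] \
    || { echo "KEYSTORE_FILEPATH $ks_path is missing or unreadable"; failures=$((failures + 1)); }
  return $failures
}

# Run directly with six arguments, e.g. after sourcing owl-env.sh:
#   sh fips_preflight.sh "$JAVA_HOME/conf/security/java.security" "$SPRING_AGENT_DATASOURCE_URL" \
#     "$DQ_APP_ENCRYPTION_AT_REST_MODE" "$KEYSTORE_FILEPATH" "$KEYSTORE_TYPE" "$DQ_APP_FIPS_ENABLED"
if [ "$#" -eq 6 ]; then
  fips_preflight "$@"; exit $?
fi
```

The exit status is the number of failed checks, so a zero exit is the only result that should be followed by a service restart.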
Kubernetes

  1. Before installing Data Quality & Observability Classic, generate a Java truststore and keystore using a FIPS-compliant algorithm (BCFKS).
  2. Create a Kubernetes secret using the new keystore.
  3. Pull the DQ container images that are FIPS compliant (with the -fips suffix). For example:
     docker pull gcr.io/owl-hadoop-cdh/dq-web-fips:2025.08-ABDGCSHILM-4227
     docker pull gcr.io/owl-hadoop-cdh/dq-agent-fips:2025.08-ABDGCSHILM-4227
     docker pull gcr.io/owl-hadoop-cdh/dq-livy-fips:3.5.6-2025.08-ABDGCSHILM-4227
     docker pull gcr.io/owl-hadoop-cdh/dq-spark-fips:3.5.6-2025.08-ABDGCSHILM-4227
  4. Configure the JVM with Bouncy Castle FIPS (BCFIPS) as the primary security provider. Internal keystores or truststores must be in BCFKS format. Ensure that the entry org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider is set as the security provider in $JAVA_HOME/conf/security/java.security. For example:
     security.provider.13=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  5. Set the OS environment variable DQ_APP_FIPS_ENABLED to true.
  6. Set the additional keystore properties for the DQ web application and DQ agent:
     DQ_APP_ENCRYPTION_AT_REST_MODE: HYBRID
     KEYSTORE_FILEPATH: /opt/owl/keystore/mykeystore.bcfks
     KEYSTORE_PRIVATEKEY_ALIAS: mykeypair
     KEYSTORE_PUBLICKEY_ALIAS: mykeypair
     KEYSTORE_SECRETS_SOURCE: FILE
     KEYSTORE_TYPE: BCFKS
     Important: If FIPS is enabled, specify the path to the keystore in KEYSTORE_FILEPATH (instead of SAML_KEYSTORE_FILE).
  7. Set the additional sensitive properties for the secret (the values are the base64 encoding of the passwords):
     KEYSTORE_PASSWORD: BASE64OFTHEPASSWORD
     KEYSTORE_PRIVATEKEY_PASSWORD: BASE64OFTHEPASSWORD
  8. Follow the installation steps for Installing Data Quality & Observability Classic on self-hosted Kubernetes. Add the following statement to the helm chart to make the base image FIPS-compliant:
     Values.global.cryptography.fips.enabled
  9. SSL is required for FIPS compliance. Follow the standard steps for Setting up SSL (HTTPS). Note that the datasource URL must end with sslmode=verify-full.
  10. Create a Spark Pod template k8s-spark-template.yml and mount it at the DQ agent:
     apiVersion: v1
     kind: Pod
     spec:
       securityContext:
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
       volumes:
         - name: dq-truststore
           secret:
             secretName: dq-truststore
         - name: dq-fips-keystore
           secret:
             secretName: dq-fips-keystore
       containers:
         - volumeMounts:
             - name: dq-truststore
               mountPath: /etc/custom-ssl
             - name: dq-fips-keystore
               mountPath: /opt/owl/keystore
  11. Sign in to Data Quality & Observability Classic.
  12. On the Collibra DQ home page, hover your pointer over Settings and select Admin Console.
     The Admin Console opens.
  13. Click Agent Configuration.
     The Agent Configuration page opens.
  14. In the Actions column, click the Edit icon to edit your agent.
     The Edit Agent modal appears.
  15. In the Free Form (Appended) field, enter the following configuration and ensure that the Bouncy Castle FIPS JAR file, such as bc-fips-x.jar, is included in the directory:
     -addlib $OWL_HOME/bin/external/
  16. In the Free Form (Appended) field, enter the following Spark configuration:
     -conf spark.kubernetes.executor.podTemplateFile=/opt/owl/pod-templates/k8s-spark-template.yml,spark.kubernetes.driver.podTemplateFile=/opt/owl/pod-templates/k8s-spark-template.yml,spark.driver.extraJavaOptions=-Djavax.net.ssl.trustStore=/etc/custom-ssl/truststore.bcfks;-Djavax.net.ssl.trustStoreType=BCFKS;-Djavax.net.ssl.trustStorePassword=changeit
  17. Restart the DQ web application and DQ agent services.

Important: In SPRING_AGENT_DATASOURCE_URL, the connection parameter currentSchema must be set at the end of the URL.
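Added example, not from Collibra: a POSIX sh check that the keystore path in KEYSTORE_FILEPATH and the -Djavax.net.ssl.trustStore path in the Spark configuration are both covered by a mountPath in k8s-spark-template.yml, so that driver and executor pods can actually open them; the template it writes is a constructed copy of the one above.

```shell
#!/bin/sh
# Added consistency check, not part of Collibra's charts or scripts: confirms that
# the keystore and truststore paths handed to the DQ agent sit under a volume
# mountPath in the Spark pod template. The template is a constructed copy.
# Writes the constructed k8s-spark-template.yml (securityContext omitted) to $1.
write_sample_template() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  volumes:
    - name: dq-truststore
      secret:
        secretName: dq-truststore
    - name: dq-fips-keystore
      secret:
        secretName: dq-fips-keystore
  containers:
    - volumeMounts:
        - name: dq-truststore
          mountPath: /etc/custom-ssl
        - name: dq-fips-keystore
          mountPath: /opt/owl/keystore
EOF
}
# Prints every mountPath value in the template, one per line.
template_mount_paths() {
  sed -nE 's/^[[:space:]]*mountPath:[[:space:]]*//p' "$1"
}
# 0 when file path $2 lies below one of the template's mountPath values.
path_is_mounted() {
  for mp in $(template_mount_paths "$1"); do
    case "$2" in
      "$mp"/*) return 0 ;;
    esac
  done
  return 1
}
# Checks each path given after the template (KEYSTORE_FILEPATH, the
# -Djavax.net.ssl.trustStore value) and returns the number no mount covers.
check_agent_paths() {
  tmpl=$1; shift
  missing=0
  for p in "$@"; do
    path_is_mounted "$tmpl" "$p" || { echo "$p: not under any mountPath in $tmpl"; missing=$((missing + 1)); }
  done
  return $missing
}
```

Run check_agent_paths against the real template with the two paths from steps 6 and 16; a non-zero return means a pod would start without the file and TLS verification or keystore access would fail.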