diff --git a/cloudplatform/connectivity-fips-sample/pom.xml b/cloudplatform/connectivity-fips-sample/pom.xml
new file mode 100644
index 000000000..ce0129485
--- /dev/null
+++ b/cloudplatform/connectivity-fips-sample/pom.xml
@@ -0,0 +1,144 @@
+
+
+ 4.0.0
+
+ com.sap.cloud.sdk.cloudplatform
+ cloudplatform-parent
+ 5.31.0-SNAPSHOT
+
+ connectivity-fips-sample
+ Connectivity - FIPS Sample
+ Non-released sample module that runs connectivity tests under the FIPS-approved Bouncy Castle provider.
+ https://sap.github.io/cloud-sdk/docs/java/getting-started
+
+ SAP SE
+ https://www.sap.com
+
+
+
+ The Apache Software License, Version 2.0
+ https://www.apache.org/licenses/LICENSE-2.0.txt
+
+
+
+
+ SAP
+ cloudsdk@sap.com
+ SAP SE
+ https://www.sap.com
+
+
+
+ 2.1.2
+ 2.1.9
+
+
+
+ com.sap.cloud.sdk.cloudplatform
+ cloudplatform-connectivity
+
+
+ org.bouncycastle
+ bcprov-jdk18on
+
+
+ org.bouncycastle
+ bcpkix-jdk18on
+
+
+ test
+
+
+ org.bouncycastle
+ bc-fips
+ ${bc-fips.version}
+ test
+
+
+ org.bouncycastle
+ bcpkix-fips
+ ${bcpkix-fips.version}
+ test
+
+
+ org.projectlombok
+ lombok
+ provided
+
+
+ org.junit.jupiter
+ junit-jupiter-api
+ test
+
+
+ org.assertj
+ assertj-core
+ test
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-surefire-plugin
+
+ ${argLine} -Dorg.bouncycastle.fips.approved_only=true
+
+
+
+
+ org.apache.maven.plugins
+ maven-dependency-plugin
+
+
+ org.bouncycastle:bc-fips
+ org.bouncycastle:bcpkix-fips
+ com.sap.cloud.sdk.cloudplatform:cloudplatform-connectivity
+
+
+
+
+ org.apache.maven.plugins
+ maven-checkstyle-plugin
+ true
+
+
+ org.apache.maven.plugins
+ maven-pmd-plugin
+ true
+
+
+ org.apache.maven.plugins
+ maven-javadoc-plugin
+ true
+
+
+ org.jacoco
+ jacoco-maven-plugin
+ true
+
+
+
+
+
+ release
+
+ release
+
+
+
+
+ org.sonatype.central
+ central-publishing-maven-plugin
+
+
+ injected-central-publishing
+
+
+
+
+
+
+
+
+
diff --git a/cloudplatform/connectivity-fips-sample/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/FipsProviderTest.java b/cloudplatform/connectivity-fips-sample/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/FipsProviderTest.java
new file mode 100644
index 000000000..5db11d399
--- /dev/null
+++ b/cloudplatform/connectivity-fips-sample/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/FipsProviderTest.java
@@ -0,0 +1,78 @@
+package com.sap.cloud.sdk.cloudplatform.connectivity;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.io.FileReader;
+import java.security.KeyStore;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import lombok.SneakyThrows;
+
+/**
+ * Tests the behavior of {@link KeyStoreReader} when operating in FIPS-approved mode with BouncyCastle FIPS provider.
+ */
+class FipsProviderTest
+{
+ private static final String RES = "src/test/resources/certificates";
+ private static final String CRT_PATH = RES + "/client-cert.crt";
+ private static final String KEY_PATH = RES + "/client-cert.key";
+ private static final String ALIAS = "client-cert";
+ private static final char[] EMPTY_PASSWORD = new char[0];
+
+ @AfterAll
+ static void removeBouncyCastleFips()
+ {
+ Security.removeProvider("BCFIPS");
+ }
+
+ @BeforeAll
+ static void registerBouncyCastleFips()
+ {
+ Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
+
+ assertThat(Security.getProvider("BCFIPS"))
+ .describedAs("BC FIPS provider must be registered as a JCA provider")
+ .isNotNull();
+
+ assertThat(CryptoServicesRegistrar.isInApprovedOnlyMode())
+ .describedAs("BC FIPS must be in approved-only mode. ")
+ .isTrue();
+ }
+
+ @Test
+ @SneakyThrows
+ void testDefaultKeystoreTypeIsP12()
+ {
+ final KeyStore keyStore =
+ KeyStoreReader.createKeyStore(ALIAS, EMPTY_PASSWORD, new FileReader(CRT_PATH), new FileReader(KEY_PATH));
+
+ assertThat(keyStore.getType()).isEqualToIgnoringCase("PKCS12");
+ }
+
+ @Test
+ @SneakyThrows
+ void testKeystoreTypeOverrideToBCFKS()
+ {
+ Security.setProperty("keystore.type", "BCFKS");
+
+ final KeyStore keyStore = KeyStore.getInstance("BCFKS");
+ assertThat(keyStore.getType()).isEqualTo("BCFKS");
+ }
+
+ @Test
+ void testMD5IsRejectedInApprovedOnlyMode()
+ {
+ assertThatThrownBy(() -> MessageDigest.getInstance("MD5", "BCFIPS"))
+ .isInstanceOf(NoSuchAlgorithmException.class);
+
+ }
+}
diff --git a/cloudplatform/connectivity-fips-sample/src/test/resources/README.md b/cloudplatform/connectivity-fips-sample/src/test/resources/README.md
new file mode 100644
index 000000000..53c46526d
--- /dev/null
+++ b/cloudplatform/connectivity-fips-sample/src/test/resources/README.md
@@ -0,0 +1,18 @@
+# Credentials
+
+The credential files are required for running the FIPS provider tests.
+
+## Generate Client Credentials
+
+Run the following commands from `cloudplatform/connectivity-fips-sample/src/test/resources/`:
+
+```bash
+# Create the directory
+mkdir -p certificates
+
+# Generate the key and certificate using Docker (alpine/openssl)
+docker run --rm -v "$(pwd)/certificates:/certs" alpine/openssl \
+ req -x509 -newkey rsa:2048 -nodes \
+ -keyout /certs/client-cert.key \
+ -out /certs/client-cert.crt \
+ -days 3650 -subj "/CN=localhost"
\ No newline at end of file
diff --git a/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.crt b/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.crt
new file mode 100644
index 000000000..677aec037
--- /dev/null
+++ b/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUBERZ7w9qG2je5O6o+Nn+ssaZYOQwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDYwODEzMjQzNVoXDTM2MDYw
+NTEzMjQzNVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAsXImnalCNo7Jk4EyD1aqWJgrzVXYALVKm8kq5E+azFpv
+3XB8QQBUXfJJNdkY1uNni6cd+twTzAhdBK+ygTsBkDbMz/r0oniLlLmGTG7L5aCW
+asYVa+HTesi0EunlGDzFbRSuwy/IdfvK2uaU0VeGoyt7Zr0OWg72mPwGPQRvPcEI
+ZljEkgajhiHeEGM9hlCTZnpx9Aye3C/4yek4734QK+ZYqvW/1mYJ08EwDudQUy8n
+rrXhAg7/ppS9v2480fAGI7WonRt4y+sAlaET8YkxNXCRPygwTDaGfQ/yjvXfK37B
+yiEl8qDMFU/WVjEBlet8wLT2/A7qxzjow0UWtsPWWQIDAQABo1MwUTAdBgNVHQ4E
+FgQUEfT0MvVXq56A21bschMDKdUqg7UwHwYDVR0jBBgwFoAUEfT0MvVXq56A21bs
+chMDKdUqg7UwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQI0R
+I+x9f2zfQThxkRsF5NoQCqgtaGckcsqk1ADcDLqQWck/j9CE3xMLPYcDKgwURG5s
+/yHUJhv+9/S2uQ/0Xl32GF8fl45av3yUz1aPW6T1JsHWD6/thUtoxvuZr5W1rn/1
+UdYvVnNutLGp1PQWbjxmdH2sZwmDZ/2ovKNCEwnmzOi3Jft7xnu94SyTZqVYnJt0
+rQw5NwrjxspPsJQx/2Rd7EEeg4b/LQEQrEIhchNPzGyLK14mF4nk/ImZ5unkNePt
+kgy6ysoQWHBf+N+184c9B3+qFZAItWOGvBx9z0jS9eQELWT7MBsJ4s2Lufku73kn
+V2gbQ/izbQlQpKduuw==
+-----END CERTIFICATE-----
diff --git a/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.key b/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.key
new file mode 100644
index 000000000..20800e1d6
--- /dev/null
+++ b/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxciadqUI2jsmT
+gTIPVqpYmCvNVdgAtUqbySrkT5rMWm/dcHxBAFRd8kk12RjW42eLpx363BPMCF0E
+r7KBOwGQNszP+vSieIuUuYZMbsvloJZqxhVr4dN6yLQS6eUYPMVtFK7DL8h1+8ra
+5pTRV4ajK3tmvQ5aDvaY/AY9BG89wQhmWMSSBqOGId4QYz2GUJNmenH0DJ7cL/jJ
+6TjvfhAr5liq9b/WZgnTwTAO51BTLyeuteECDv+mlL2/bjzR8AYjtaidG3jL6wCV
+oRPxiTE1cJE/KDBMNoZ9D/KO9d8rfsHKISXyoMwVT9ZWMQGV63zAtPb8DurHOOjD
+RRa2w9ZZAgMBAAECggEAA0Y7+C97YqOtNzpBwOQJ2KtWLj/Qmz1n1wrAmTNELqks
+j0WCxXWgGOuzoM6/ape0/XAOruZeEdHFsE8drXd38T/8SjTd9sbgAdU6k9vSNLaL
+Oq/VDVyUGRvtrBECLTmnMFAauXdUQk5se9rtZr+FYyrA6DBs518x+w4Lf2y+22uA
+lj5MD+rXxwGPz3doVmNNfX3pxrswuwD3yAu4E9A3vFSth1OF/4Li4Y2rFVLUELtw
+8halPQAlBu2lmawCD8J68cUCIzlVu9OBPtinrjGxuAvj6lhEmkuakwvkSxFeOZwB
+ZvtC0RIGM6mOzwqTWy1dJ35Le3f2qLYT3tO7zIguUQKBgQDdyV8nyu3Y1odRA/Rd
+y36Xidm7YySwnyF/GZMVM0Cm2iKFGoo0Ym0gK6HdLPr5dxQlziXwJXh2dROt43//
+ABuHRQLyRAi79aGJS7Zehk0NSqxzNcPevXNELGI9TQkm0T0UQZu2Mbq0ciQGKBxu
+WNvsshzzr2UQ8RVRJdZA1De3BwKBgQDM0bWqtCK8Lp1XfF6LhY0kDiXOs/uFD0FB
+ToBzbbZPPII7tpVRy9jLXO2DXEwCj3AsdIwhxAWYWUy75J9EpI41JmY+D4SQRzTq
+y6GiwHcmFr0RtYZpSdmnpWVPTbWwqoH1KCJEyA8sKrOd0BSh06EiFKM8yYjxHs2q
+VYsRqmJPnwKBgQDFwlpDvDHLCLdN6Q3LWLk/XF62NRgxGSOgFmjNHY9Hd/gR4XFc
+dmtBpUZGVmZPbPudHi077d11Gr36boHiGfFx83pGFZ4II2TvbIBn1q777BrK/CT0
+Bs+x+TV73aYMY8RnvHygv8TwQ1qV1sxLJJatfsBMFZgzvBQ68FcUJWasnwKBgQCk
+An2lfu+dnvoxdw7CTKQzrfyKY8dRymBnqjPjuoPVOU/T/yXcxQ4J8pTiroLTPgcG
+IiGgXDZaw49VmgILVnXli6UtpwFxAwQVzA/XoqUGZAjsaF6EazWWMDRK56BJIpBE
+PuoKB+VWaa9A/MG4wB10i/AXGg7FffQUpMFi2Pw2YwKBgHRt+tnkw3gvUSWQ4E/z
+/g525QMFP3xTadIT7qzif+LSMqtip3vVbC+sBAJQ+GChNq8MFnr72H/siOwmODS2
+hWaN/7EQCuxo6bzs9QYIgMa5qkBaQIO5RQWsbj8jcUGKXuGTxbWNkR2+tHzLYxeG
+p/Hb2ZSw9PU5Q7fHpaU9wjEo
+-----END PRIVATE KEY-----
diff --git a/cloudplatform/pom.xml b/cloudplatform/pom.xml
index 93565fd99..b0f1bd2ff 100644
--- a/cloudplatform/pom.xml
+++ b/cloudplatform/pom.xml
@@ -42,6 +42,7 @@
connectivity-oauth
connectivity-apache-httpclient4
connectivity-apache-httpclient5
+ connectivity-fips-sample
resilience
resilience-api
resilience4j
@@ -59,6 +60,17 @@
${project.basedir}/../../
+
+ non-release
+
+
+ !release
+
+
+
+ connectivity-fips-sample
+
+
release
diff --git a/module-inventory.json b/module-inventory.json
index 71f993b18..348da66b0 100644
--- a/module-inventory.json
+++ b/module-inventory.json
@@ -120,6 +120,17 @@
"parentArtifactId": "cloudplatform-parent",
"excludeFromBlackDuckScan": false
},
+ {
+ "groupId": "com.sap.cloud.sdk.cloudplatform",
+ "artifactId": "connectivity-fips-sample",
+ "packaging": "jar",
+ "releaseAudience": "None",
+ "releaseMaturity": "Stable",
+ "pomFile": "cloudplatform/connectivity-fips-sample/pom.xml",
+ "parentGroupId": "com.sap.cloud.sdk.cloudplatform",
+ "parentArtifactId": "cloudplatform-parent",
+ "excludeFromBlackDuckScan": true
+ },
{
"groupId": "com.sap.cloud.sdk.cloudplatform",
"artifactId": "connectivity-oauth",
diff --git a/pom.xml b/pom.xml
index a2172a42b..cf80eb76e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -705,6 +705,7 @@
com.sap.cloud.sdk.datamodel:odata-v4-api-sample
com.sap.cloud.sdk.datamodel:openapi-api-sample
com.sap.cloud.sdk.datamodel:openapi-api-apache-sample
+ com.sap.cloud.sdk.cloudplatform:connectivity-fips-sample