SAP · rpanackal · Jun 8, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/cloudplatform/connectivity-fips-sample/pom.xml b/cloudplatform/connectivity-fips-sample/pom.xml
@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>com.sap.cloud.sdk.cloudplatform</groupId>
+		<artifactId>cloudplatform-parent</artifactId>
+		<version>5.31.0-SNAPSHOT</version>
+	</parent>
+	<artifactId>connectivity-fips-sample</artifactId>
+	<name>Connectivity - FIPS Sample</name>
+	<description>Non-released sample module that runs connectivity tests under the FIPS-approved Bouncy Castle provider.</description>
+	<url>https://sap.github.io/cloud-sdk/docs/java/getting-started</url>
+	<organization>
+		<name>SAP SE</name>
+		<url>https://www.sap.com</url>
+	</organization>
+	<licenses>
+		<license>
+			<name>The Apache Software License, Version 2.0</name>
+			<url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
+		</license>
+	</licenses>
+	<developers>
+		<developer>
+			<name>SAP</name>
+			<email>cloudsdk@sap.com</email>
+			<organization>SAP SE</organization>
+			<organizationUrl>https://www.sap.com</organizationUrl>
+		</developer>
+	</developers>
+	<properties>
+		<bc-fips.version>2.1.2</bc-fips.version>
+		<bcpkix-fips.version>2.1.9</bcpkix-fips.version>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>com.sap.cloud.sdk.cloudplatform</groupId>
+			<artifactId>cloudplatform-connectivity</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.bouncycastle</groupId>
+					<artifactId>bcprov-jdk18on</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.bouncycastle</groupId>
+					<artifactId>bcpkix-jdk18on</artifactId>
+				</exclusion>
+			</exclusions>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bc-fips</artifactId>
+			<version>${bc-fips.version}</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-fips</artifactId>
+			<version>${bcpkix-fips.version}</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<scope>provided</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.junit.jupiter</groupId>
+			<artifactId>junit-jupiter-api</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.assertj</groupId>
+			<artifactId>assertj-core</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-surefire-plugin</artifactId>
+				<configuration>
+					<argLine>${argLine} -Dorg.bouncycastle.fips.approved_only=true
+					</argLine>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-dependency-plugin</artifactId>
+				<configuration>
+					<ignoredUnusedDeclaredDependencies combine.children="append">
+						<ignoredUnusedDeclaredDependency>org.bouncycastle:bc-fips</ignoredUnusedDeclaredDependency>
+						<ignoredUnusedDeclaredDependency>org.bouncycastle:bcpkix-fips</ignoredUnusedDeclaredDependency>
+						<ignoredUnusedDeclaredDependency>com.sap.cloud.sdk.cloudplatform:cloudplatform-connectivity</ignoredUnusedDeclaredDependency>
+					</ignoredUnusedDeclaredDependencies>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-checkstyle-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-pmd-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-javadoc-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.jacoco</groupId>
+				<artifactId>jacoco-maven-plugin</artifactId>
+				<configuration><skip>true</skip></configuration>
+			</plugin>
+		</plugins>
+	</build>
+	<profiles>
+		<profile>
+			<id>release</id>
+			<activation>
+				<property><name>release</name></property>
+			</activation>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.sonatype.central</groupId>
+						<artifactId>central-publishing-maven-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>injected-central-publishing</id>
+								<phase />
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+</project>
diff --git a/...s-sample/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/FipsProviderTest.java b/...s-sample/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/FipsProviderTest.java
@@ -0,0 +1,78 @@
+package com.sap.cloud.sdk.cloudplatform.connectivity;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import java.io.FileReader;
+import java.security.KeyStore;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Security;
+
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import lombok.SneakyThrows;
+
+/**
+ * Tests the behavior of {@link KeyStoreReader} when operating in FIPS-approved mode with BouncyCastle FIPS provider.
+ */
+class FipsProviderTest
+{
+    private static final String RES = "src/test/resources/certificates";
+    private static final String CRT_PATH = RES + "/client-cert.crt";
+    private static final String KEY_PATH = RES + "/client-cert.key";
+    private static final String ALIAS = "client-cert";
+    private static final char[] EMPTY_PASSWORD = new char[0];
+
+    @AfterAll
+    static void removeBouncyCastleFips()
+    {
+        Security.removeProvider("BCFIPS");
+    }
+
+    @BeforeAll
+    static void registerBouncyCastleFips()
+    {
+        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
+
+        assertThat(Security.getProvider("BCFIPS"))
+            .describedAs("BC FIPS provider must be registered as a JCA provider")
+            .isNotNull();
+
+        assertThat(CryptoServicesRegistrar.isInApprovedOnlyMode())
+            .describedAs("BC FIPS must be in approved-only mode. ")
+            .isTrue();
+    }
+
+    @Test
+    @SneakyThrows
+    void testDefaultKeystoreTypeIsP12()
+    {
+        final KeyStore keyStore =
+            KeyStoreReader.createKeyStore(ALIAS, EMPTY_PASSWORD, new FileReader(CRT_PATH), new FileReader(KEY_PATH));
+
+        assertThat(keyStore.getType()).isEqualToIgnoringCase("PKCS12");
+    }
+
+    @Test
+    @SneakyThrows
+    void testKeystoreTypeOverrideToBCFKS()
+    {
+        Security.setProperty("keystore.type", "BCFKS");
+
+        final KeyStore keyStore = KeyStore.getInstance("BCFKS");
+        assertThat(keyStore.getType()).isEqualTo("BCFKS");
+    }
+
+    @Test
+    void testMD5IsRejectedInApprovedOnlyMode()
+    {
+        assertThatThrownBy(() -> MessageDigest.getInstance("MD5", "BCFIPS"))
+            .isInstanceOf(NoSuchAlgorithmException.class);
+
+    }
+}
diff --git a/cloudplatform/connectivity-fips-sample/src/test/resources/README.md b/cloudplatform/connectivity-fips-sample/src/test/resources/README.md
@@ -0,0 +1,18 @@
+# Credentials
+
+The credential files are required for running the FIPS provider tests.
+
+## Generate Client Credentials
+
+Run the following commands from `cloudplatform/connectivity-fips-sample/src/test/resources/`:
+
+```bash
+# Create the directory
+mkdir -p certificates
+
+# Generate the key and certificate using Docker (alpine/openssl)
+docker run --rm -v "$(pwd)/certificates:/certs" alpine/openssl \
+ req -x509 -newkey rsa:2048 -nodes \
+ -keyout /certs/client-cert.key \
+ -out /certs/client-cert.crt \
+ -days 3650 -subj "/CN=localhost"
diff --git a/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.crt b/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUBERZ7w9qG2je5O6o+Nn+ssaZYOQwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDYwODEzMjQzNVoXDTM2MDYw
+NTEzMjQzNVowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAsXImnalCNo7Jk4EyD1aqWJgrzVXYALVKm8kq5E+azFpv
+3XB8QQBUXfJJNdkY1uNni6cd+twTzAhdBK+ygTsBkDbMz/r0oniLlLmGTG7L5aCW
+asYVa+HTesi0EunlGDzFbRSuwy/IdfvK2uaU0VeGoyt7Zr0OWg72mPwGPQRvPcEI
+ZljEkgajhiHeEGM9hlCTZnpx9Aye3C/4yek4734QK+ZYqvW/1mYJ08EwDudQUy8n
+rrXhAg7/ppS9v2480fAGI7WonRt4y+sAlaET8YkxNXCRPygwTDaGfQ/yjvXfK37B
+yiEl8qDMFU/WVjEBlet8wLT2/A7qxzjow0UWtsPWWQIDAQABo1MwUTAdBgNVHQ4E
+FgQUEfT0MvVXq56A21bschMDKdUqg7UwHwYDVR0jBBgwFoAUEfT0MvVXq56A21bs
+chMDKdUqg7UwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQI0R
+I+x9f2zfQThxkRsF5NoQCqgtaGckcsqk1ADcDLqQWck/j9CE3xMLPYcDKgwURG5s
+/yHUJhv+9/S2uQ/0Xl32GF8fl45av3yUz1aPW6T1JsHWD6/thUtoxvuZr5W1rn/1
+UdYvVnNutLGp1PQWbjxmdH2sZwmDZ/2ovKNCEwnmzOi3Jft7xnu94SyTZqVYnJt0
+rQw5NwrjxspPsJQx/2Rd7EEeg4b/LQEQrEIhchNPzGyLK14mF4nk/ImZ5unkNePt
+kgy6ysoQWHBf+N+184c9B3+qFZAItWOGvBx9z0jS9eQELWT7MBsJ4s2Lufku73kn
+V2gbQ/izbQlQpKduuw==
+-----END CERTIFICATE-----
diff --git a/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.key b/cloudplatform/connectivity-fips-sample/src/test/resources/certificates/client-cert.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxciadqUI2jsmT
+gTIPVqpYmCvNVdgAtUqbySrkT5rMWm/dcHxBAFRd8kk12RjW42eLpx363BPMCF0E
+r7KBOwGQNszP+vSieIuUuYZMbsvloJZqxhVr4dN6yLQS6eUYPMVtFK7DL8h1+8ra
+5pTRV4ajK3tmvQ5aDvaY/AY9BG89wQhmWMSSBqOGId4QYz2GUJNmenH0DJ7cL/jJ
+6TjvfhAr5liq9b/WZgnTwTAO51BTLyeuteECDv+mlL2/bjzR8AYjtaidG3jL6wCV
+oRPxiTE1cJE/KDBMNoZ9D/KO9d8rfsHKISXyoMwVT9ZWMQGV63zAtPb8DurHOOjD
+RRa2w9ZZAgMBAAECggEAA0Y7+C97YqOtNzpBwOQJ2KtWLj/Qmz1n1wrAmTNELqks
+j0WCxXWgGOuzoM6/ape0/XAOruZeEdHFsE8drXd38T/8SjTd9sbgAdU6k9vSNLaL
+Oq/VDVyUGRvtrBECLTmnMFAauXdUQk5se9rtZr+FYyrA6DBs518x+w4Lf2y+22uA
+lj5MD+rXxwGPz3doVmNNfX3pxrswuwD3yAu4E9A3vFSth1OF/4Li4Y2rFVLUELtw
+8halPQAlBu2lmawCD8J68cUCIzlVu9OBPtinrjGxuAvj6lhEmkuakwvkSxFeOZwB
+ZvtC0RIGM6mOzwqTWy1dJ35Le3f2qLYT3tO7zIguUQKBgQDdyV8nyu3Y1odRA/Rd
+y36Xidm7YySwnyF/GZMVM0Cm2iKFGoo0Ym0gK6HdLPr5dxQlziXwJXh2dROt43//
+ABuHRQLyRAi79aGJS7Zehk0NSqxzNcPevXNELGI9TQkm0T0UQZu2Mbq0ciQGKBxu
+WNvsshzzr2UQ8RVRJdZA1De3BwKBgQDM0bWqtCK8Lp1XfF6LhY0kDiXOs/uFD0FB
+ToBzbbZPPII7tpVRy9jLXO2DXEwCj3AsdIwhxAWYWUy75J9EpI41JmY+D4SQRzTq
+y6GiwHcmFr0RtYZpSdmnpWVPTbWwqoH1KCJEyA8sKrOd0BSh06EiFKM8yYjxHs2q
+VYsRqmJPnwKBgQDFwlpDvDHLCLdN6Q3LWLk/XF62NRgxGSOgFmjNHY9Hd/gR4XFc
+dmtBpUZGVmZPbPudHi077d11Gr36boHiGfFx83pGFZ4II2TvbIBn1q777BrK/CT0
+Bs+x+TV73aYMY8RnvHygv8TwQ1qV1sxLJJatfsBMFZgzvBQ68FcUJWasnwKBgQCk
+An2lfu+dnvoxdw7CTKQzrfyKY8dRymBnqjPjuoPVOU/T/yXcxQ4J8pTiroLTPgcG
+IiGgXDZaw49VmgILVnXli6UtpwFxAwQVzA/XoqUGZAjsaF6EazWWMDRK56BJIpBE
+PuoKB+VWaa9A/MG4wB10i/AXGg7FffQUpMFi2Pw2YwKBgHRt+tnkw3gvUSWQ4E/z
+/g525QMFP3xTadIT7qzif+LSMqtip3vVbC+sBAJQ+GChNq8MFnr72H/siOwmODS2
+hWaN/7EQCuxo6bzs9QYIgMa5qkBaQIO5RQWsbj8jcUGKXuGTxbWNkR2+tHzLYxeG
+p/Hb2ZSw9PU5Q7fHpaU9wjEo
+-----END PRIVATE KEY-----
diff --git a/cloudplatform/pom.xml b/cloudplatform/pom.xml
@@ -42,6 +42,7 @@
 		<module>connectivity-oauth</module>
 		<module>connectivity-apache-httpclient4</module>
 		<module>connectivity-apache-httpclient5</module>
+		<module>connectivity-fips-sample</module>
 		<module>resilience</module>
 		<module>resilience-api</module>
 		<module>resilience4j</module>
@@ -59,6 +60,17 @@
 		<project.rootdir>${project.basedir}/../../</project.rootdir>
 	</properties>
 	<profiles>
+		<profile>
+			<id>non-release</id>
+			<activation>
+				<property>
+					<name>!release</name>
+				</property>
+			</activation>
+			<modules>
+				<module>connectivity-fips-sample</module>
+			</modules>
+		</profile>
 		<profile>
 			<id>release</id>
 			<activation>

diff --git a/module-inventory.json b/module-inventory.json
@@ -120,6 +120,17 @@
     "parentArtifactId": "cloudplatform-parent",
     "excludeFromBlackDuckScan": false
   },
+  {
+    "groupId": "com.sap.cloud.sdk.cloudplatform",
+    "artifactId": "connectivity-fips-sample",
+    "packaging": "jar",
+    "releaseAudience": "None",
+    "releaseMaturity": "Stable",
+    "pomFile": "cloudplatform/connectivity-fips-sample/pom.xml",
+    "parentGroupId": "com.sap.cloud.sdk.cloudplatform",
+    "parentArtifactId": "cloudplatform-parent",
+    "excludeFromBlackDuckScan": true
+  },
   {
     "groupId": "com.sap.cloud.sdk.cloudplatform",
     "artifactId": "connectivity-oauth",

diff --git a/pom.xml b/pom.xml
@@ -705,6 +705,7 @@
 										<exclude>com.sap.cloud.sdk.datamodel:odata-v4-api-sample</exclude>
 										<exclude>com.sap.cloud.sdk.datamodel:openapi-api-sample</exclude>
 										<exclude>com.sap.cloud.sdk.datamodel:openapi-api-apache-sample</exclude>
+										<exclude>com.sap.cloud.sdk.cloudplatform:connectivity-fips-sample</exclude>
 									</excludes>
 								</bannedDependencies>
 							</rules>