The Enterprise Spring Boot Governance Starter library can be configured with the following properties.

| Property | Description |
| --- | --- |
| tanzu.governance.test-mode | Null by default. Possible values: [once, per_request]. When unset or set to once, the library runs the tests once at startup and returns the same result going forward. When set to per_request, the library runs tests at startup and at every call to the /actuator/governance endpoint. |
| tanzu.governance.fips.exit-on-failure | True by default. When true, the application runs validation tests at startup and shuts down if any tests fail; otherwise it prints a warning message and continues. |
| tanzu.governance.fips.config.bouncy-castle.enforce | True by default. When true, BouncyCastle is configured in FIPS mode and is set as the primary security provider in the application context. |
| tanzu.governance.fips.config.bouncy-castle.provider-config | Null by default. Set to override the BouncyCastle FIPS provider's configuration. See the Bouncy Castle documentation, Section 2.3: Provider configuration, for accepted values. |
| tanzu.governance.fips.config.server-tls.enforce | True by default. When true, the application configures the web server with FIPS default ciphers and protocols. Supports Tomcat and Netty. |
| tanzu.governance.specs.skip | Empty by default. Comma-separated list of Spec IDs to skip when performing validations. |

Note that even if tanzu.governance.fips.exit-on-failure is set to false, your application may still fail to start if a rule is enforced (as it is by default) but the related configuration or beans are not available.

For example, to enforce server TLS, the application must have SSL configured in its application properties:

server:
  ssl:
    enabled: true
    bundle: my-ssl-bundle
    # Or, prior to Spring Boot 3.1, without the SSL bundle:
    key-alias: my-key
    key-store: classpath:certs/my-key-store.bks
    key-store-password: changeit
    key-password: changeit
    key-store-type: "BCFKS"

An application without a proper SSL configuration fails with a server startup error even with tanzu.governance.fips.exit-on-failure=false, because the enforcer cannot find available SSL settings in the application context. To bypass this error, you can set tanzu.governance.fips.config.server-tls.enforce to false.
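
A preflight check for the failure mode described above, suitable for a CI step. This is an added example, not part of the library or its documentation. It assumes flat key=value properties input, and it assumes that "SSL configured" means server.ssl.enabled is not false and either server.ssl.bundle or server.ssl.key-store is set; the sample input and the spec ID in it are constructed.

```python
# Added example: preflight lint for the governance properties described above.
# Input is flat key=value properties text; the sample below is constructed.
DEFAULTS = {  # defaults as stated in the property table
    "tanzu.governance.fips.exit-on-failure": "true",
    "tanzu.governance.fips.config.bouncy-castle.enforce": "true",
    "tanzu.governance.fips.config.server-tls.enforce": "true",
}
SKIP_KEY = "tanzu.governance.specs.skip"

def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return a list of (severity, message) findings for one properties file."""
    props = {**DEFAULTS, **parse_properties(text)}
    is_true = lambda key: props.get(key, "").lower() == "true"
    findings = []
    # Assumption: SSL counts as configured when it is not disabled and a
    # bundle or key store is named (the page does not state the exact check).
    ssl_enabled = props.get("server.ssl.enabled", "true").lower() != "false"
    has_ssl = ssl_enabled and (props.get("server.ssl.bundle") or props.get("server.ssl.key-store"))
    if is_true("tanzu.governance.fips.config.server-tls.enforce") and not has_ssl:
        findings.append(("error", "server-tls is enforced but no server.ssl.* settings found: startup error expected"))
    for key in DEFAULTS:
        if not is_true(key):
            findings.append(("warn", f"{key} is not true: default enforcement relaxed"))
    if props.get(SKIP_KEY):
        findings.append(("warn", f"specs skipped during validation: {props[SKIP_KEY]}"))
    return findings

# Constructed sample: exit-on-failure relaxed, one spec skipped, no SSL settings.
SAMPLE = """\
tanzu.governance.fips.exit-on-failure=false
tanzu.governance.specs.skip=SPEC-PLACEHOLDER-1
"""

if __name__ == "__main__":
    for severity, message in lint(SAMPLE):
        print(f"{severity}: {message}")
```
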
