Task
Resolution: Won't Do
Major
As part of the Red Hat build of OpenJDK 25 FIPS setup, we are moving most of our downstream code to configuration changes, relying on recently upstreamed features.
In this context, the most relevant upstream feature for the crypto-policies package is JDK-8319332: Security properties files inclusion, which introduces the include directive we use to apply the Java crypto policy.
In the case of the FIPS crypto policy, we will need an additional include from the policy to OpenJDK's java.security.fips. This makes the FIPS setup just a consequence of applying the FIPS crypto policy.
In other words, for the FIPS policy, we need it to start with the following include directive:
    # Trigger OpenJDK FIPS setup
    include ${java.home}/conf/security/java.security.fips
    # [...] REST OF THE FILE CONTENT UNCHANGED
Other policies need to stay as they are today (unless they are FIPS policies).
Backwards compatibility note: for older JDKs, the include directive is innocuous: it just defines an unused include=${java.home}/conf/security/java.security.fips security property.
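The following is an added example, not part of the original issue or of Red Hat's code. It checks that a policy file starts with the include directive and shows what a parser without include support makes of that line. The class name, the sample policies and the use of a plain java.util.Properties load as a stand-in for an older JDK are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class FipsPolicyIncludeCheck {
    // Directive quoted in the issue text.
    static final String FIPS_INCLUDE =
            "include ${java.home}/conf/security/java.security.fips";

    // True if the first line that is neither blank nor a comment is the FIPS include.
    static boolean startsWithFipsInclude(String policy) {
        for (String line : policy.split("\\R")) {
            String t = line.strip();
            if (t.isEmpty() || t.startsWith("#") || t.startsWith("!")) continue;
            return t.equals(FIPS_INCLUDE);
        }
        return false;
    }

    // What a properties parser with no include support makes of the file (assumed stand-in).
    static Properties legacyParse(String policy) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(policy));
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample policies; the jdk.tls.disabledAlgorithms values are placeholders.
        String fips = "# Trigger OpenJDK FIPS setup\n"
                + FIPS_INCLUDE + "\n"
                + "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1\n";
        String other = "jdk.tls.disabledAlgorithms=SSLv3\n";

        System.out.println("FIPS policy starts with include: " + startsWithFipsInclude(fips));
        System.out.println("other policy starts with include: " + startsWithFipsInclude(other));

        Properties legacy = legacyParse(fips);
        // Whitespace ends the key, so the directive becomes a property named "include".
        System.out.println("legacy include = " + legacy.getProperty("include"));
        // The rest of the policy is still read as ordinary properties.
        System.out.println("legacy jdk.tls.disabledAlgorithms = "
                + legacy.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```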
A better overview, including an interactive diagram, can be found in OPENJDK-2108.
- relates to
OPENJDK-2108 Remove crypto-policies and FIPS automation related patches
- In Progress