doc

docs/reference/settings/security-settings.asciidoc

@@ -71,6 +71,11 @@ the sensitive nature of the information.
 (<<static-cluster-setting,Static>>)
 Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS 140-2 enabled JVM. For more information, see <<fips-140-compliance>>. Defaults to `false`.
 
+`xpack.security.fips_mode.required_providers`::
+(<<static-cluster-setting,Static>>)
+Optionally enforce specific Java JCE/JSSE security providers. For example set this to `["BCFIPS"]` to require the Bouncy Castle FIPS
+security provider. Only applicable when `xpack.security.fips_mode.enabled` is set to `true`.
+
 [discrete]
 [[password-hashing-settings]]
 ==== Password hashing settings

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -1573,15 +1573,15 @@ static void validateForFips(Settings settings) {
         }
 
         final List<String> requiredProviders = XPackSettings.FIPS_REQUIRED_PROVIDERS.get(settings);
-        logger.info("JVM Security Providers " + foundProviders);
+        logger.info("JVM Security Providers: " + foundProviders);
         if (requiredProviders != null && requiredProviders.isEmpty() == false) {
             List<String> unsatisfiedProviders = requiredProviders.stream()
                 .map(s -> s.toLowerCase(Locale.ROOT))
                 .filter(element -> foundProviders.contains(element) == false)
                 .toList();
 
             if (unsatisfiedProviders.isEmpty() == false) {
-                String errorMessage = "Could not find required FIPS security provider " + unsatisfiedProviders;
+                String errorMessage = "Could not find required FIPS security provider: " + unsatisfiedProviders;
                 logger.error(errorMessage);
                 validationErrors.add(errorMessage);
             }