Enable tests in FIPS 140 in JDK 11

[jkakavas]

This change enables us to run our test suites in JVMs configured in
FIPS 140 approved mode without a CI specific setup. It does so by:

• Using BouncyCastle FIPS Cryptographic provider and BSJSSE in
  FIPS mode for JDK9 and later. These are used as testRuntime
  dependencies for unit tests and internal clusters, and copied (relevant jars)
  explicitly to the lib directory for testclusters used in REST tests

• For JDK8 we still use SunJSSE in FIPS mode ( which also uses the
  BouncyCastle FIPS Cryptographic provider ) since this is what we
  have been testing with so far and this is what probably all existing
  users are currently using to run ES in FIPS 140 mode.

• Configuring any given runtime Java in FIPS mode using the system
  properties java.security.properties and java.security.policy
  with the == operator that overrides the default JVM properties
  and policy.

Running the tests in FIPS 140 approved mode doesn't require an
additional configuration either in CI workers or locally and is
controlled by specifying -Dtests.fips.enabled=true

This will not be merged until #49096 is merged, because we will be removing all the FIPS 140 related logic from CI and we will need a way to define
FIPS 140 jobs in our repo.

This is a backport of #48378 and #49319

[elasticmachine]

Pinging @elastic/es-core-infra (:Core/Infra/Build)

[elasticmachine]

Pinging @elastic/es-security (:Security/Security)

[mark-vieira]

This will not be merged until #49096 is merged, because we will be removing all the FIPS 140 related logic from CI and we will need a way to define FIPS 140 jobs in our repo.

FYI, it might be a bit until we can get that merged. I'll be out all next week and there's still testing that needs to be done here. If this is high priority perhaps we can make this compatible with the existing job definitions somehow?

[jkakavas]

FYI, it might be a bit until we can get that merged. I'll be out all next week and there's still testing that needs to be done here. If this is high priority perhaps we can make this compatible with the existing job definitions somehow?

I don't think an extra couple of weeks would be detrimental, we still run the 7.x branches in FIPS 140 with the current CI setup, so I'd prefer to not introduce any temporary setup. No harm in getting this approved, and I'll have an extra one ready to raise with a job definition for FIPS tests to go along with it once we merge #49096

[jkakavas]

The major difference with #48378 and #49319 that are being backported is here, where we conditionally use a different policy/properties file for 8

[mark-vieira]

@jkakavas Is #49096 strictly required for this? I don't want to hold this stuff up any longer for that work which requires quite a bit of testing still. Perhaps we can sync up on this.

[jkakavas]

@jkakavas Is #49096 strictly required for this? I don't want to hold this stuff up any longer for that work which requires quite a bit of testing still. Perhaps we can sync up on this.

@mark-vieira I don't think it's strictly required. This seemed like the appropriate way to trigger fips builds now that we are stripping all relevant handling from the infra side. We could trigger CI builds in another way (haven't thought what that might be), maybe you have a better idea. Let's sync today

[jkakavas]

@mark-vieira merge conflicts are taken care of and CI is green, this is ready for a review

[mark-vieira]

Minor comments but otherwise LGTM.

[mark-vieira]

The only bit that needs to be inside this ready { } block is the bit that checks runtimeJavaVersion. Everything else can be done at configuration time.

[mark-vieira]

Same as above, we can limit the surface area of ready { } here to only that bit conditional on java runtime version.