diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java index 570ab4a9f70e1..adf6f6878d322 100644 --- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java @@ -77,6 +77,7 @@ public class GlobalBuildInfoPlugin implements Plugin { private static final Logger LOGGER = Logging.getLogger(GlobalBuildInfoPlugin.class); private static final String DEFAULT_LEGACY_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/LegacyESVersion.java"; private static final String DEFAULT_VERSION_JAVA_FILE_PATH = "libs/core/src/main/java/org/opensearch/Version.java"; + protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD"; private static Integer _defaultParallel = null; private final JvmMetadataDetector jvmMetadataDetector; @@ -112,6 +113,8 @@ public void apply(Project project) { BuildParams.init(params -> { // Initialize global build parameters boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null; + var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD); + var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-2"); params.reset(); params.setRuntimeJavaHome(runtimeJavaHome); @@ -129,7 +132,7 @@ public void apply(Project project) { params.setIsCi(System.getenv("JENKINS_URL") != null); params.setIsInternal(isInternal); params.setDefaultParallel(findDefaultParallel(project)); - params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", false)); + params.setInFipsJvm(inFipsJvm); params.setIsSnapshotBuild(Util.getBooleanProperty("build.snapshot", true)); if (isInternal) { params.setBwcVersions(resolveBwcVersions(rootDir)); 
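Review bot: The new `inFipsJvm` derivation treats every value of `OPENSEARCH_CRYPTO_STANDARD` other than the exact string `FIPS-140-2` (a typo, lower case, a future `FIPS-140-3`) as "not FIPS", so a misconfigured build silently runs without approved-only mode while the operator believes it is on, and the `tests.fips.enabled` Gradle property that the hunk removes is now ignored with no warning for anyone still passing it. I would reject unknown values rather than default them: `var inFipsJvm = "FIPS-140-2".equals(cryptoStandard);` followed by `if (cryptoStandard != null && inFipsJvm == false) { throw new IllegalArgumentException("Unsupported OPENSEARCH_CRYPTO_STANDARD value: " + cryptoStandard); }` (or the build's usual exception type), and a one-line comment above it pointing out that the same variable is read by the launcher and Bootstrap. `apply` starts inside the hunk but its body continues beyond it.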
@@ -179,7 +182,7 @@ private void logGlobalBuildInfo() { LOGGER.quiet(" JAVA_HOME : " + gradleJvm.getJavaHome()); } LOGGER.quiet(" Random Testing Seed : " + BuildParams.getTestSeed()); - LOGGER.quiet(" In FIPS 140 mode : " + BuildParams.isInFipsJvm()); + LOGGER.quiet(" Crypto Standard : " + Optional.ofNullable(System.getenv(OPENSEARCH_CRYPTO_STANDARD)).orElse("any-supported")); LOGGER.quiet("======================================="); } diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java index cd22560af9a96..7d98785acf3b5 100644 --- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java @@ -556,7 +556,7 @@ public synchronized void start() { if (keystoreSettings.isEmpty() == false || keystoreFiles.isEmpty() == false) { logToProcessStdout("Adding " + keystoreSettings.size() + " keystore settings and " + keystoreFiles.size() + " keystore files"); - keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", "-x", key)); + keystoreSettings.forEach((key, value) -> runKeystoreCommandWithPassword(keystorePassword, value.toString(), "add", key)); for (Map.Entry entry : keystoreFiles.entrySet()) { File file = entry.getValue(); @@ -738,7 +738,12 @@ private void runOpenSearchBinScriptWithInput(String input, String tool, CharSequ } private void runKeystoreCommandWithPassword(String keystorePassword, String input, CharSequence... args) { - final String actualInput = keystorePassword.length() > 0 ? keystorePassword + "\n" + input : input; + final String actualInput; + if (keystorePassword.length() > 0) { + actualInput = keystorePassword + "\n" + input + "\n" + input; + } else { + actualInput = input + "\n" + input; + } runOpenSearchBinScriptWithInput(actualInput, "opensearch-keystore", args); } 
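Review bot: The new "Crypto Standard" line prints the raw environment value rather than what the build decided, so a misspelt value is displayed as the active standard even though `apply` treated it as non-FIPS; printing both, e.g. `LOGGER.quiet(" Crypto Standard : " + ... + " (FIPS approved-only: " + BuildParams.isInFipsJvm() + ")");`, keeps the log honest. The hunk also introduces `Optional` without an accompanying import change in this file, so it presumably is already imported — worth confirming. `logGlobalBuildInfo` starts before the hunk.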
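Review bot: `runKeystoreCommandWithPassword` now writes `input` to the tool's stdin twice, and nothing says why; together with the `-x` flag being dropped from the `add` call in the earlier hunk this only works if `opensearch-keystore add` prompts for the value and then a confirmation, and a tool version that prompts once would leave the second copy to be consumed by whatever prompt comes next. Please document the protocol on the spot, e.g. `// without -x the keystore tool prompts for the value and then for a confirmation, so the value is fed twice (after the optional keystore password)`, so the coupling to the CLI's prompt order is visible. The keystore password itself is still only passed on stdin, never on the command line, which is the right choice.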
diff --git a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java index 325c7b0c0fbb8..3e38f9ae95dec 100644 --- a/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java +++ b/client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java @@ -48,7 +48,6 @@ import org.apache.hc.core5.http.nio.ssl.TlsStrategy; import org.apache.hc.core5.reactor.ssl.TlsDetails; import org.apache.hc.core5.util.Timeout; -import org.bouncycastle.crypto.CryptoServicesRegistrar; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; @@ -332,20 +331,9 @@ public TlsDetails create(final SSLEngine sslEngine) { .setTlsStrategy(tlsStrategy) .build(); - var inFipsJvm = CryptoServicesRegistrar.isInApprovedOnlyMode(); - HttpAsyncClientBuilder httpClientBuilder = HttpAsyncClientBuilder.create() .setDefaultRequestConfig(requestConfigBuilder.build()) .setConnectionManager(connectionManager) - .setThreadFactory((Runnable r) -> { - Runnable runnable = () -> { - if (inFipsJvm) { - CryptoServicesRegistrar.setApprovedOnlyMode(true); - } - r.run(); - }; - return new Thread(runnable, "os-client-dispatcher"); - }) .setTargetAuthenticationStrategy(DefaultAuthenticationStrategy.INSTANCE) .disableAutomaticRetries(); if (httpClientConfigCallback != null) { diff --git a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java index aab9e008ca708..c1e89664dc405 100644 --- a/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java +++ b/client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java 
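Review bot: Deleting the thread factory also drops the `os-client-dispatcher` thread name, which is not needed for the FIPS change and costs observability in thread dumps; a naming-only factory keeps it: `.setThreadFactory(r -> new Thread(r, "os-client-dispatcher"))`. More importantly, the client no longer enforces approved-only mode on its own threads and relies on the JVM having been started with `-Dorg.bouncycastle.fips.approved_only=true` (the launcher elsewhere in this diff does that for server nodes), so a standalone application embedding this client gets no FIPS enforcement from the library — that expectation should be stated in the class Javadoc, roughly "FIPS approved-only mode is not set by this client; configure it at JVM level". The enclosing `build()` method starts before the hunk and continues after it.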
@@ -39,7 +39,6 @@ import org.apache.hc.core5.http.HttpHost; import org.apache.hc.core5.ssl.SSLContextBuilder; -import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.opensearch.common.crypto.KeyStoreFactory; import org.opensearch.common.crypto.KeyStoreType; import org.junit.AfterClass; @@ -60,7 +59,6 @@ import java.security.SecureRandom; import java.util.concurrent.Executor; import java.util.concurrent.ExecutorService; -import java.util.concurrent.Executors; import java.util.concurrent.TimeUnit; import static org.hamcrest.MatcherAssert.assertThat; @@ -80,17 +78,6 @@ public static void startHttpServer() throws Exception { httpsServer = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0); httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true))); httpsServer.createContext("/", new ResponseHandler()); - var inFipsJvm = inFipsJvm(); - Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> { - Runnable runnable = () -> { - if (inFipsJvm) { - CryptoServicesRegistrar.setApprovedOnlyMode(true); - } - r.run(); - }; - return new Thread(runnable, "test-httpserver-dispatcher"); - }); - httpsServer.setExecutor(executor); httpsServer.start(); } diff --git a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java index e7c17e81dabed..49ee3373a071e 100644 --- a/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java +++ b/client/test/src/main/java/org/opensearch/client/RestClientTestCase.java @@ -45,8 +45,6 @@ import com.carrotsearch.randomizedtesting.annotations.TimeoutSuite; import org.apache.hc.core5.http.Header; -import org.bouncycastle.crypto.CryptoServicesRegistrar; -import org.junit.BeforeClass; import java.util.ArrayList; import java.util.HashMap; 
@@ -127,14 +125,4 @@ private static void addValueToListEntry(final Map> map, fin values.add(value); } - @BeforeClass - public static void setFipsJvm() { - boolean isFipsEnabled = Boolean.parseBoolean(System.getProperty("tests.fips.enabled", "false")); - CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled); - } - - public static boolean inFipsJvm() { - return CryptoServicesRegistrar.isInApprovedOnlyMode(); - } - } diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java index 030dc15aa67fe..2d10fac45efda 100644 --- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java +++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java @@ -78,7 +78,8 @@ static List systemJvmOptions(final Path config) { // log4j 2 "-Dlog4j.shutdownHookEnabled=false", "-Dlog4j2.disable.jmx=true", - // security manager + // security settings + enableFips(), allowSecurityManagerOption(), loadJavaSecurityProperties(config), javaLocaleProviders() @@ -86,6 +87,14 @@ static List systemJvmOptions(final Path config) { ).stream().filter(e -> e.isEmpty() == false).collect(Collectors.toList()); } + private static String enableFips() { + var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD"); + if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) { + return "-Dorg.bouncycastle.fips.approved_only=true"; + } + return ""; + } + private static String loadJavaSecurityProperties(final Path config) { var securityFile = config.resolve("fips_java.security"); return "-Djava.security.properties=" + securityFile.toAbsolutePath(); diff --git a/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java b/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java index 92313e27f0544..c553effc65ab5 100644 
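Review bot: `enableFips()` returns an empty option for every value of `OPENSEARCH_CRYPTO_STANDARD` except the exact literal `FIPS-140-2`, so a launcher started with a mistyped value starts the JVM without `org.bouncycastle.fips.approved_only` and nothing else in this file reports it; since this is the single point that actually turns approved-only mode on, it should fail loudly: `if ("FIPS-140-2".equals(cryptoStandard)) return "-Dorg.bouncycastle.fips.approved_only=true";` followed by `if (cryptoStandard != null) throw new IllegalArgumentException("unsupported OPENSEARCH_CRYPTO_STANDARD value: " + cryptoStandard);`. The same variable name and literal are now spelled out in the build plugin, Bootstrap, this launcher and build.gradle; a comment here naming those other readers would help keep them in sync. The system property only has an effect when the BC-FIPS provider is the one installed, which this hunk cannot verify — worth a sentence in the method comment.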
--- a/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java +++ b/modules/reindex/src/main/java/org/opensearch/index/reindex/Reindexer.java @@ -45,7 +45,6 @@ import org.apache.hc.core5.util.Timeout; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.opensearch.action.DocWriteRequest; import org.opensearch.action.bulk.BackoffPolicy; import org.opensearch.action.bulk.BulkItemResponse; @@ -183,14 +182,7 @@ private ActionListener getRemoteReindexWrapperListener( } static RestClient buildRestClient(RemoteInfo remoteInfo, ReindexSslConfig sslConfig, long taskId, List threadCollector) { - return buildRestClient( - remoteInfo, - sslConfig, - taskId, - threadCollector, - Optional.empty(), - CryptoServicesRegistrar.isInApprovedOnlyMode() - ); + return buildRestClient(remoteInfo, sslConfig, taskId, threadCollector, Optional.empty()); } /** @@ -207,8 +199,7 @@ static RestClient buildRestClient( ReindexSslConfig sslConfig, long taskId, List threadCollector, - Optional restInterceptor, - boolean isFipsEnabled + Optional restInterceptor ) { Header[] clientHeaders = new Header[remoteInfo.getHeaders().size()]; int i = 0; 
@@ -235,16 +226,11 @@ static RestClient buildRestClient( } // Stick the task id in the thread name so we can track down tasks from stack traces AtomicInteger threads = new AtomicInteger(); - c.setThreadFactory((Runnable r) -> { - Runnable runnable = () -> { - if (isFipsEnabled) { - CryptoServicesRegistrar.setApprovedOnlyMode(true); - } - r.run(); - }; - var thread = new Thread(runnable, "os-client-" + taskId + "-" + threads.getAndIncrement()); - threadCollector.add(thread); - return thread; + c.setThreadFactory(r -> { + String name = "es-client-" + taskId + "-" + threads.getAndIncrement(); + Thread t = new Thread(r, name); + threadCollector.add(t); + return t; }); // Limit ourselves to one reactor thread because for now the search process is single threaded. c.setIOReactorConfig(IOReactorConfig.custom().setIoThreadCount(1).build()); @@ -327,14 +313,7 @@ protected ScrollableHitSource buildScrollableResultSource(BackoffPolicy backoffP RemoteInfo remoteInfo = mainRequest.getRemoteInfo(); createdThreads = synchronizedList(new ArrayList<>()); assert sslConfig != null : "Reindex ssl config must be set"; - RestClient restClient = buildRestClient( - remoteInfo, - sslConfig, - task.getId(), - createdThreads, - this.interceptor, - CryptoServicesRegistrar.isInApprovedOnlyMode() - ); + RestClient restClient = buildRestClient(remoteInfo, sslConfig, task.getId(), createdThreads, this.interceptor); return new RemoteScrollableHitSource( logger, backoffPolicy, diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java index 7fbd6044d9b18..2e14df4628283 100644 --- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java +++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexFromRemoteBuildRestClientTests.java 
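Review bot: The rewritten thread factory changes the thread-name prefix from `os-client-` to `es-client-`, which reads as an accidental revert of the OpenSearch rename rather than part of the FIPS work, and the test in the next file was edited to match so nothing would flag it. Keep the existing prefix: `String name = "os-client-" + taskId + "-" + threads.getAndIncrement();` and leave `ReindexFromRemoteBuildRestClientTests` unchanged. The removal of the per-thread `setApprovedOnlyMode` is consistent with the JVM-level flag introduced in the launcher, but `buildRestClient` starts before this hunk and continues after it, so I cannot see whether any other code in the method still assumes it.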
@@ -77,7 +77,7 @@ public void testBuildRestClient() throws Exception { assertBusy(() -> assertThat(threads, hasSize(2))); int i = 0; for (Thread thread : threads) { - assertEquals("os-client-" + taskId + "-" + i, thread.getName()); + assertEquals("es-client-" + taskId + "-" + i, thread.getName()); i++; } } finally { diff --git a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java index 2fc7ab1654d41..35fdcd07626d1 100644 --- a/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java +++ b/modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java @@ -37,7 +37,6 @@ import com.sun.net.httpserver.HttpsParameters; import com.sun.net.httpserver.HttpsServer; -import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.opensearch.client.Request; import org.opensearch.client.Response; import org.opensearch.client.RestClient; @@ -73,7 +72,6 @@ import java.util.List; import java.util.concurrent.Executor; import java.util.concurrent.ExecutorService; -import java.util.concurrent.Executors; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReference; import java.util.function.Consumer; @@ -99,17 +97,6 @@ public static void setupHttpServer() throws Exception { SSLContext sslContext = buildServerSslContext(); server = HttpsServer.create(address, 0); server.setHttpsConfigurator(new ClientAuthHttpsConfigurator(sslContext)); - var inFipsJvm = inFipsJvm(); - Executor executor = Executors.newFixedThreadPool(1, (Runnable r) -> { - Runnable runnable = () -> { - if (inFipsJvm) { - CryptoServicesRegistrar.setApprovedOnlyMode(true); - } - r.run(); - }; - return new Thread(runnable, "test-httpserver-dispatcher"); - }); - server.setExecutor(executor); server.start(); server.createContext("/", http -> { assert http instanceof HttpsExchange; 
diff --git a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java index ffcc982c758b9..6383705149521 100644 --- a/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java +++ b/modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java @@ -123,9 +123,9 @@ public Optional buildHttpServerExceptionHandler(Setti @Override public Optional buildSecureHttpServerEngine(Settings settings, HttpServerTransport transport) throws SSLException { try { - final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12); + final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS); keyStore.load( - SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.p12"), + SecureNetty4HttpServerTransportTests.class.getResourceAsStream("/netty4-secure.jks"), "password".toCharArray() ); diff --git a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java index 2008c6a2e9a3a..2502a77af50e0 100644 --- a/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java +++ b/modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java @@ -8,6 +8,7 @@ package org.opensearch.transport.netty4.ssl; +import org.apache.lucene.tests.util.LuceneTestCase; import org.opensearch.Version; import org.opensearch.cluster.node.DiscoveryNode; import org.opensearch.common.crypto.KeyStoreFactory; 
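Review bot: `buildSecureHttpServerEngine` now loads the test key material from a JKS store instead of the PKCS#12 one, moving a TLS test onto a legacy, JDK-proprietary format; the `org.bouncycastle.jca.enable_jks` option that a later hunk in this diff stops passing to test runs suggests that JKS needs an explicit opt-in under the FIPS provider, so this test may no longer run in a `FIPS-140-2` build. If the switch is deliberate, say so next to the load: `// JKS is not a FIPS-approved keystore type; this test is expected to run only outside approved-only mode`, and consider keeping the `.p12` resource in the tree so the FIPS variant can be re-enabled without regenerating certificates. The method starts inside the hunk and its body continues beyond it.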
@@ -66,6 +67,7 @@ import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.lessThanOrEqualTo; +@LuceneTestCase.AwaitsFix(bugUrl = "") public class SimpleSecureNetty4TransportTests extends AbstractSimpleTransportTestCase { @Override protected Transport build(Settings settings, final Version version, ClusterSettings clusterSettings, boolean doHandshake) { @@ -79,9 +81,9 @@ public Optional buildServerTransportExceptionHandler( @Override public Optional buildSecureServerTransportEngine(Settings settings, Transport transport) throws SSLException { try { - final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.PKCS_12); + final KeyStore keyStore = KeyStoreFactory.getInstance(KeyStoreType.JKS); keyStore.load( - SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.p12"), + SimpleSecureNetty4TransportTests.class.getResourceAsStream("/netty4-secure.jks"), "password".toCharArray() ); diff --git a/modules/transport-netty4/src/test/resources/README.txt b/modules/transport-netty4/src/test/resources/README.txt index c8cec5d3803a4..a1a226c5ba674 100644 --- a/modules/transport-netty4/src/test/resources/README.txt +++ b/modules/transport-netty4/src/test/resources/README.txt 
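Review bot: `@LuceneTestCase.AwaitsFix(bugUrl = "")` mutes the whole secure-transport suite with no tracking issue, and a silenced TLS test suite is exactly the kind of thing that stays muted for years; please point `bugUrl` at an issue describing what fails and under which crypto standard, e.g. `@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/opensearch-project/OpenSearch/issues/<id>")`, and add a one-line comment stating whether the failure is FIPS-only. If it is FIPS-only, an assumption keyed on `OPENSEARCH_CRYPTO_STANDARD` in a `@BeforeClass` would keep the suite running for non-FIPS builds instead of muting it everywhere.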
@@ -6,12 +6,12 @@ # 1. Create certificate key -openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes +openssl req -x509 -sha256 -newkey rsa:2048 -keyout certificate.key -out certificate.crt -days 1024 -nodes # 2. Export the certificate in pkcs12 format -openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out server.p12 -name netty4-secure -password pass:password +openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out netty4-secure.p12 -name netty4-secure -password pass:password -# 3. Import the certificate into JDK keystore (PKCS12 type) +# 3. Migrate from P12 to JKS keystore -keytool -importkeystore -srcstorepass password -destkeystore netty4-secure.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias netty4-secure -deststorepass password \ No newline at end of file +keytool -importkeystore -srcstorepass password -destkeystore netty4-secure.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias netty4-secure -deststorepass password diff --git a/modules/transport-netty4/src/test/resources/netty4-secure.jks b/modules/transport-netty4/src/test/resources/netty4-secure.jks new file mode 100644 index 0000000000000..d158f1fe60ef7 Binary files /dev/null and b/modules/transport-netty4/src/test/resources/netty4-secure.jks differ diff --git a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java index 3105967cd9001..771de6de486d6 100644 --- a/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java +++ b/plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java 
@@ -55,8 +55,6 @@ import org.opensearch.transport.TransportSettings; import org.junit.AfterClass; import org.junit.BeforeClass; -import org.junit.ClassRule; -import org.junit.rules.ExternalResource; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; @@ -107,17 +105,6 @@ protected Collection> nodePlugins() { private static Path keyStoreFile; - @ClassRule - public static final ExternalResource MUTE_IN_FIPS_JVM = new ExternalResource() { - @Override - protected void before() { - assumeFalse( - "Can't run in a FIPS JVM because none of the supported Keystore types can be used", - Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)) - ); - } - }; - @BeforeClass public static void setupKeyStore() throws IOException { Path tempDir = createTempDir(); diff --git a/plugins/repository-s3/build.gradle b/plugins/repository-s3/build.gradle index 22aa151c92003..aadd05d02aca9 100644 --- a/plugins/repository-s3/build.gradle +++ b/plugins/repository-s3/build.gradle @@ -34,6 +34,7 @@ import org.opensearch.gradle.test.RestIntegTestTask import org.opensearch.gradle.test.TestTask import org.opensearch.gradle.test.rest.YamlRestTestPlugin import org.opensearch.gradle.test.InternalClusterTestPlugin +import org.opensearch.gradle.testclusters.OpenSearchCluster import static org.opensearch.gradle.PropertyNormalization.IGNORE_VALUE @@ -143,6 +144,13 @@ def fixtureAddress = { fixture, name, port -> 'http://127.0.0.1:' + ephemeralPort } +def applyFipsConfig(OpenSearchCluster cluster) { + if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') { + cluster.keystorePassword 'notarealpasswordphrase' + cluster.environment 'OPENSEARCH_CRYPTO_STANDARD', 'FIPS-140-2' + } +} + // We test against two repositories, one which uses the usual two-part "permanent" credentials and // the other which uses three-part "temporary" or "session" credentials. 
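Review bot: Removing the `MUTE_IN_FIPS_JVM` rule is required once `FIPS_SYSPROP` disappears from `OpenSearchTestCase`, but the reason it existed ("none of the supported Keystore types can be used" in a FIPS JVM) is not addressed anywhere in this diff, so under `OPENSEARCH_CRYPTO_STANDARD=FIPS-140-2` this suite presumably now fails instead of being skipped. The equivalent guard can live at the top of `setupKeyStore`, which begins inside the hunk: `assumeFalse("Can't run in a FIPS JVM because none of the supported Keystore types can be used", "FIPS-140-2".equals(System.getenv("OPENSEARCH_CRYPTO_STANDARD")));`. If the keystore type used by this test was changed elsewhere, a comment saying so would explain why the mute is safe to drop.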
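Review bot: `applyFipsConfig` hard-codes a keystore password literal and sets it only when the build's own environment has `OPENSEARCH_CRYPTO_STANDARD=FIPS-140-2`; that is acceptable for a test cluster, but the function gives no hint why FIPS mode needs a password at all (presumably the FIPS keystore format rejects an empty one — confirm) or that the value is test-only. A short comment covers both: `// test-only keystore password; the FIPS keystore format used by the node refuses an empty password`. The environment-variable literal is now repeated in four places across this diff, so a build-level constant would be safer than another copy here.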
@@ -260,6 +268,7 @@ yamlRestTest { } testClusters.yamlRestTest { + applyFipsConfig(delegate) keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey @@ -292,7 +301,7 @@ testClusters.yamlRestTest { setting 's3.client.integration_test_eks.region', { "us-east-2" }, IGNORE_VALUE // to redirect InstanceProfileCredentialsProvider to custom auth point - systemProperty "aws.ec2MetadataServiceEndpointOverride", { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ec2', '80')}" }, IGNORE_VALUE + systemProperty "aws.ec2MetadataServiceEndpoint", { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ec2', '80')}" }, IGNORE_VALUE // to redirect AWSSecurityTokenServiceClient to custom auth point systemProperty "aws.stsEndpointOverride", { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-eks', '80')}/eks_credentials_endpoint" }, IGNORE_VALUE } else { @@ -323,6 +332,7 @@ if (useFixture) { check.dependsOn(yamlRestTestMinio) testClusters.yamlRestTestMinio { + applyFipsConfig(delegate) keystore 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey keystore 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey setting 's3.client.integration_test_permanent.endpoint', { "${-> fixtureAddress('minio-fixture', 'minio-fixture', '9000')}" }, IGNORE_VALUE @@ -351,6 +361,7 @@ if (useFixture) { check.dependsOn(yamlRestTestECS) testClusters.yamlRestTestECS { + applyFipsConfig(delegate) setting 's3.client.integration_test_ecs.endpoint', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}" }, IGNORE_VALUE plugin tasks.bundlePlugin.archiveFile environment 'AWS_CONTAINER_CREDENTIALS_FULL_URI', { "${-> fixtureAddress('s3-fixture', 's3-fixture-with-ecs', '80')}/ecs_credentials_endpoint" }, IGNORE_VALUE 
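Review bot: The system property that redirects the instance-profile credential lookup is renamed from `aws.ec2MetadataServiceEndpointOverride` to `aws.ec2MetadataServiceEndpoint` with no explanation; if the SDK version in use does not read the new name, the test cluster falls back to the real IMDS address, and on an AWS-hosted CI runner that hands genuine instance credentials to a test node. The fixture change in this same diff (the `Expiration` format switching to `ISO_INSTANT`) suggests an SDK upgrade motivated the rename, but please say so on the line: `// AWS SDK v2 reads aws.ec2MetadataServiceEndpoint (v1 used the *Override name); redirect IMDS to the fixture`, and have the EC2 fixture assert it was actually hit so a silent fallback fails the test.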
@@ -378,6 +389,7 @@ if (useFixture) { check.dependsOn(yamlRestTestEKS) testClusters.yamlRestTestEKS { + applyFipsConfig(delegate) keystore 's3.client.integration_test_eks.role_arn', "arn:aws:iam::000000000000:role/test" keystore 's3.client.integration_test_eks.role_session_name', "s3-test" keystore 's3.client.integration_test_eks.access_key', "access_key" diff --git a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java index 1622a9093d765..0953e51484bd3 100644 --- a/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java +++ b/plugins/transport-reactor-netty4/src/test/java/org/opensearch/http/reactor/netty4/ReactorHttpClient.java @@ -13,7 +13,6 @@ package org.opensearch.http.reactor.netty4; -import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.opensearch.common.collect.Tuple; import org.opensearch.common.xcontent.XContentType; import org.opensearch.core.xcontent.ToXContent; @@ -66,7 +65,6 @@ public class ReactorHttpClient implements Closeable { private final boolean compression; private final boolean secure; - private final boolean fipsEnabled; static Collection returnHttpResponseBodies(Collection responses) { List list = new ArrayList<>(responses.size()); @@ -87,7 +85,6 @@ static Collection returnOpaqueIds(Collection responses public ReactorHttpClient(boolean compression, boolean secure) { this.compression = compression; this.secure = secure; - this.fipsEnabled = CryptoServicesRegistrar.isInApprovedOnlyMode(); } public static ReactorHttpClient create() { 
@@ -186,15 +183,7 @@ private List sendRequests( final Collection requests, boolean orderer ) { - final NioEventLoopGroup eventLoopGroup = new NioEventLoopGroup(1, (Runnable r) -> { - Runnable runnable = () -> { - if (fipsEnabled) { - CryptoServicesRegistrar.setApprovedOnlyMode(true); - } - r.run(); - }; - return new Thread(runnable); - }); + final NioEventLoopGroup eventLoopGroup = new NioEventLoopGroup(1); try { final HttpClient client = createClient(remoteAddress, eventLoopGroup); diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java index 938c81762c75b..119e09d405081 100644 --- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java +++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java @@ -40,7 +40,6 @@ import org.apache.logging.log4j.core.config.Configurator; import org.apache.lucene.util.Constants; import org.apache.lucene.util.StringHelper; -import org.bouncycastle.crypto.CryptoServicesRegistrar; import org.opensearch.OpenSearchException; import org.opensearch.Version; import org.opensearch.cli.KeyStoreAwareCommand; @@ -52,7 +51,6 @@ import org.opensearch.common.logging.LogConfigurator; import org.opensearch.common.logging.Loggers; import org.opensearch.common.network.IfConfig; -import org.opensearch.common.settings.FipsSettings; import org.opensearch.common.settings.KeyStoreWrapper; import org.opensearch.common.settings.SecureSettings; import org.opensearch.common.settings.Settings; 
@@ -197,14 +195,9 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot BootstrapSettings.CTRLHANDLER_SETTING.get(settings) ); - var isFipsEnabled = FipsSettings.FIPS_ENABLED.get(settings); - try { - var isRunningInFipsMode = CryptoServicesRegistrar.setApprovedOnlyMode(isFipsEnabled); - if (isRunningInFipsMode) { - LogManager.getLogger(Bootstrap.class).info("running in FIPS mode"); - } - } catch (Exception e) { - throw new BootstrapException(e); + var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD"); + if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) { + LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-2 mode"); } // initialize probes before the security manager is installed diff --git a/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java b/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java index 142ccd92f3c7c..f769f8729c25b 100644 --- a/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java +++ b/server/src/main/java/org/opensearch/common/settings/ClusterSettings.java @@ -670,7 +670,6 @@ public void apply(Settings value, Settings current, Settings previous) { ClusterManagerTaskThrottler.THRESHOLD_SETTINGS, ClusterManagerTaskThrottler.BASE_DELAY_SETTINGS, ClusterManagerTaskThrottler.MAX_DELAY_SETTINGS, - FipsSettings.FIPS_ENABLED, // Settings related to search backpressure SearchBackpressureSettings.SETTING_MODE, diff --git a/server/src/main/java/org/opensearch/common/settings/FipsSettings.java b/server/src/main/java/org/opensearch/common/settings/FipsSettings.java deleted file mode 100644 index 9f667b1497a2e..0000000000000 --- a/server/src/main/java/org/opensearch/common/settings/FipsSettings.java +++ /dev/null 
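Review bot: The replacement in `setup` only logs "running in FIPS-140-2 mode" when the environment variable is set, whereas the removed code actually switched the provider into approved-only mode and failed bootstrap on error; nothing now verifies that the JVM was really started with `-Dorg.bouncycastle.fips.approved_only=true`, so a node launched through a custom script, a container entrypoint that exports the variable after JVM options were computed, or a plain `java` invocation will log FIPS mode while running non-approved algorithms. Checking the system property the launcher sets (no BC import needed) and rejecting unknown values closes that gap; the launcher and this check would then agree on the one source of truth. `setup` begins before this hunk and continues after it.
```java
var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD");
if ("FIPS-140-2".equals(cryptoStandard)) {
    // the launcher derives this property from the same variable; a JVM started another way must not claim FIPS mode
    if (Boolean.getBoolean("org.bouncycastle.fips.approved_only") == false) {
        throw new BootstrapException(
            new IllegalStateException("OPENSEARCH_CRYPTO_STANDARD=FIPS-140-2 but the JVM was not started with -Dorg.bouncycastle.fips.approved_only=true")
        );
    }
    LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-2 mode");
} else if (cryptoStandard != null) {
    throw new BootstrapException(new IllegalStateException("unsupported OPENSEARCH_CRYPTO_STANDARD value: " + cryptoStandard));
}
// … unchanged: probe initialization before the security manager is installed …
```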
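Review bot: Dropping `FipsSettings.FIPS_ENABLED` from the registered cluster settings removes the `fips.approved` node setting outright, so a node that still has `fips.approved: true` in its configuration will presumably be rejected at startup as an unknown setting (unless it is archived or handled elsewhere, which this diff does not show) and the operator gets no pointer to the `OPENSEARCH_CRYPTO_STANDARD` replacement. Keeping the setting registered for one release with `Property.Deprecated` and a deprecation message naming the environment variable would give a migration path. The list this line sits in starts before the hunk and continues after it.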
@@ -1,20 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - */ - -package org.opensearch.common.settings; - -import org.opensearch.common.settings.Setting.Property; - -/** - * Settings used for NIST FIPS 140-2 compliance - */ -public class FipsSettings { - - public static final Setting FIPS_ENABLED = Setting.boolSetting("fips.approved", false, Property.NodeScope); - -} diff --git a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java index 9e02f9ee86744..cf6ce7d014199 100644 --- a/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java +++ b/test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpFixtureWithEC2.java @@ -90,9 +90,9 @@ protected HttpHandler createHandler(final String[] args) { protected String buildCredentialResponse(final String ec2AccessKey, final String ec2SessionToken) { return "{" + "\"AccessKeyId\": \"" + ec2AccessKey + "\"," - + "\"Expiration\": \"" + ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ISO_DATE_TIME) + "\"," + + "\"Expiration\": \"" + ZonedDateTime.now().plusDays(1L).format(DateTimeFormatter.ISO_INSTANT) + "\"," + "\"RoleArn\": \"arn\"," - + "\"SecretAccessKey\": \"secret\"," + + "\"SecretAccessKey\": \"secret_key\"," + "\"Token\": \"" + ec2SessionToken + "\"" + "}"; } diff --git a/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java b/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java index 4572e3c59b1de..153a64a23642c 100644 --- a/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java +++ b/test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java 
@@ -254,8 +254,6 @@ public void tearDown() throws Exception { public static final String DEFAULT_TEST_WORKER_ID = "--not-gradle--"; - public static final String FIPS_SYSPROP = "tests.fips.enabled"; - static { TEST_WORKER_VM_ID = System.getProperty(TEST_WORKER_SYS_PROPERTY, DEFAULT_TEST_WORKER_ID); setTestSysProps(); @@ -363,12 +361,6 @@ protected void afterIfSuccessful() throws Exception {} // setup mock filesystems for this test run. we change PathUtils // so that all accesses are plumbed thru any mock wrappers - @BeforeClass - public static void setFipsJvm() throws Exception { - var runInApprovedMode = Boolean.parseBoolean(System.getProperty(FIPS_SYSPROP)); - CryptoServicesRegistrar.setApprovedOnlyMode(runInApprovedMode); - } - @BeforeClass public static void setFileSystem() throws Exception { PathUtilsForTesting.setup(); diff --git a/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java b/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java index 2b5f3fdc3e6b4..42ae6a57b829a 100644 --- a/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java +++ b/test/framework/src/main/java/org/opensearch/test/junit/listeners/ReproduceInfoPrinter.java @@ -193,9 +193,6 @@ private ReproduceErrorMessageBuilder appendESProperties() { appendOpt("tests.locale", Locale.getDefault().toLanguageTag()); appendOpt("tests.timezone", TimeZone.getDefault().getID()); appendOpt("runtime.java", Integer.toString(Runtime.version().version().get(0))); - appendOpt(OpenSearchTestCase.FIPS_SYSPROP, System.getProperty(OpenSearchTestCase.FIPS_SYSPROP)); - appendOpt("org.bouncycastle.jca.enable_jks", "true"); - appendOpt("org.bouncycastle.rsa.allow_multi_use", "true"); return this; }
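Review bot: With `setFipsJvm` gone, nothing in the test framework puts the provider into approved-only mode any more; the only remaining switch visible in this diff is the `-Dorg.bouncycastle.fips.approved_only=true` option emitted by the production launcher, which test JVMs do not go through, so FIPS test runs now depend on the Gradle test tasks forwarding that property (not shown here). A comment where the method used to be, such as `// approved-only mode is expected to come from -Dorg.bouncycastle.fips.approved_only passed by the test task, not from test code`, would tell the next reader where to look, and an `assumeTrue` in a FIPS-specific base class could catch a run that claims FIPS without the property.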
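Review bot: `appendESProperties` no longer records whether the failing run was in FIPS mode, and since the mode is now chosen by an environment variable rather than a `-D` option, a reproduce line for a FIPS-only failure is incomplete without it. Emitting the value, e.g. `appendOpt("OPENSEARCH_CRYPTO_STANDARD", System.getenv("OPENSEARCH_CRYPTO_STANDARD"));`, at least makes the condition visible on the line even if `appendOpt` formats it as a system property; if `appendOpt` skips null values this is also harmless for non-FIPS runs. The method starts before the hunk.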