Step 1: (Optional) Enable FIPS Mode
If your cluster must be FIPS-compliant, you must enable FIPS mode at the operating system level before installing data-fabric software. If FIPS compliance is not needed, you can skip this step.
This page describes how to enable FIPS mode for each of the operating systems where it is supported. For more information about FIPS, see FIPS Compliance for HPE Ezmeral Data Fabric and this page.
When you enable FIPS mode at the operating system level, the HPE Ezmeral Data Fabric platform is automatically installed in FIPS mode with FIPS-compliant BCFKS key and trust stores.
All FIPS 140-2 Level 1 Linux operating system distributions supported by the HPE Ezmeral Data Fabric have a way of enabling FIPS mode at the operating system level. However, enabling FIPS mode at the operating system level covers only the use of FIPS-compliant system libraries (OpenSSL), and not the additional packages that use cryptography that are not part of the operating system – notably JDK 11.
- Enabling FIPS mode at the operating system level automatically causes FIPS-compliant mode to be enabled in the HPE Ezmeral Data Fabric.
- FIPS compliance is enforced on a per-node level. It is possible for some nodes in a cluster to run in FIPS mode while others run in non-FIPS-compliant mode. Different nodes running in mixed configuration can communicate with each other as long as the cryptographic algorithms used for securing network data are FIPS-compliant. The AES-256 GCM cryptographic algorithm and TLS 1.2 and 1.3 protocols used to secure network data in previous data-fabric releases are FIPS compliant.
Determining if the Operating System is FIPS-Enabled
If you don't know the current FIPS status for a node, you can use maprcli commands to determine whether FIPS mode is enabled at the operating system level. See Determining if a Host Is in FIPS Mode.
Enabling FIPS Mode in Red Hat Enterprise Linux 8
Setting the RHEL 8 operating system to FIPS mode automatically makes the FIPS 140-2 Level 1 certified Red Hat OpenSSL 1.1.1 library available with all non-FIPS-approved cryptographic algorithms disabled.
You can install the RHEL 8 operating system with FIPS mode enabled by adding the fips=1 option to the kernel command line during system installation. This is the recommended way to enable FIPS mode, as opposed to enabling FIPS mode later, because it ensures the system generates all cryptographic keys with FIPS-approved algorithms.
To enable FIPS mode on a system that is already installed, run the fips-mode-setup --enable command, and then reboot the system:
# fips-mode-setup --enable
Setting system policy to FIPS.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
# reboot
# fips-mode-setup --check
FIPS mode is enabled
Enabling FIPS Mode in Ubuntu 18.04
- Install the Ubuntu Advantage tools:
# sudo apt update && sudo apt install ubuntu-advantage-tools
- If you are not using the Ubuntu PRO images, you need to obtain the UA token from your Ubuntu One account under the Your Paid Subscriptions header, save it, and then attach it to the Ubuntu system:
# sudo ua attach <token>
- Enable FIPS, including security updates, and verify the status:
# sudo ua enable fips-updates
# sudo ua status
To enable only validated FIPS without the security updates (not recommended), which results in updating only validated packages upon revalidation, use sudo ua enable fips instead of sudo ua enable fips-updates.
- Reboot the system for the changes to take effect. After rebooting, verify that FIPS is enabled:
# cat /proc/sys/crypto/fips_enabled
1
Enabling FIPS Mode in SUSE Enterprise Linux 15 SP2
- Install the FIPS pattern:
$ sudo zypper in -t pattern fips
- Assuming that /boot is not on a separate partition, edit /etc/default/grub to add fips=1 to GRUB_CMDLINE_LINUX_DEFAULT. For example:
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1"
- Save your changes, and rebuild the grub configuration and the initrd:
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
$ sudo mkinitrd
- Reboot, and verify your changes:
$ sudo sysctl -a | grep fips
crypto.fips_enabled = 1
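Because FIPS compliance is enforced per node, a cluster can end up mixed without anyone noticing. The following script is an added example (not part of the HPE documentation) that combines the checks from the three procedures above into one per-node verdict: it reads the kernel flag at /proc/sys/crypto/fips_enabled, confirms fips=1 on the running kernel command line, and calls fips-mode-setup --check where that tool exists. The file paths are parameters (an assumption made so the functions can be exercised against constructed files), and the script name check_fips_node.sh is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the HPE documentation: verify that a node is really in FIPS
# mode before installing data-fabric software. RHEL 8, Ubuntu 18.04 and SLES 15 all
# expose the kernel flag in /proc/sys/crypto/fips_enabled, so the same check fits all three.

# Return 0 if the kernel FIPS flag file contains exactly "1", 2 if the file is absent
# (kernel built without FIPS support), 1 otherwise.
fips_flag_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 2
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Return 0 if a kernel command line string carries fips=1 as a whole word
# (so "fips=10" or "nofips=1" do not match).
cmdline_has_fips() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'fips=1'
}

# Combine both checks into one verdict: "fips", "partial" or "non-fips".
# "partial" means the flag and the boot parameter disagree, which is worth
# investigating (for example, /etc/default/grub edited but initrd not rebuilt).
node_fips_state() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${2:-/proc/cmdline}"
    flag_ok=1; cmd_ok=1
    fips_flag_enabled "$flag_file" && flag_ok=0
    [ -r "$cmdline_file" ] && cmdline_has_fips "$(cat "$cmdline_file")" && cmd_ok=0
    if [ $flag_ok -eq 0 ] && [ $cmd_ok -eq 0 ]; then echo fips
    elif [ $flag_ok -eq 0 ] || [ $cmd_ok -eq 0 ]; then echo partial
    else echo non-fips
    fi
}

# Stand-alone use: print the verdict and exit non-zero unless the node is fully
# FIPS-enabled, so a provisioning step can refuse to install on a non-FIPS node.
main() {
    state=$(node_fips_state)
    echo "$(hostname): $state"
    command -v fips-mode-setup >/dev/null 2>&1 && fips-mode-setup --check  # RHEL 8 only
    [ "$state" = "fips" ]
}
case "${0##*/}" in check_fips_node.sh) main ;; esac
```

Save it as check_fips_node.sh and run it on every node before installation; a non-zero exit or a "partial" verdict means the node should not join a FIPS-compliant cluster yet.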