FIPS Compliance for HPE Ezmeral Data Fabric
Describes how the HPE Ezmeral Data Fabric complies with Federal Information Processing Standard (FIPS) 140-2 Level 1.
Release 7.0.0 and later releases of the HPE Ezmeral Data Fabric provide FIPS compliance with some restrictions.
Considerations for FIPS Support
- Release 7.0.0 supports FIPS for new installations only.
- Release 7.0.0 supports FIPS only on Red Hat Enterprise Linux (RHEL). For the supported RHEL versions, see the Operating System Support Matrix.
- Upgrades are not supported. You cannot upgrade from a non-FIPS cluster to a FIPS-compliant cluster in release 7.0.0.
- Some, but not all, EEP components support FIPS. For more information, see What's New in EEP 8.1.0.
- For manual installations, FIPS mode implies secure mode as well. Thus, on a
FIPS-enabled node,
-secure
is the default, whereas in a regular, non-FIPS-enabled node,-unsecure
is the default. - The HPE Ezmeral Data Fabric Object Store is not FIPS compliant.
- Only the operating systems listed on this page are FIPS compliant for the HPE Ezmeral Data Fabric. Other operating systems either are undergoing testing or will never be FIPS compliant. CentOS 8.x and the newer CentOS Stream, for example, are not FIPS compliant with the HPE Ezmeral Data Fabric. CentOS 8 users who need to run Data Fabric software in a FIPS-validated configuration should migrate to RHEL 8.x.
About FIPS and 140-2 Level 1
The Federal Information Processing Standard (FIPS) is a US government standard used to approve cryptographic modules. FIPS-validated products give users the assurance that data within the product is protected using cryptographic algorithms meeting the stringent guidelines and testing procedures established by the FIPS standard. FIPS was established by the National Institute of Standards and Technology (NIST), and defines critical security parameters that vendors must use for encryption. Products sold to the US government must meet FIPS validation criteria. In addition, there is a growing need by organizations processing sensitive data, such as banks, financial institutions, legal and medical institutions, to have the products that they use be FIPS 140-2/3 validated.
FIPS 140-2 requires that any hardware and software cryptographic module implement algorithms from an approved list. FIPS-validated algorithms cover both symmetric and asymmetric encryption algorithms as well as the use of hash standards and message authentication. FIPS 140-2 specifies multiple levels of security, with level 1 being the least secure and level 4 being the most secure. In particular, FIPS 140-2 Level 1 compliance is applicable to software-only distributions such as the HPE Ezmeral Data Fabric. FIPS 140-2 Level 2 and above require control of physical security mechanisms, which do not apply to the Data Fabric platform. For more information about the different levels here.
Data Fabric Approach to FIPS Level 1 Compliance
The HPE Ezmeral Data Fabric solution is installed on user-supplied operating systems, with the JDK supplied by the user. HPE Ezmeral Data Fabric does not bundle the operating system or associated libraries, such as OpenSSL, with the products. Neither does it bundle the JDK.
- Uses the OpenSSL cryptographic module distributed in operating systems supported by the Data Fabric core platform that have obtained FIPS 140-2 Level 1 approval. These include:
- For all supported operating systems listed above, uses the Java FIPS API from Bouncy Castle (CMVP #3514) which has FIPS 140-2 Level 1 approval.
- Includes enhancements to the Data Fabric core platform so that all components use only FIPS 140-2 Level 1-validated cryptography when FIPS mode is enabled, and ensures that no sensitive data is stored in plain text.
FIPS 140-2 Certifications
Components | Operating System / Module | Certification |
---|---|---|
Java Components | Linux CentOS/SLES/Ubuntu Bouncy Castle BC-FJA (FIPS Java API) v1.0.2.1 |
|
C/C++ Components | Ubuntu 18.04 OpenSSL Cryptographic Module 2.1 |
|
Ubuntu 20.04 OpenSSL Cryptographic Module |
|
|
RedHat Enterprise Linux 8 OpenSSL Cryptographic Module rhel8.20200305 |
|
|
SUSE Linux Enterprise Server (SLES) 15 SP 2 |
|
Interoperability in Mixed-Mode Clusters
Both FIPS-compliant and regular installations work seamlessly on a single cluster and across cluster. Interoperability is supported for mixed-mode clusters running a combination of FIPS-compliant and non FIPS-compliant solutions. Thus, there will be no disruption in operations during a rolling upgrade.
Sensitive Data Is Protected
All sensitive data such as key and trust store passwords, as well as CLDB and DARE master keys, will be protected using FIPS 140-2 Level 1 compliant cryptography. No sensitive data such as passwords and keys are stored in plain text.