Enabling and disabling FIPS mode

After you install IBM® Cloud Private, you can enable or disable Federal Information Processing Standard (FIPS) 140-2 compliance for IBM Cloud Private management ingress (management console), NGINX ingress controller (ingress service), image manager, Docker registry, and WebSphere Liberty Application Server (authentication manager).

By default, FIPS compliance mode is disabled.

Required user type or access level: Cluster administrator or team administrator.

Enable or disable FIPS mode for IBM Cloud Private management ingress

  1. Log on to the management console.
  2. Download the icp-management-ingress-3.2.1.tgz chart.
  3. Copy the chart to a temporary location.

    • For a Linux® cluster, run the following command:

      docker run --rm -e LICENSE=accept -i -v /tmp:/tmp ibmcom/icp-inception-amd64:3.2.1-ee cp /addon/icp-management-ingress-3.2.1.tgz /tmp
      
    • For a Linux® on Power® (ppc64le) cluster, run the following command:

      docker run --rm -e LICENSE=accept -i -v /tmp:/tmp ibmcom/icp-inception-ppc64le:3.2.1-ee cp /addon/icp-management-ingress-3.2.1.tgz /tmp
      
  4. Configure the helm command line interface (CLI) as an Admin user. For more information about configuring the Helm CLI, see Installing the Helm CLI (helm).

  5. To enable FIPS mode, run the following commands:

    helm get values --tls icp-management-ingress > /tmp/old-value.yaml
    helm upgrade --set fips_enabled=true icp-management-ingress -f /tmp/old-value.yaml /tmp/icp-management-ingress-3.2.1.tgz --tls
    
  6. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).

  7. Check the icp-management-ingress container log to verify whether FIPS mode is enabled. In the following example, icp-management-ingress-kj5z6 is the pod name.

    kubectl logs icp-management-ingress-kj5z6 | grep FIPS
    

    The following is sample output:

    2018/09/28 09:24:56 [notice] 20#20: FIPS_mode_set() successfully (SSL:)
    

To disable FIPS mode, run the following command:

helm upgrade --set fips_enabled=false icp-management-ingress /tmp/icp-management-ingress-3.2.1.tgz --tls

Enable or disable FIPS mode for NGINX ingress controller

  1. Log on to the management console.
  2. Download the nginx-ingress-3.2.1.tgz chart.
  3. Copy the chart to a temporary location.

    • For a Linux® cluster, run the following command:

      docker run --rm -e LICENSE=accept -it -v /tmp:/tmp ibmcom/icp-inception-amd64:3.2.1-ee cp /addon/nginx-ingress-3.2.1.tgz /tmp
      
    • For a Linux® on Power® (ppc64le) cluster, run the following command:

      docker run --rm -e LICENSE=accept -it -v /tmp:/tmp ibmcom/icp-inception-ppc64le:3.2.1-ee cp /addon/nginx-ingress-3.2.1.tgz /tmp
      
  4. Configure the helm command line interface (CLI) as an Admin user. For more information about configuring the Helm CLI, see Installing the Helm CLI (helm).

  5. To enable FIPS mode, run the following commands:

    helm get values --tls nginx-ingress > /tmp/old-value.yaml
    helm upgrade --set fips_enabled=true nginx-ingress -f /tmp/old-value.yaml /tmp/nginx-ingress-3.2.1.tgz --tls
    
  6. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).

  7. Check the NGINX ingress controller container log to verify whether FIPS mode is enabled. In the following example, nginx-ingress-controller-qhczr is the pod name.

    kubectl logs nginx-ingress-controller-qhczr | grep FIPS
    

    The following is sample output:

    2018/09/28 09:24:56 [notice] 20#20: FIPS_mode_set() successfully (SSL:)
    

To disable FIPS mode, run the following command:

helm upgrade --set fips_enabled=false nginx-ingress /tmp/nginx-ingress-3.2.1.tgz --tls

Enable or disable FIPS mode for IBM Cloud Private image manager

To enable FIPS mode for IBM Cloud Private image manager, complete these steps:

  1. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  2. Edit the image manager StatefulSet.

    kubectl edit StatefulSets image-manager -n kube-system
    
  3. Change the value of the environment variable named FIPS_ENABLED to true for container image-manager.

  4. Save the StatefulSet.

To disable FIPS mode for IBM Cloud Private image manager, complete these steps:

  1. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  2. Edit the image manager StatefulSet.

    kubectl edit StatefulSets image-manager -n kube-system
    
  3. Change the value of the environment variable named FIPS_ENABLED to false for container image-manager.

  4. Save the StatefulSet.

Enable or disable FIPS mode for Docker registry

To enable FIPS mode for Docker registry, complete these steps:

  1. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  2. Edit the image manager StatefulSet.

    kubectl edit StatefulSets image-manager -n kube-system
    
  3. Change the value of the environment variable named FIPS_ENABLED to true for container icp-registry.

  4. Save the StatefulSet.

To disable FIPS mode for Docker registry, complete these steps:

  1. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  2. Edit the image manager StatefulSet.

    kubectl edit StatefulSets image-manager -n kube-system
    
  3. Change the value of the environment variable named FIPS_ENABLED to false for container icp-registry.

  4. Save the StatefulSet.

Enable or disable FIPS mode for authentication manager

To enable FIPS mode for authentication manager, complete these steps:

  1. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  2. Edit the platform-auth-idp configmap.

    kubectl -n kube-system edit configmap platform-auth-idp
    
  3. Change the value of the variable named FIPS_ENABLED to true.

  4. Save the configmap.
  5. Restart the auth-idp pods by deleting them.

    kubectl -n kube-system delete pod -l k8s-app=auth-idp
    
  6. Wait for the pods to restart, then check their status:

    kubectl -n kube-system get pods | grep auth-idp
    

    When the status of all auth-idp pods shows 4/4 Running, the pods are ready.

To disable FIPS mode for authentication manager, complete these steps:

  1. Set up kubectl CLI. See Accessing your cluster from the Kubernetes CLI (kubectl).
  2. Edit the platform-auth-idp configmap.

    kubectl -n kube-system edit configmap platform-auth-idp
    
  3. Change the value of the variable named FIPS_ENABLED to false.

  4. Save the configmap.
  5. Restart the auth-idp pods by deleting them.

    kubectl -n kube-system delete pod -l k8s-app=auth-idp
    
  6. Wait for the pods to restart, then check their status:

    kubectl -n kube-system get pods | grep auth-idp
    

    When the status of all auth-idp pods shows 4/4 Running, the pods are ready.
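As an added example that is not part of the IBM documentation, the following Python script audits the FIPS settings described in the sections above without opening `kubectl edit` by hand: it reads the image-manager StatefulSet and the platform-auth-idp ConfigMap in the JSON form that `kubectl get ... -o json` produces, and checks an ingress pod log for the `FIPS_mode_set() successfully` notice. The manifests and log lines are constructed samples; the container names, the `FIPS_ENABLED` variable and the log text are the ones this page uses.

```python
import json

# Constructed sample of `kubectl get statefulset image-manager -n kube-system -o json`,
# trimmed to the fields the audit needs (not real cluster output).
STATEFULSET_JSON = json.dumps({
    "kind": "StatefulSet",
    "metadata": {"name": "image-manager", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "image-manager", "env": [{"name": "FIPS_ENABLED", "value": "true"}]},
        {"name": "icp-registry", "env": [{"name": "FIPS_ENABLED", "value": "false"}]},
    ]}}},
})

# Constructed sample of `kubectl -n kube-system get configmap platform-auth-idp -o json`.
CONFIGMAP_JSON = json.dumps({
    "kind": "ConfigMap",
    "metadata": {"name": "platform-auth-idp", "namespace": "kube-system"},
    "data": {"FIPS_ENABLED": "true"},
})

# Constructed log lines; the FIPS notice has the format shown on this page.
INGRESS_LOG = (
    '2018/09/28 09:24:55 [notice] 20#20: using the "epoll" event method\n'
    "2018/09/28 09:24:56 [notice] 20#20: FIPS_mode_set() successfully (SSL:)\n"
)

def statefulset_fips(manifest_json, containers=("image-manager", "icp-registry")):
    """Return {container: 'true' | 'false' | 'unset'} for FIPS_ENABLED in each named container."""
    spec = json.loads(manifest_json)["spec"]["template"]["spec"]
    by_name = {c["name"]: c for c in spec.get("containers", [])}
    result = {}
    for name in containers:
        env = by_name.get(name, {}).get("env", [])
        values = [e.get("value", "") for e in env if e.get("name") == "FIPS_ENABLED"]
        # A missing variable is reported as "unset": it is not the same thing as "false".
        result[name] = values[0].strip().lower() if values else "unset"
    return result

def configmap_fips(manifest_json):
    """Return the FIPS_ENABLED value from the platform-auth-idp ConfigMap data, or 'unset'."""
    return json.loads(manifest_json).get("data", {}).get("FIPS_ENABLED", "unset").strip().lower()

def log_reports_fips(log_text):
    """True only if the FIPS_mode_set() success notice appears in the pod log."""
    return any("FIPS_mode_set() successfully" in line for line in log_text.splitlines())

def audit():
    report = statefulset_fips(STATEFULSET_JSON)
    report["platform-auth-idp"] = configmap_fips(CONFIGMAP_JSON)
    report["management-ingress-log"] = "true" if log_reports_fips(INGRESS_LOG) else "false"
    return report

if __name__ == "__main__":
    for component, state in audit().items():
        print(f"{component:24} FIPS_ENABLED={state}")
```

On a live cluster, feed the script the output of the `kubectl get ... -o json` and `kubectl logs` commands instead of the constructed samples; a container whose variable is reported as "unset" has never had FIPS mode configured at all.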