Known issues on FIPS-enabled clusters

The following known issues apply to services on FIPS-enabled clusters.

For a list of services that can be installed on a FIPS-enabled cluster, see Services that support FIPS.

General issues

Curl commands fail to connect to FIPS clusters because of TLS errors

Applies to: 5.2.0 and later

When you connect to a FIPS-enabled cluster, client programs such as curl defer to OpenSSL to obtain the cipher list that they use to establish connections. Some versions of OpenSSL do not come with approved TLS 1.3 ciphers, such as TLS_AES_128_GCM_SHA256.

If you see TLS errors when you use curl commands to connect to a FIPS-enabled cluster, rerun the command with the --tls-max 1.2 curl parameter, or update your client's OpenSSL version to one that does support TLS 1.3 ciphers.
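An added example, not part of the IBM documentation, that checks whether the local OpenSSL build offers the approved TLS 1.3 suite named above and, if not, adds the --tls-max 1.2 workaround to the curl command. The function names and the sample cipher lists are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: decide whether a curl call
# against a FIPS-enabled cluster needs --tls-max 1.2, based on whether the
# local OpenSSL build advertises the approved TLS_AES_128_GCM_SHA256 suite.

# $1 is a cipher list, one suite per line. Returns 0 when the approved
# TLS 1.3 AES-128-GCM suite is present.
has_tls13_aes128() {
  printf '%s\n' "$1" | grep -qx 'TLS_AES_128_GCM_SHA256'
}

# Prints the extra curl arguments for the given cipher list: nothing when
# TLS 1.3 is usable, "--tls-max 1.2" when the approved suite is missing.
curl_tls_args() {
  has_tls13_aes128 "$1" || printf '%s' '--tls-max 1.2'
}

# Asks the local OpenSSL CLI for its TLS 1.3 suites (empty output on builds
# too old to understand -tls1_3) and prints the curl arguments to use.
# Caveat: curl may be linked against a different OpenSSL than the CLI;
# check `curl -V` to see which library it actually uses.
detect_curl_tls_args() {
  suites=$(openssl ciphers -s -tls1_3 2>/dev/null | tr ':' '\n')
  curl_tls_args "$suites"
}

# Constructed sample cipher lists for offline checks.
SUITES_WITH_AES128='TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256'
SUITES_WITHOUT_AES128='TLS_CHACHA20_POLY1305_SHA256'

# Usage against a real cluster (the URL is a placeholder):
#   curl $(detect_curl_tls_args) https://<cpd-route>/
```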

You cannot connect to external SMB storage volumes on FIPS-enabled clusters

Applies to: 5.2.0 and later

The SMB CSI Driver for Kubernetes (csi-smb-driver), which is required to connect to external SMB storage volumes, is not supported on FIPS-enabled clusters.

For a list of all storage volume types that are supported on IBM Software Hub, see Managing storage volumes.

Common core services

Not all connectors are supported in a FIPS-enabled environment. See the information for the individual connectors.

Connecting to data sources that are not FIPS-compliant may not work

Applies to: 5.2.0 and later

In a FIPS-enabled environment, you can connect to data sources that are not FIPS-compliant but it is not guaranteed or supported, and these connection attempts may fail.

Services that use the Flight service

Applies to: 5.2.0 and later

On a FIPS-enabled cluster, the Flight service blocks the connection to any data source that does not support FIPS.

Data Refinery

Data Refinery flow job fails in a FIPS cluster for a SAV target file with encryption

Applies to: 5.2.0 and later

On a FIPS-enabled cluster if you run a Data Refinery flow job where the target is an SAV file and you enter an encryption key, the job will fail.

DataStage

Cannot run a DataStage job with data from certain connections

Applies to: 5.2.0 and later

DataStage does not support the Elasticsearch connection in a FIPS-enabled environment.

DataStage pods run in FIPS-tolerant mode by default

Applies to: 5.2.0 and later

By default, DataStage PX runtimes run in FIPS-tolerant mode. If you want to run the PX runtimes in FIPS-compliant mode, you must patch the pxruntime custom resource to set FIPS_MODE to true.

Restriction: Not all connectors are available when you configure FIPS-compliant mode. For information about which connectors are available in FIPS-compliant mode, see the IBM Cloud Pak for Data connectors topic in the IBM Cloud Pak® for Data documentation.

To run the PX runtimes in FIPS-compliant mode:

  1. Log in to Red Hat® OpenShift® Container Platform as an instance administrator.
    ${OC_LOGIN}
    Remember: OC_LOGIN is an alias for the oc login command.
  2. Get the list of PX runtimes:
    oc get pxruntime \
    --namespace=${PROJECT_CPD_INST_OPERANDS}
  3. Set the PX_RUNTIME environment variable to the name of the runtime that you want to update.
  4. Patch the pxruntime custom resource to set FIPS_MODE to true:
    oc patch pxruntime ${PX_RUNTIME} \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --type=merge \
    --patch='{"spec":{"enableFIPS": true}}'

The pods associated with the specified runtime will be restarted automatically. After the pods are restarted, the runtime runs in FIPS-compliant mode.

Execution Engine for Apache Hadoop

You cannot connect to a JDBC data source on your CDH Cluster without configuring the database to support FIPS encryption

Cloudera doesn't support FIPS for JDBC drivers. If you are using a FIPS-enabled cluster, you cannot establish a connection with a Cloudera cluster with the JDBC driver that is provided by Cloudera.

You cannot use Livy to connect to a Spark cluster without loading the digest package

Applies to: 5.2.0 and later

If you need to use Livy to connect to a Spark cluster or use any other packages that depend on the digest package, you must load the digest package from a non-FIPS compliant library. To load the digest package, run the following commands:

library(digest, lib.loc='/opt/not-FIPS-compliant/R/library')
library(sparklyr)

Note: If you load the digest package, Execution Engine for Apache Hadoop will no longer be FIPS-compliant.

You cannot connect to Impala via Execution Engine for Hadoop or Hive via Execution Engine for Hadoop data sources

Applies to: 5.2.0 and later

In FIPS-enabled clusters, you cannot connect to Impala via Execution Engine for Hadoop or Hive via Execution Engine for Hadoop data sources.

IBM Knowledge Catalog

Communication with external Kafka does not work in a FIPS-enabled cluster

Communication with external Kafka does not work in a FIPS-enabled cluster.

RStudio® Server Runtimes

If you need to use Livy to connect to a Spark cluster or use any other packages that depend on the digest package, such as sparklyr, Shiny®, arulesViz, or htmltools packages, you must load the digest package from a non-FIPS compliant library. See Using Livy to connect to a Spark cluster.

You cannot connect to a database with JDBC when the remote server does not support secure connections that use TLS 1.3 or TLS 1.2 with Extended Master Secret

Applies to: 5.2.0 and later

When IBM Software Hub is running on a FIPS-enabled cluster, you cannot connect from a notebook to a database with JDBC if the remote server does not support secure connections that use TLS 1.3 or TLS 1.2 with Extended Master Secret.

To work around this problem, you can create a custom notebook image that disables FIPS for Java. Follow these steps to create and modify the custom notebook image.

  1. Follow the documented steps to build custom runtime images.
  2. Modify the image by setting security.useSystemPropertiesFile to false in $JAVA_HOME/conf/security/java.security, as follows:
    1. Review the example code for adding customizations to images. The sample code shows where to insert the following statement, between USER root:root and USER wsbuild:wsbuild.
    2. Add this statement to the Dockerfile so that the modification runs as root during the image build:
      RUN sed -i.orig -e /security.useSystemPropertiesFile=/s/true/false/ $JAVA_HOME/conf/security/java.security
      For more information about the effects of this change, see Configure OpenJDK 17 in FIPS mode.
  3. Run your notebook with the custom image that you created.

Watson OpenScale

You cannot upload training data with Cloud Object Storage

If you're using Watson OpenScale on a FIPS-enabled cluster, you cannot upload training data to Cloud Object Storage. To work around this issue, you must upload training data to Db2 to enable model evaluations.

Watson Studio

You cannot use the Visual Studio Code extension when the Cloud Pak for Data route uses reencrypt termination

The Visual Studio Code extension does not work on a FIPS-enabled cluster when the IBM Software Hub route uses reencrypt termination.

You cannot connect to a database with JDBC when the remote server does not support secure connections that use TLS 1.3 or TLS 1.2 with Extended Master Secret

Applies to: 5.2.0 and later

When IBM Software Hub is running on a FIPS-enabled cluster, you cannot connect from a notebook to a database with JDBC if the remote server does not support secure connections that use TLS 1.3 or TLS 1.2 with Extended Master Secret.

To work around this problem, you can create a custom notebook image that disables FIPS for Java. Follow these steps to create and modify the custom notebook image.

  1. Follow the documented steps to build custom runtime images.
  2. Modify the image by setting security.useSystemPropertiesFile to false in $JAVA_HOME/conf/security/java.security, as follows:
    1. Review the example code for adding customizations to images. The sample code shows where to insert the following statement, between USER root:root and USER wsbuild:wsbuild.
    2. Add this statement to the Dockerfile so that the modification runs as root during the image build:
      RUN sed -i.orig -e /security.useSystemPropertiesFile=/s/true/false/ $JAVA_HOME/conf/security/java.security
      For more information about the effects of this change, see Configure OpenJDK 17 in FIPS mode.
  3. Run your notebook with the custom image that you created.
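The java.security change in the RStudio Server Runtimes and Watson Studio procedures above is the same sed substitution. The following added example, not from the IBM custom-image samples, applies that substitution to a constructed java.security file and verifies the result, so a custom image build can fail early if the flag was not actually flipped. The function names and the sample file content are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM custom-image samples: apply the
# java.security change from the steps above to a file and verify it took
# effect, so an image build fails early instead of shipping Java with FIPS
# still enabled. Function names and the sample file content are constructed.

# Applies the same substitution as the Dockerfile RUN step to the
# java.security file given as $1, keeping a .orig backup beside it.
disable_java_fips_props() {
  sed -i.orig -e '/security.useSystemPropertiesFile=/s/true/false/' "$1"
}

# Prints the effective value of security.useSystemPropertiesFile in $1
# (the last uncommented assignment wins when a key appears twice).
effective_use_system_props() {
  grep -E '^[[:space:]]*security\.useSystemPropertiesFile=' "$1" \
    | tail -n 1 | cut -d= -f2 | tr -d '[:space:]'
}

# Writes a constructed stand-in for $JAVA_HOME/conf/security/java.security
# to $1; the real file is much longer but carries the same assignment.
write_sample_java_security() {
  cat > "$1" <<'EOF'
# Constructed sample, not a real OpenJDK java.security file
security.provider.1=SUN
# When true, the JDK follows the system-wide crypto policy (FIPS on RHEL)
security.useSystemPropertiesFile=true
security.overridePropertiesFile=true
EOF
}

# End-to-end check: patch a sample file, confirm the flag is now false,
# that the unrelated overridePropertiesFile line is untouched, and that
# the .orig backup exists. Returns 0 on success, 1 on any failure.
check_java_fips_disable() {
  tmp=$(mktemp) || return 1
  write_sample_java_security "$tmp"
  [ "$(effective_use_system_props "$tmp")" = "true" ] || return 1
  disable_java_fips_props "$tmp"
  [ "$(effective_use_system_props "$tmp")" = "false" ] || return 1
  grep -q '^security.overridePropertiesFile=true$' "$tmp" || return 1
  [ -f "$tmp.orig" ] || return 1
  rm -f "$tmp" "$tmp.orig"
}
```

Run check_java_fips_disable as a build-time test in the image, or point disable_java_fips_props at the real $JAVA_HOME/conf/security/java.security and follow it with effective_use_system_props to confirm the value before the image is pushed.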

Watson Machine Learning

Deployments with certain constricted software specifications fail after an upgrade

Applies to: 5.2.0

If you upgrade to a more recent version of IBM Software Hub and deploy an R Shiny application asset that was created by using constricted software specifications in FIPS mode, your deployment fails. Deployments that use rstudio_r4.2 or shiny-r3.6 software specifications fail after you upgrade to IBM Software Hub version 5.0. You might receive the error message Error 502 - Bad Gateway.

To prevent your deployment from failing, update the constricted specification for your deployed asset to use the latest software specification. For more information, see:

You can also delete your application deployment if you no longer need it.

watsonx.ai™

llama-4-scout-17b-16e-instruct is not supported

Applies to: 5.2.0

The llama-4-scout-17b-16e-instruct model does not run on a FIPS-enabled cluster.

llama-4-maverick-17b-128e-instruct-fp8 is not supported

Applies to: 5.2.0

The llama-4-maverick-17b-128e-instruct-fp8 model does not run on a FIPS-enabled cluster.

mistral-small-3-1-24b-instruct-2503 is not supported

Applies to: 5.2.0

The mistral-small-3-1-24b-instruct-2503 model does not run on a FIPS-enabled cluster.

watsonx.data™

Non-compliance of Kafka with FIPS-140

Applies to: 5.2.0 and later

Non-compliance of Kafka with FIPS-140 may cause security issues for users.

watsonx Orchestrate

Put a message in a queue skill of Amazon SQS is failing in the FIPS cluster

Applies to: 5.2.0

This issue occurs in the FIPS cluster when you use the Amazon SQS app. In the Put a message in a queue skill, when you enter a message in a queue and select a queue URL, and then click Apply > Show more to connect the app, you cannot see the correct error message.

This occurs because one of the encryption algorithms that is used by the App Connect integration runtime is not compliant with FIPS. Instead, use the non-FIPS clusters where the skill works correctly.

Unable to connect to the IBM Cloud Object Storage S3 app

Applies to: 5.2.0

After you log in as the watsonx™ Orchestrate admin user and go to the skill catalog, and open IBM Cloud Object Storage S3, the application does not connect.

This is a FIPS-related issue. FIPS tolerance is required for watsonx Orchestrate On-Prem.