Enabling IBM Match 360 for FIPS compliance

Additional cluster configuration is required to enable IBM® Match 360 to be installed and used on a Federal Information Processing Standards (FIPS) 140-2 compliant Red Hat® OpenShift® cluster.

Required role: To complete this task, you must be a cluster administrator.

To enable IBM Match 360 to be FIPS 140-2 compliant:

  1. Enable FIPS mode on the cluster. For details, see Enabling FIPS on your Red Hat OpenShift cluster.
  2. Install Cloud Pak for Data. For details, see Installing the IBM Cloud Pak for Data platform and services.
  3. Configure the APIServer custom resource (CR) to use a specific custom TLS security profile for the control plane. Run the following command:
    oc patch APIServer cluster --type='json' --patch '[{"op":"add","path":"/spec/tlsSecurityProfile","value":{"custom": { "ciphers" : [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA" ] }, "type": "Custom"}}]' -n ibm-common-services

    After running this command, it can take 15–30 minutes for the new TLS security profile to take effect.
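
Once the wait in step 3 has passed, the applied profile can be compared against the cipher list from the patch command. The script below is an added example, not part of the IBM documentation: it reads the JSON produced by `oc get apiserver cluster -o json` on standard input and reports any drift. The script name, the function name and the embedded sample are assumptions made for illustration.

```python
import json
import sys

# Cipher list copied from the oc patch command in step 3.
EXPECTED_CIPHERS = [
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305", "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
]


def check_tls_profile(apiserver_cr):
    """Compare spec.tlsSecurityProfile of an APIServer CR with step 3."""
    profile = (apiserver_cr.get("spec") or {}).get("tlsSecurityProfile") or {}
    applied = (profile.get("custom") or {}).get("ciphers") or []
    missing = [c for c in EXPECTED_CIPHERS if c not in applied]
    unexpected = [c for c in applied if c not in EXPECTED_CIPHERS]
    return {
        "type": profile.get("type"),
        "missing": missing,        # in the documented list, not on the cluster
        "unexpected": unexpected,  # on the cluster, not in the documented list
        "ok": profile.get("type") == "Custom" and not missing and not unexpected,
    }


# Constructed sample (not real cluster output): one documented cipher was
# dropped and one cipher outside the documented list was added.
SAMPLE_DRIFTED = {
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"tlsSecurityProfile": {
        "type": "Custom",
        "custom": {"ciphers": EXPECTED_CIPHERS[:-1] + ["AES128-SHA"]},
    }},
}

if __name__ == "__main__":
    # Usage: oc get apiserver cluster -o json | python3 check_tls_profile.py
    # Without piped input, the constructed sample is checked instead.
    cr = SAMPLE_DRIFTED if sys.stdin.isatty() else json.load(sys.stdin)
    result = check_tls_profile(cr)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

The script exits with a non-zero status when the profile type is not `Custom` or the cipher lists differ, so it can gate a later installation step.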