Configuring FIPS support on OpenShift
Configure support for FIPS (Federal Information Processing Standards) on the cluster where you will install IBM API Connect.
Before you begin
- Only FIPS version 140-2 is supported
- FIPS must be configured on the cluster before you install API Connect
- You must deploy API Connect 10.0.8.0 or later, with DataPower Gateway 10.6.2 or later. For DataPower, refer to the following documentation for the most up-to-date information on DataPower FIPS support:
- Known limitations and restrictions
- Cloud Pak for Integration - Gateway instance additionally notes the FIPS and FIPS-Wall status
About this task
To be FIPS compliant, an organization must adhere to the various data security and computer system standards outlined in the FIPS requirements. FIPS compliance for API Connect is supported by implementing a "FIPS wall".
- What is FIPS?
- Federal Information Processing Standards (FIPS) are standards and guidelines issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. The standards are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist. Government agencies and financial institutions use these standards to ensure that products conform to specified security requirements.
API Connect supports version 140-2 of the FIPS requirements, implemented using the "FIPS wall" approach.
- What is a FIPS wall?
- The "FIPS wall" is a boundary approach to FIPS compliance that is used by IBM products. All pods in the cluster are FIPS-tolerant (the pods can run without issues on a FIPS-enabled OpenShift cluster), while creating a compliant "boundary" that is secured at external points of contact (known as "touch points").
Traffic inside the boundary is secure because the communication between nodes is automatically encrypted at the OpenShift Container Platform level using the IPSec protocol. Traffic within any node happens in-memory, so it never leaves the node. The following diagram illustrates a typical OpenShift cluster that is configured to support the FIPS wall. In the diagram, the "wall" is represented with a heavy black border. Communications between pods within the border are secured with IPSec encryption, and communications that cross the border to external devices are secured using other means (for example, TLS encryption).
- What are the cluster requirements to support a FIPS wall?
- FIPS is enabled on the cluster during installation (by setting fips: true in the install-config.yaml file)
- FIPS is enabled for node-to-node communication (using the OVN-Kubernetes Container Network Interface cluster network provider, and with IPSec enabled)
- The etcd key-value store is encrypted with aescbc
- Storage is encrypted with FIPS ciphers
- Runtimes are managed using Kubernetes CRI-O (all OCP deployments use CRI-O by default)
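Added example (not part of the IBM documentation): a POSIX shell script that verifies the cluster requirements listed above after installation. It assumes OCP 4.14 or later, where the IPsec state is stored as ipsecConfig.mode in the cluster Network operator object, and that oc runs as cluster-admin; the evaluation logic takes the values as arguments so it can be exercised without a cluster.

```shell
#!/bin/sh
# Post-install check of the FIPS-wall cluster requirements listed above.
# fips_requirements_ok() is pure (values passed as arguments) so it can be
# exercised offline; collect_live_values() pulls the same values with oc.

# Returns 0 only when every setting meets the FIPS-wall requirement:
# fips=true, OVN-Kubernetes, IPsec mode Full, etcd encrypted with aescbc.
fips_requirements_ok() {
  fips="$1"; network_type="$2"; ipsec_mode="$3"; etcd_enc="$4"
  status=0
  [ "$fips" = "true" ] || {
    echo "FAIL: fips is '${fips:-unset}' (install-config.yaml needs fips: true)"; status=1; }
  [ "$network_type" = "OVNKubernetes" ] || {
    echo "FAIL: networkType is '${network_type:-unset}' (OVN-Kubernetes is required for IPsec)"; status=1; }
  case "$ipsec_mode" in
    Full) ;;   # node-to-node traffic inside the wall is encrypted
    *) echo "FAIL: IPsec mode is '${ipsec_mode:-unset}' (expected Full)"; status=1 ;;
  esac
  [ "$etcd_enc" = "aescbc" ] || {
    echo "FAIL: etcd encryption type is '${etcd_enc:-unset}' (expected aescbc)"; status=1; }
  if [ "$status" -eq 0 ]; then
    echo "OK: cluster meets the FIPS-wall requirements"
  fi
  return "$status"
}

# Gather the same four values from a live cluster (needs oc as cluster-admin).
collect_live_values() {
  # The install-config.yaml used at install time is kept in this ConfigMap.
  fips=$(oc get cm cluster-config-v1 -n kube-system \
           -o jsonpath='{.data.install-config}' | awk '$1 == "fips:" {print $2}')
  network_type=$(oc get network.config cluster -o jsonpath='{.spec.networkType}')
  # Assumes OCP 4.14+, where the IPsec state is stored as ipsecConfig.mode.
  ipsec_mode=$(oc get network.operator cluster \
           -o jsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}')
  etcd_enc=$(oc get apiserver cluster -o jsonpath='{.spec.encryption.type}')
  fips_requirements_ok "${fips:-false}" "$network_type" "$ipsec_mode" "$etcd_enc"
}

# Only contact a cluster when asked, so the file is safe to source for testing.
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
  collect_live_values
fi
```

Run it against a cluster with RUN_LIVE_CHECK=1 sh fips_check.sh; every FAIL line names the setting that still has to be changed before API Connect is installed.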
- What are the Red Hat OpenShift Container Platform dependencies?
- API Connect 10.0.9.0 can be deployed with the following versions of OpenShift Container Platform (OCP):
- version 4.14 - 4.17: supported on Red Hat Enterprise Linux 8.6, 8.7, and 8.8; ongoing certification for FIPS 140-2 and 140-3
- Current status on FIPS certification: Compliance Activities and Government Standards in the Red Hat Customer Portal
Install and configure OpenShift Container Platform
Configure settings for FIPS and IPSec, install the OpenShift cluster, and then configure the cluster to enable encryption and provide storage.
Procedure
Install API Connect
Install API Connect on the OpenShift cluster, and ensure that server connections support FIPS.