Enabling Federal Information Processing Standards (FIPS) support for IBM Cloud Pak for AIOps
Learn how to enable FIPS and run IBM Cloud Pak for AIOps on a FIPS-compliant system.
To enable support, you must install IBM Cloud Pak for AIOps on a Red Hat OpenShift Container Platform cluster that is running in FIPS-enabled mode. You also need to complete some tasks before you begin installing IBM Cloud Pak for AIOps on your cluster, and other tasks while you are installing it. Depending on whether you plan to enable or set up some optional integrations, you might need to complete further tasks after you finish installing to ensure that your integrations support FIPS.
Important: You can enable FIPS support only when you are installing. You cannot upgrade a non-FIPS-enabled environment to a FIPS-enabled environment. You also cannot back up IBM Cloud Pak for AIOps from a non-FIPS-enabled environment and restore it into a FIPS-enabled environment. The remote Kafka integration feature is not available on FIPS-compliant environments.
To enable FIPS support, complete the following tasks during your overall cluster and IBM Cloud Pak for AIOps installation:
- Installing Red Hat OpenShift Container Platform and storage tasks required for compliance.
  These tasks must be completed when you are installing your Red Hat OpenShift Container Platform cluster and configuring your storage, before you begin to install IBM Cloud Pak for AIOps on your OpenShift cluster.
- Installing IBM Cloud Pak for AIOps tasks required for compliance.
  While installing IBM Cloud Pak for AIOps, you need to complete some other required tasks to ensure that your environment supports FIPS.
- Optional. Conditional tasks required for compliance.
  Depending on the integrations that you plan to create for your IBM Cloud Pak for AIOps environment, you need to complete other tasks to enable FIPS support. For instance, if you are integrating IBM Cloud Pak for AIOps with IBM Tivoli Netcool/OMNIbus, you need to configure the integration to support FIPS.
Installing Red Hat OpenShift Container Platform and storage tasks required for compliance
- Enable FIPS support for your Red Hat OpenShift Container Platform cluster
- Enable FIPS support for your storage
1. Enable FIPS support for your Red Hat OpenShift Container Platform cluster
You must enable FIPS support on your Red Hat OpenShift Container Platform cluster before you proceed with installing IBM Cloud Pak for AIOps. When you are installing IBM Cloud Pak for AIOps, the installation process automatically detects whether FIPS support is enabled on your Red Hat OpenShift Container Platform cluster. If FIPS is enabled on Red Hat OpenShift Container Platform, FIPS support is automatically enabled for IBM Cloud Pak for AIOps.
To enable FIPS for IBM Cloud Pak for AIOps, you must first enable FIPS support on your Red Hat OpenShift Container Platform cluster by completing the following tasks as part of installing Red Hat OpenShift Container Platform:
- Enable FIPS mode on all of your nodes. For more information, see the Red Hat OpenShift Container Platform documentation about Support for FIPS cryptography.
- Install Red Hat OpenShift Container Platform in FIPS mode. For more information, see the Red Hat OpenShift Container Platform documentation about Installing a cluster in FIPS mode.
  Restriction: FIPS is supported only on x86_64 hardware.
- Configure TLS protection for your node-to-node communication. Node-to-node communication must be TLS protected at all times.
  Recommended: Configure IPsec tunnels for communication between nodes in your cluster. IPsec is the validated and recommended method for implementing security across nodes for IBM Cloud Pak for AIOps. If you require a different method to secure your nodes, you can use your preferred method.
  With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes Container Network Interface (CNI) cluster network travels through an encrypted tunnel. IPsec is disabled by default when you install OpenShift 4.x clusters. IPsec encryption can be enabled only during cluster installation and cannot be disabled after it is enabled.
  For more information about configuring IPsec encryption on Red Hat OpenShift Container Platform, see the Red Hat OpenShift Container Platform documentation about Configuring IPsec encryption.
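The three cluster tasks above are each verifiable before and after the OpenShift install. The following preflight script is an added example, not code from the IBM or Red Hat documentation; it assumes the top-level `fips: true` field in `install-config.yaml` and an `ipsecConfig` key in the OVN-Kubernetes `cluster-network-03-config.yml` manifest (as documented by Red Hat), and uses constructed sample files and node data.

```shell
#!/bin/sh
# Added preflight helper (not part of the IBM or Red Hat documentation).
# Assumptions: install-config.yaml carries the top-level "fips: true" field and
# the Network operator manifest cluster-network-03-config.yml enables IPsec via
# an "ipsecConfig" key under ovnKubernetesConfig.

# Return 0 when install-config.yaml requests a FIPS-mode cluster.
check_install_config_fips() {
    grep -Eq '^fips:[[:space:]]*true[[:space:]]*$' "$1"
}

# Return 0 when the Network operator manifest enables OVN-Kubernetes IPsec.
check_ipsec_manifest() {
    grep -Eq '^[[:space:]]*ipsecConfig:' "$1"
}

# Read "node-name fips_enabled" lines on stdin, where fips_enabled is the value
# of /proc/sys/crypto/fips_enabled on that node. Return 0 only if at least one
# node was listed and every node reports 1.
all_nodes_fips_enabled() {
    awk '$2 != 1 { bad++ } END { if (NR == 0 || bad > 0) exit 1 }'
}

# Constructed sample inputs (not a real cluster).
WORK=$(mktemp -d)
cat > "$WORK/install-config.yaml" <<'EOF'
apiVersion: v1
baseDomain: example.com
fips: true
EOF
cat > "$WORK/cluster-network-03-config.yml" <<'EOF'
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}
EOF

check_install_config_fips "$WORK/install-config.yaml" && echo "install-config: FIPS mode requested"
check_ipsec_manifest "$WORK/cluster-network-03-config.yml" && echo "network manifest: IPsec enabled"

# Post-install, the node lines come from a live cluster, for example:
#   for n in $(oc get nodes -o name); do
#     printf '%s %s\n' "$n" "$(oc debug -q "$n" -- chroot /host cat /proc/sys/crypto/fips_enabled)"
#   done | all_nodes_fips_enabled
# Constructed sample: worker-0 was provisioned without FIPS mode and must fail.
printf 'master-0 1\nmaster-1 1\nworker-0 0\n' | all_nodes_fips_enabled || echo "node check: a node is not in FIPS mode"
```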
2. Enable FIPS support for your storage
If your deployment's storage must be FIPS compliant, enable any FIPS settings and support for your chosen storage. Refer to your storage provider's documentation to ensure that your storage meets this requirement.
Red Hat® OpenShift® Data Foundation and FIPS
Red Hat® OpenShift® Data Foundation uses FIPS 140-2 certified cryptographic modules. You must use cluster-wide encryption, and not encrypt persistent volumes individually. This is because Red Hat OpenShift Data Foundation persistent volume encryption is only available for block storage, and one of IBM Cloud Pak for AIOps's components, Zen, requires file storage. For more information, see the topic Cluster-wide encryption in the Red Hat OpenShift Data Foundation documentation.
Portworx and FIPS
Portworx uses FIPS 140-2 certified cryptographic modules. Portworx can encrypt each of the persistent volumes individually, or can encrypt the whole storage cluster. For more information, see the topic Create encrypted PVCs in the Portworx documentation.
Installing IBM Cloud Pak for AIOps tasks required for compliance
With your storage configured, continue your installation of IBM Cloud Pak for AIOps on your cluster.
Ensure that you complete the required installation tasks for compliance while you are installing IBM Cloud Pak for AIOps. These tasks must be completed while you are initially installing IBM Cloud Pak for AIOps.
For more information and instructions for installing IBM Cloud Pak for AIOps, see:
- For more information about installing on specific cloud platforms, see Supported cloud environments for installing IBM Cloud Pak for AIOps.
- For more information about installing IBM Cloud Pak for AIOps overall, see Production installation. If you are installing a starter installation, see Starter installation.
Important: You must ensure that you have run the Verify the installation step for your chosen installation method, and that your deployment is healthy before you proceed.
Enable two-factor authentication (2FA)
To secure your environment with multi-factor authentication, you can configure single sign-on (SSO) between IBM Cloud Pak for AIOps and an identity provider that supports 2FA, such as IBM Security Verify. The identity provider's 2FA mechanism can then be used to authenticate IBM Cloud Pak for AIOps user login. Consult your chosen identity provider's documentation to set up 2FA.
For more information about IBM Security Verify, see IBM Security Verify.
Blog: For an example of setting up single sign-on between an IBM Cloud Pak and IBM Security Verify, see Tutorial: IBM Cloud Pak single sign-on (SSO) integration with IBM Security Verify.
Conditional tasks required for compliance
The following tasks are required depending on the integrations you plan to create for your IBM Cloud Pak for AIOps environment:
IBM Cloud Pak for AIOps and Netcool integration compliance requirement: Enabling FIPS support
If you plan to integrate IBM Cloud Pak for AIOps with IBM Tivoli Netcool/OMNIbus, you need to configure your integration to enable FIPS support. For more information, see Enabling Federal Information Processing Standards (FIPS) support for a Netcool integration.